Exam Questions and CORRECT Answers
Which Event Correlation Approach checks and compares all the fields systematically and
intentionally for positive and negative correlation with each other to determine the correlation
across one or multiple fields?
A. graph-based approach
B. rule-based approach
C. field-based approach
D. automated field correlation - CORRECT ANSWER -D
Minimizing the tangible and intangible losses to the organization or an individual is considered
an essential computer forensics use.
A. True
B. False - CORRECT ANSWER -A
Which field type refers to the volume descriptor as a primary?
A. Number 2
B. Number 0
C. Number 1
D. Number 3 - CORRECT ANSWER -C
This phase of EFI consists of initialization code that the system executes after powering the EFI
system on. It manages platform reset events and sets the system so that it can find, validate,
install, and run the PEI.
A. SEC
B. PEI
C. DXE
D. BDS
E. RT - CORRECT ANSWER -A
Most of the initialization happens in this phase. Using the Hand-Off Block List (HOBL), it
initializes the entire system physical memory, I/O, and MMIO (Memory Mapped Input Output)
resources and finally begins dispatching DXE Drivers present in the system Firmware Volumes
(given in the HOBL). The DXE core produces a set of EFI Boot Services and EFI Runtime
Services. The EFI Boot Services provided are allocating memory and loading executable images.
The EFI Runtime services provided are converting memory addresses from physical to virtual
while handing over to the kernel, and resetting the CPU, to code running within the EFI
environment or within the OS kernel once the CPU takes the control of the system.
A. SEC
B. PEI
C. DXE
D. BDS
E. RT - CORRECT ANSWER -C
This phase initializes the CPU, temporary memory, and boot firmware volume (BFV). It locates
and executes the Pre Initialization chapters (PEIMs) present in the BFV so as to initialize all the
found hardware in the system. Finally, it creates a Hand-Off Block List with all found resources
interface descriptors and passes it to the next phase i.e. the DXE phase.
A. SEC
B. PEI
C. DXE
D. BDS
E. RT - CORRECT ANSWER -B
In this phase, the BDS interprets the boot configuration data and selects the Boot Policy for later
implementation. This phase works with the DXE to check if the device drivers require signature
verification. In this phase, the system loads MBR boot code into memory for Legacy BIOS Boot
or loads the Bootloader program from the EFI partition for UEFI Boot. It also provides an option
for the user to choose EFI Shell or a UEFI application as the Boot Device from the Setup.
A. SEC
B. PEI
C. DXE
D. BDS
E. RT - CORRECT ANSWER -D
At this point, the system clears the UEFI program from memory and transfers it to the OS.
During UEFI BIOS update the OS calls the run time service using a small part of the memory.
A. SEC
B. PEI
C. DXE
D. BDS
E. RT - CORRECT ANSWER -E
Which of the following basic partitioning tools displays details about GPT partition tables in
Windows OS?
A. DiskPart
B. Gparted
C. Disk Utility
D. Fdisk - CORRECT ANSWER -A
How large is the partition table structure that stores information about the partitions present on
the hard disk?
A. 32-byte
B. 64-bit
C. 64-byte
D. 32-bit - CORRECT ANSWER -C
How many bits are used by the MBR partition scheme for storing LBAs (Logical Block
Addresses) and the size information on a 512-byte sector?
A. 128
B. 64
C. 256
D. 32 - CORRECT ANSWER -D
What component of a typical FAT32 file system consists of data that the document framework
uses to get to the volume and utilizes the framework parcel to stack the working portion
documents?
A. Boot Sector
B. FAT Area