Question 1

When examining the Windows registry key, the &#34;Last Write Time&#34; indicates:&#10;A) The last time RegEdit was run&#10;B) When a value in that Registry key was altered or added&#10;C) The current system time&#10;D) The number of allowable changes has been exceeded

Accepted Answer

The "Last Write Time" in the Windows registry key indicates the last time a value within that specific registry key was modified or added. This timestamp is updated whenever a change is made to the key's contents, providing a way to track modifications.

Question 2

Forensically acceptable alternatives to using a Windows Evidence Acquisition Boot Disk include all but which of the following?&#10;A) Linux boot floppy&#10;B) FIRE bootable CD-ROM&#10;C) Booting into safe mode&#10;D) Hardware write blockers

Accepted Answer

Booting into safe mode is not a forensically acceptable alternative because it involves booting the original system, which can alter the data on the disk. Linux boot floppy, FIRE bootable CD-ROM, and hardware write blockers are all designed to prevent data alteration during the forensic acquisition process.

Question 3

You find the following deleted file on a floppy disk. How many clusters does this file occupy? $\begin{array}{ll}\text { Name } & \text { Ext } &\text { ID } &\text { Size } &\text {Date } &\text { Time }&\text { Cluster }&\text { 76 A R S H D V }\\\text { \_REENF } \sim 1 & \text { DOC }&\text { Erased }&19968&5-08-03&2:34pm&275&A----\end{array}$

A) 200
B) 78
C) 39
D) 21

39

Accepted Answer

The file size is 19,968 bytes. Assuming a cluster size of 512 bytes (common for floppy disks), the number of clusters occupied by the file is calculated by dividing the file size by the cluster size: 19968 / 512 = 39.

Question 4

Media can be accessed for examination either ________or____________ . (Choose two)&#10;A) Logically&#10;B) Sequentially&#10;C) Randomly&#10;D) Physically

Accepted Answer

The answer of Media can be accessed for examination either...

Question 5

Given their widespread use and simple structure, FAT file systems are a good starting point for forensic analysts to understand file systems and recovery of deleted data.

Accepted Answer

FAT (File Allocation Table) file systems have a straightforward and well-documented structure, making them an ideal starting point for forensic analysts to learn about file systems and the principles of data recovery, including the recovery of deleted files.

Question 6

File system traces include all of the following EXCEPT:&#10;A) Metadata&#10;B) CMOS settings&#10;C) Swap file contents&#10;D) Data object date-time stamps

Accepted Answer

CMOS settings are not included in file system traces. File system traces typically involve data related to the management and organization of files on a storage device, such as metadata, swap file contents, and data object date-time stamps. CMOS settings, on the other hand, are related to system configuration and hardware settings stored in the CMOS memory, not file system management.

Question 7

The Windows NT Event log Appevent.evt:&#10;A) Contains a log of application usage&#10;B) Records activities that have security implications, such as logins&#10;C) Notes system events such as shutdowns&#10;D) None of the above

Accepted Answer

The Windows NT Event log Appevent.evt specifically contains a log of application events, which includes information about application usage, errors, and informational events related to software applications running on the system.

Question 8

When a file is moved within a volume, the Last Accessed Date Time:&#10;A) Is unchanged&#10;B) Changes if a file is moved to different directory&#10;C) Changes if a file is moved to the root&#10;D) Is unchanged; however, the Created Date-Time does change

Accepted Answer

When a file is moved within the same volume, its Last Accessed Date Time remains unchanged. The action of moving a file within the same volume does not count as accessing the file's content, hence the Last Accessed Date Time does not update.

Question 9

Before evidentiary media is &#34;acquired,&#34; forensic examiners often______________ the media to make sure it contains data relevant to the investigation.&#10;A) Hash&#10;B) Preview&#10;C) Validate&#10;D) Analyze

Accepted Answer

Previewing allows forensic examiners to determine if the media contains relevant data before fully acquiring it for detailed analysis.

Question 10

With the correct CMOS setting, it is possible to mount a hard drive as Read-Only in the Windows environment.

Accepted Answer

CMOS settings do not control how a hard drive is mounted (read-only or read-write) in the Windows environment; this is managed within the operating system or through specific software tools designed for disk management.

Question 11

Which of the following issues is NOT one that a forensic examiner faces when dealing with Windows-based media?&#10;A) Invasive characteristics of the Windows environment&#10;B) The facility in the standard Windows environment for mounting a hard drive as Read-Only&#10;C) The location, organization, and content of Windows system log files&#10;D) Available methods for recovering data from Windows media

Accepted Answer

The answer of Which of the following issues is NOT...

Question 12

EnCase provides the means to create a Windows Evidence Acquisition Boot Disk to allow for network acquisition of an evidence drive.

Accepted Answer

The answer of EnCase provides the means to create a...

Question 13

When examining the &#34;news.rc,&#34; you find the following entry: &#10;$$\text { alt.binaries.hacking.utilities! } 1 - 8905,8912,8921,8924,8926,8929,8930,8932$$&#10;What does the &#34;!&#34; mean?&#10;A) The user is subscribed to this group.&#10;B) The user was once subscribed, but is currently unsubscribed, to this group.&#10;C) The group is up to date.&#10;D) The last message retrieval was aborted.

Accepted Answer

The answer of When examining the &#34;news.rc,&#34; you find the...

Question 14

Usenet readers store all the URLs that have been accessed, but do not record which Usenet newsgroups have been accessed and joined.

Accepted Answer

The answer of Usenet readers store all the URLs that...

Question 15

The Windows NT Event log Secevent.evt:&#10;A) Contains a log of application usage&#10;B) Records activities that have security implications, such as logins&#10;C) Notes system events such as shutdowns&#10;D) None of the above

Accepted Answer

The answer of The Windows NT Event log Secevent.evt:&#10;A) Contains...

Question 16

The standard Windows environment supports all of the following file systems EXCEPT____________ .&#10;A) FAT16&#10;B) ext2&#10;C) FAT32&#10;D) NTFS

Accepted Answer

The answer of The standard Windows environment supports all of...

Question 17

6 . Which of the following software tools is NOT used for data recovery?&#10;A) WinHex (X-Ways) Forensic&#10;B) EnCase&#10;C) FTK&#10;D) Safeback

Accepted Answer

The answer of 6 . Which of the following software...

Question 18

The Windows environment is invasive and poses a challenge to forensic examiners.

Accepted Answer

The answer of The Windows environment is invasive and poses...

Question 19

Internet traces may be found in which of the following categories?&#10;A) Web browser cache&#10;B) Instant messenger cache&#10;C) Cookies&#10;D) All of the above

Accepted Answer

The answer of Internet traces may be found in which...

Question 20

Log files are used by the forensic examiner to_________ .&#10;A) Associate system events with specific user accounts&#10;B) Verify the integrity of the file system&#10;C) Confirm login passwords&#10;D) Determine if a specific individual is the guilty party

Accepted Answer

The answer of Log files are used by the forensic...

Question 21

The MD5 hashing algorithm is no longer considered to be a reliable method for determining whether two blocks of text are identical.

Accepted Answer

The answer of The MD5 hashing algorithm is no longer...

Question 22

Just like Windows NT, Windows 98 has event logs that record system activities.

Accepted Answer

The answer of Just like Windows NT, Windows 98 has...

Question 23

NTFS time represents time as the number of 100-nanosecond intervals since January 1, 1601 00:00:00 UTC.

Accepted Answer

The answer of NTFS time represents time as the number...

Question 24

In FAT32 file systems both the directory and FAT entries are updated when a file is deleted.

Accepted Answer

The answer of In FAT32 file systems both the directory...

Question 25

EnCase can recover deleted files but does not have the capability of recovering deleted directories.

Accepted Answer

The answer of EnCase can recover deleted files but does...

Question 26

&#34;File carving&#34; is an examination technique where the beginning and end of a file are located, and the block of data spanning the two locations is copied to a new file, with the appropriate extension.

Accepted Answer

The answer of &#34;File carving&#34; is an examination technique where...

Question 27

Windows evidentiary media must be acquired and examined with Windows-based examination software.

Accepted Answer

The answer of Windows evidentiary media must be acquired and...

Question 28

In the Windows environment, simply opening a file to read, without writing it back to disk, can change the date-time stamp.

Accepted Answer

The answer of In the Windows environment, simply opening a...

Question 29

In NTFS, when a file is deleted from a directory, the last modified and accessed date-time stamps of the parent directory listing are updated.

Accepted Answer

The answer of In NTFS, when a file is deleted...

Question 30

A forensic examiner would use logical access to examine media if the file and directory structures were to be analyzed.

Accepted Answer

The answer of A forensic examiner would use logical access...

Deck 17: Digital Evidence on Windows Systems