Chat with AI
Deck 5: Working With Windows and Cli Systems
Full screen (f)
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Unlock Deck
Sign up to unlock the cards in this deck!
Unlock Deck
Unlock Deck
1/50
Play
Full screen (f)
Deck 5: Working With Windows and Cli Systems
1
A computer stores system configuration and date and time information in the BIOS when power to the system is off.
False
2
What does the MFT header field at offset 0x00 contain?
A)The MFT record identifier FILE
B)The size of the MFT record
C)The length of the header
D)The update sequence array
A)The MFT record identifier FILE
B)The size of the MFT record
C)The length of the header
D)The update sequence array
A
3
Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDCX), and memory sticks:
A)FAT12
B)FAT32
C)exFAT
D)VFAT
A)FAT12
B)FAT32
C)exFAT
D)VFAT
C
4
A Master Boot Record (MBR) partition table marks the first partition starting at what offset?
A)0x1CE
B)0x1BE
C)0x1AE
D)0x1DE
A)0x1CE
B)0x1BE
C)0x1AE
D)0x1DE
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
5
Which of the following is not a valid configuration of Unicode?
A)UTF-8
B)UTF-16
C)UTF-32
D)UTF-64
A)UTF-8
B)UTF-16
C)UTF-32
D)UTF-64
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
6
Someone who wants to hide data can create hidden partitions or voids- large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
7
What registry file contains installed programs' settings and associated usernames and passwords?
A)Default.dat
B)Security.dat
C)Software.dat
D)System.dat
A)Default.dat
B)Security.dat
C)Software.dat
D)System.dat
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
8
Which of the following commands creates an alternate data stream?
A)echo text > myfile.txt:stream_name
B)ads create myfile.txt{stream_name} "text"
C)cat text myfile.txt=stream_name
D)echo text < myfile.txt?stream_name
A)echo text > myfile.txt:stream_name
B)ads create myfile.txt{stream_name} "text"
C)cat text myfile.txt=stream_name
D)echo text < myfile.txt?stream_name
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
9
The _________ branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and System.
A)registry
B)storage
C)hive
D)tree
A)registry
B)storage
C)hive
D)tree
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
10
What term is used to describe a disk's logical structure of platters, tracks, and sectors?
A)cylinder
B)trigonometry
C)geometry
D)mapping
A)cylinder
B)trigonometry
C)geometry
D)mapping
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
11
The ___________ command inserts a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry.
A)delete
B)edit
C)update
D)clear
A)delete
B)edit
C)update
D)clear
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
12
FAT32 is used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
13
Each MFT record starts with a header identifying it as a resident or nonresident attribute.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
14
When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
15
When using the File Allocation Table (FAT), where is the FAT database typically written to?
A)The innermost track
B)The outermost track
C)The first sector
D)The first partition
A)The innermost track
B)The outermost track
C)The first sector
D)The first partition
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
16
The ReFS storage engine uses a __________ sort method for fast access to large data sets.
A)A+-tree
B)B+-tree
C)reverse
D)numerical
A)A+-tree
B)B+-tree
C)reverse
D)numerical
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
17
A typical disk drive stores how many bytes in a single sector?
A)8
B)512
C)1024
D)4096
A)8
B)512
C)1024
D)4096
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
18
What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive?
A)PGP Full Disk Encryption
B)Voltage SecureFile
C)BestCrypt
D)TrueCrypt
A)PGP Full Disk Encryption
B)Voltage SecureFile
C)BestCrypt
D)TrueCrypt
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
19
Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks?
A)Disk Track Recording (DTR)
B)Zone Based Areal Density (ZBAD)
C)Zone Bit Recording (ZBR)
D)Cylindrical Head Calculation (CHC)
A)Disk Track Recording (DTR)
B)Zone Based Areal Density (ZBAD)
C)Zone Bit Recording (ZBR)
D)Cylindrical Head Calculation (CHC)
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
20
What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume?
A)$MftMirr
B)$TransAct
C)$LogFile
D)$Backup
A)$MftMirr
B)$TransAct
C)$LogFile
D)$Backup
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
21
Match each term with the correct definition below:
-?A 16-bit program that identifies hardware components during startup snd sends the information to Ntldr.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
-?A 16-bit program that identifies hardware components during startup snd sends the information to Ntldr.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
22
Match each term with the correct definition below:
-?The device that reads and writes data to a disk drive.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
-?The device that reads and writes data to a disk drive.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
23
Addresses that allow the MFT to link to nonresident files are known as _______________.
A)virtual cluster numbers
B)logical cluster numbers
C)sequential cluster numbers
D)polarity cluster numbers
A)virtual cluster numbers
B)logical cluster numbers
C)sequential cluster numbers
D)polarity cluster numbers
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
24
What term below describes a column of tracks on two or more disk platters?
A)sector
B)cluster
C)cylinder
D)header
A)sector
B)cluster
C)cylinder
D)header
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
25
What command below can be used to decrypt EFS files?
A)cipher
B)copy
C)efsrecvr
D)decrypt
A)cipher
B)copy
C)efsrecvr
D)decrypt
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
26
Match each term with the correct definition below:
-?The original Microsoft file structure database. It's written to the outermost track of a disk and contains information about each file stored on the drive. PCs use this to organize files on a disk so that the OS can find the files it needs.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
-?The original Microsoft file structure database. It's written to the outermost track of a disk and contains information about each file stored on the drive. PCs use this to organize files on a disk so that the OS can find the files it needs.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
27
Match each term with the correct definition below:
-?Concentric circles on a disk platter where data is stored.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
-?Concentric circles on a disk platter where data is stored.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
28
What hexadecimal code below identifies an NTFS file system in the partition table??
A)?05
B)?07
C)1B
D)A5
A)?05
B)?07
C)1B
D)A5
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
29
Match each term with the correct definition below:
-?A device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
-?A device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
30
What registry file contains user account management and security settings?
A)Default.dat
B)Software.dat
C)SAM.dat
D)Ntuser.dat
A)Default.dat
B)Software.dat
C)SAM.dat
D)Ntuser.dat
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
31
The _______________ executable is the Windows Boot Manager program, which controls boot flow and allows booting multiple OSs.?
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
32
Match each term with the correct definition below:
-?Information contained in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
-?Information contained in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
33
Match each term with the correct definition below:
-A new file system developed for Windows Server 2012. It allows increased stability for disk storage and improved features for data recovery and error checking.?
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
-A new file system developed for Windows Server 2012. It allows increased stability for disk storage and improved features for data recovery and error checking.?
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
34
The purpose of a ______________ is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
35
Match each term with the correct definition below:
-A public?/ private key encryption first used in Windows 2000 on NTFS-formatted disks. The file encrypted with a symmetric key, and then a public?/ private key is used to encrypt the symmetric key.?
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
-A public?/ private key encryption first used in Windows 2000 on NTFS-formatted disks. The file encrypted with a symmetric key, and then a public?/ private key is used to encrypt the symmetric key.?
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
36
___________ are made up of one or more platters coated with magnetic material, and data is stored in a particular way.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
37
The ______________ is the device that reads and writes data to a drive.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
38
Match each term with the correct definition below:
-?The file system that Microsoft created to replace FAT. It uses security features, allows smaller cluster sizes, and uses Unicode, which makes it a more versatile system.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
-?The file system that Microsoft created to replace FAT. It uses security features, allows smaller cluster sizes, and uses Unicode, which makes it a more versatile system.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
39
Match each term with the correct definition below:
-?A file that specifies the Windows path installation and a variety of other startup options.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
-?A file that specifies the Windows path installation and a variety of other startup options.
A)Boot.ini
B)bootstrap process
C)Encryption File System
D)File Allocation Table (FAT)
E)tracks
F)head
G)NTBootdd.sys
H)NTDetect.com
I)NT File System
J)Resilient File System
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
40
_____________ is composed of the unused space in a cluster between the end of an active file's content and the end of the cluster.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
41
When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called Encrypting File System (EFS). Explain how EFS works.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
42
To help prevent loss of information, software vendors, including Microsoft, now provide whole disk encryption. This feature creates new challenges in examining and recovering data from drivers. What are four features offered by whole disk encryption tools that forensics examiners should be aware of?
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
43
What does the $Secure metadata file contain?
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
44
Why are alternate data streams of particular interest when examining NTFS disks?
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
45
What is a partition gap, and how might it be used to hide data?
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
46
With the release of Windows Server 2012, Microsoft created a new file system: Resilient File System (ReFS). State the features that are incorporated into ReFS's design.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
47
Describe both ways in which file or folder information is typically stored in an MFT record.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
48
Describe the three current versions of FAT.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
49
Compare the methods for deleting NTFS files.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
50
Explain the difference between logical addresses and physical addresses in Microsoft file structures.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
