Chapter 5 Computer Forensics


NTBootdd.sys

A device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.

Bytes in Sector

512

NTDetect.com

A 16-bit program that identifies hardware components during startup and sends the information to Ntldr.

0x1BE

In a Master Boot Record (MBR) partition table, this offset marks the first partition.

Boot.ini

A file that specifies the Windows installation path and a variety of other startup options.

Resilient File System (ReFS)

A new file system developed for Windows Server 2012. It allows increased stability for disk storage and improved features for data recovery and error checking.

Encrypting File System (EFS)

A public/private key encryption first used in Windows 2000 on NTFS-formatted disks. The file is encrypted with a symmetric key, and then a public/private key pair is used to encrypt the symmetric key.

Logical Cluster Numbers

Addresses that allow the MFT to link to nonresident files

Why are alternate data streams of particular interest when examining NTFS disks?

Alternate data streams can obscure valuable evidence data, intentionally or unintentionally

Tracks

Concentric circles on a disk platter where data is stored.

$Secure metadata file

Contains security descriptors (unique security files); this is where the access control list is maintained for all files and folders on the NTFS volume.

exFAT

A file system developed for mobile personal storage devices, such as flash memory devices, Secure Digital eXtended Capacity (SDXC) cards, and memory sticks.

Hexadecimal 07

Identifies an NTFS file system in a partition table

Bootstrap Process

Information contained in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.

Offset 0x14

Length of the header, which indicates where the next attribute starts; it's typically 0x38 bytes.

Offset 0x00

MFT record identifier FILE

Which Microsoft OSs use FAT32?

OSs that require access to drives larger than 2 GB.

MFT record identifier FILE

Offset 0x00 of the MFT header field

When data is deleted on a FAT or NTFS hard drive what happens?

Only the references to it are removed, which leaves the original data on unallocated space.

Resilient File System features

Provides large-scale data access capability, increased stability for disk storage, and improved features for data recovery and error checking.

Offset 0x1C to 0x1F

Size of the MFT record; the default is 0x400 (1024 bytes, or 2 sectors).

B+-tree

The ReFS storage engine uses this sort method for fast access to large data sets.

Hive

The branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and System

efsrecvr

This command can be used to decrypt EFS files.

Head

The device that reads and writes data to a disk drive.

New Technology File System (NTFS)

The file system that Microsoft created to replace FAT. It uses security features, allows smaller cluster sizes, and uses Unicode, which makes it a more versatile system.

$LogFile

The metadata record in the MFT that keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume.

File Allocation Table (FAT)

The original Microsoft file structure database. It's written to the outermost track of a disk and contains information about each file stored on the drive. PCs use this to organize files on a disk so that the OS can find the files it needs.

Recovery certificate

The purpose of this is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key.

Software.dat

The registry file that contains installed programs' settings and associated usernames and passwords

SAM.dat

The registry file that contains user account management and security settings

Zone bit recording (ZBR)

The technique most manufacturers use in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks.

Geometry

The term used to describe a disk's logical structure of platters, tracks, and sectors.

cylinders

The term that describes a column of tracks on two or more disk platters.

TrueCrypt

The third-party encryption tool that creates a virtual encrypted volume, which is a file mounted as though it were a disk drive.

Offset 0x32 and 0x33

The update sequence array

Disk Drive

These are made up of one or more platters coated with magnetic material, and data is stored in a particular way.

echo text > myfile.txt:stream_name

This command creates an alternate data stream.

Delete

This command inserts a hex E5 (0xE5) in a filename's first letter position in the associated directory entry.

Bootmgr.exe

This executable is the Windows Boot Manager program, which controls boot flow and allows booting multiple OSs.

Valid Configurations of Unicode

UTF-8, UTF-16, UTF-32

Partition Gap

Unused space or void between the primary partition and the first logical partition.

How to hide data with a partition gap.

Users can remove references to partitions in Windows to hide data, and use large gaps so that they look unused.

Drive slack

Composed of the unused space in a cluster between the end of an active file's content and the end of the cluster.

Head

The device that reads and writes data to a drive.
