ITN 276 quiz 8


A __________is a software program that appears to be a physical computer and executes programs as if it were a physical computer.

virtual machine

The Windows __________ log contains successful and unsuccessful logon events.

Security

__________ is a storage controller device driver in Windows.

Ntbootdd.sys

Which tool uses a brute-force approach to enumerating processes and threads in a memory dump from a Windows system?

PTFinder

What is the definition of dump?

A complete copy of every bit of memory or cache recorded in permanent storage or printed on paper

The program that handles tasks like creating threads, console windows, and so forth in Windows is __________.

Csrss.exe

In Windows, file permissions never change when moving a file.

False

In modern versions of Windows, you can view event logs in File Explorer.

False

The Windows ForwardedEvents log has both successful and unsuccessful logon events recorded.

False

The Windows Security log contains events logged by Windows system components.

False
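The items above say where logon events live (the Security log, not File Explorer and not ForwardedEvents by default) but not how to get at them. The following is an added example, not part of the quiz: it pulls recent successful (4624) and failed (4625) logons from the Security log with Get-WinEvent, parses the event XML, and summarizes failures per account. Event IDs 4624/4625 and the field names are standard Windows values; the logon-type filter at the end (2 = console, 10 = RDP) is one triage choice among many.

```powershell
# Added example: summarize logon successes/failures from the Security log.
# Must run elevated (or as a member of Event Log Readers): the Security log is not world-readable.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents 200 -ErrorAction Stop

$summary = foreach ($e in $events) {
    # Each event carries its fields as <Data Name="..."> elements; flatten them into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Outcome   = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType = $data['LogonType']
        Source    = $data['IpAddress']
        Status    = $data['Status']     # NTSTATUS code; only meaningful on 4625
    }
}

# Failures grouped by account: a quick password-spray / brute-force check.
$summary | Where-Object Outcome -eq 'Failure' |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Interactive successes: LogonType 2 = local console, 10 = RemoteInteractive (RDP).
$summary | Where-Object { $_.Outcome -eq 'Success' -and $_.LogonType -in '2', '10' } |
    Format-Table Time, User, LogonType, Source -AutoSize
```

Swapping `LogName = 'Security'` for `'ForwardedEvents'` only returns events if a collector subscription is feeding that log, which is why the ForwardedEvents item above is false on a default system.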

The Windows Registry is organized into five sections. The __________ section stores information about drag-and-drop rules, program shortcuts, the user interface, and related items.

HKEY_CLASSES_ROOT (HKCR)

The Windows Registry is organized into five sections. The __________ section contains those settings common to the entire machine, regardless of the individual user.

HKEY_LOCAL_MACHINE (HKLM)

The Windows Registry is organized into five sections. The __________ section is critical to forensic investigations. It has profiles for all the users, including their settings.

HKEY_USERS (HKU)

__________ is a Windows file that is an interface for hardware.

Hal.dll

What is the definition of stack (S)?

Memory that is allocated based on the last-in, first-out (LIFO) principle

Which tool can tell you system uptime (time since last reboot), operating system details, and other general information about a Windows system?

PsInfo

Which tool lets you view process and thread statistics on a Windows system?

PsList

The Windows swap file is used to augment the __________.

RAM

What is the repository of all the information on a Windows system?

Registry

Marty is investigating the computer of a cyberstalking suspect. He wanted to check the suspect's browsing history in Microsoft Internet Explorer but it had already been erased. Where else can he look on the computer for browsing history information?

The index.dat file

What is meant by "slurred image"?

The result of acquiring a file as it is being updated

A virtual machine is a software program that appears to be a physical computer and executes programs as if it were a physical computer.

True

Alternate data streams are essentially a method of attaching one file to another file, using the NTFS file system.

True
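An added example, not part of the quiz, that shows what "attaching one file to another" looks like on NTFS: it creates a file, writes a second named stream onto it, lists the streams (the primary data stream is `:$DATA`; anything else is an alternate data stream), and then sweeps a directory for non-default streams. The file name and directory are arbitrary choices for the demo.

```powershell
# Added example: create, enumerate and remove an NTFS alternate data stream (ADS).
# Run on an NTFS volume; ADS are an NTFS feature and are silently dropped on copy to FAT/exFAT.
$path = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $path -Value 'visible content'

# Attach a second stream named "hidden". Explorer and a plain dir still report only the main stream's size.
Set-Content -LiteralPath $path -Stream 'hidden' -Value 'payload that does not show in the file size'

# List every stream on the file. ':$DATA' is the normal content; 'hidden' is the ADS.
Get-Item -LiteralPath $path -Stream * |
    Select-Object FileName, Stream, Length |
    Format-Table -AutoSize

# Read the hidden stream back.
Get-Content -LiteralPath $path -Stream 'hidden'

# Triage sweep: every non-default stream under a directory tree.
# Zone.Identifier (mark-of-the-web written to downloads) is skipped to cut noise; drop that clause to see it too.
Get-ChildItem -LiteralPath $env:TEMP -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
    } |
    Select-Object FileName, Stream, Length

# Clean up the demo stream (the main content stays).
Remove-Item -LiteralPath $path -Stream 'hidden'
```

From cmd.exe, `dir /r` shows the same streams. Forensic imaging tools that read the raw volume capture ADS automatically; file-level copies may not, which is worth checking before relying on a logical copy.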

Information about USB devices that have been connected to a Windows computer is stored in the Windows Registry.

True

Regarding the Windows boot process, the term power-on self test (POST) refers to a brief hardware test that the basic input/output system (BIOS) performs upon boot-up.

True

Some malware on Windows computers modifies the Windows Registry.

True

The Windows Applications and Services log stores events from a single application or component rather than events that might have system-wide impact.

True

The Windows swap file is also referred to as virtual memory.

True

The passphrase needed to connect to a Wi-Fi network on a Windows computer is stored in the Windows Registry.

True

Toolkits that collect volatile memory data rely on the underlying operating system, which is a drawback.

True

Userdump is a command-line tool for dumping basic user information from Windows-based systems.

True

When an individual connects to a wireless network, the service set identifier (SSID) is logged as a preferred network connection.

True
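The USB-device, Wi-Fi and SSID items above all point at the Registry. The following is an added example, not part of the quiz, that reads two of those artifacts on a live system: the USBSTOR enumeration keys (one subkey per attached mass-storage device, named by its serial) and the NetworkList profile keys that record each network the machine has joined with first-seen and last-connected timestamps. The key paths and value names are the standard ones on current Windows; the SYSTEMTIME decoder is written here for the example.

```powershell
# Added example: USB mass-storage history and joined-network profiles from the Registry.
# Read-only. Run elevated on the live system, or load offline SYSTEM/SOFTWARE hive copies and adjust the paths.

# 1. USBSTOR: vendor/product key, then one subkey per device instance.
#    A '&' as the second character of the serial means Windows generated it because the device reported none.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$usbDevices = Get-ChildItem -Path $usbstor -ErrorAction SilentlyContinue | ForEach-Object {
    $device = $_.PSChildName                     # e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26
    Get-ChildItem -Path $_.PSPath | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Device       = $device
            Serial       = $_.PSChildName
            FriendlyName = $props.FriendlyName
            ContainerId  = $props.ContainerID
        }
    }
}
$usbDevices | Format-Table -AutoSize

# 2. NetworkList profiles. DateCreated / DateLastConnected are 16-byte little-endian SYSTEMTIME structures:
#    year, month, dayOfWeek, day, hour, minute, second, millisecond (each a UInt16).
function ConvertFrom-SystemTime([byte[]] $bytes) {
    if (-not $bytes -or $bytes.Length -lt 16) { return $null }
    $f = for ($i = 0; $i -lt 16; $i += 2) { [BitConverter]::ToUInt16($bytes, $i) }
    Get-Date -Year $f[0] -Month $f[1] -Day $f[3] -Hour $f[4] -Minute $f[5] -Second $f[6] -Millisecond $f[7]
}

$profiles = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
Get-ChildItem -Path $profiles -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    $category = switch ($p.Category) { 0 { 'Public' } 1 { 'Private' } 2 { 'Domain' } default { $p.Category } }
    [pscustomobject]@{
        ProfileName   = $p.ProfileName          # the SSID for wireless networks
        Description   = $p.Description
        Category      = $category
        FirstSeen     = ConvertFrom-SystemTime $p.DateCreated
        LastConnected = ConvertFrom-SystemTime $p.DateLastConnected
    }
} | Sort-Object LastConnected -Descending | Format-Table -AutoSize
```

The NetworkList keys record that a network was joined and when, not its key material. On a live system `netsh wlan show profile name="<SSID>" key=clear` displays the stored passphrase for a saved wireless profile, which is the practical way to recover it during an examination.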

When dumping memory on a Windows computer, the forensic examiner may have to work with two types of memory: heap (h) and stack (S).

True

You can install 32-bit programs on a 64-bit system.

True

__________ is a live-system forensic technique in which you collect a memory dump and perform analysis in an isolated environment.

Volatile memory analysis

Maintaining __________ is a problem with live system forensics in which data is not acquired at a unified moment.

data consistency
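The PsInfo/PsList items and the data-consistency item above describe the tools and the problem; the following is an added example, not part of the quiz, of how a responder ties them together. It runs a short, most-volatile-first collection and stamps each artifact with its start and end time and a SHA-256 hash, so the resulting set can be presented as what it is: a sequence of snapshots rather than a single point-in-time image. The Sysinternals directory `$tools` is an assumption (responder-controlled media, tools run with `-accepteula`), as is the output location.

```powershell
# Added example: timestamped, hashed live-response collection in order of volatility.
$tools = 'D:\sysinternals'   # assumption: Sysinternals binaries on responder-controlled, read-only media
$out   = Join-Path $env:TEMP ("live-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $out | Out-Null
$log = Join-Path $out 'collection.log'

# Run one collector, capture stdout+stderr to a file, and log start time, end time, name and hash.
# The two timestamps are the record of the acquisition window for that artifact.
function Invoke-Collect([string] $Name, [scriptblock] $Command) {
    $start = Get-Date
    $file  = Join-Path $out "$Name.txt"
    & $Command 2>&1 | Out-File -FilePath $file -Encoding utf8
    $hash  = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    "{0:o}|{1:o}|{2}|{3}" -f $start, (Get-Date), $Name, $hash | Add-Content -Path $log
}

# Most transient data first: process tree, then network state, then handles, then static system facts.
Invoke-Collect 'pslist'  { & "$tools\pslist.exe" -accepteula -t }     # processes and threads as a tree
Invoke-Collect 'netstat' { netstat -ano }                             # connections with owning PIDs
Invoke-Collect 'handle'  { & "$tools\handle.exe" -accepteula -a }     # open handles, all types
Invoke-Collect 'psinfo'  { & "$tools\psinfo.exe" -accepteula }        # uptime, OS build, install date

Get-Content -Path $log
```

Because every collector here is an ordinary process asking the running kernel for answers, the output is only as trustworthy as that kernel; a rootkit that hides a process from the OS hides it from PsList too. That is the dependence on the underlying operating system the item above calls a drawback, and why a full memory dump analysed offline is preferred when it can be taken.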

The Windows Registry is organized into five sections referred to as __________.

hives

The Windows program that handles security and logon policies is __________.

lsass.exe

A Windows program that queries the computer for basic device or configuration data like time/date from CMOS, system bus types, ports, and so on is __________.

ntdetect.com

On a Windows computer, the __________ is a special place on the hard drive where items from memory can be temporarily stored for fast retrieval.

swap file
