Module 5
File and directory names are some of the items stored in the FAT database. True False
True
In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors. True False
True
In NTFS, files smaller than 512 bytes are stored in the MFT. True False
True
It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows. True False
True
MFT stands for Master File Table. True False
True
One way to examine a partition's physical level is to use a disk editor, such as WinHex or Hex Workshop. True False
True
The first 5 bytes (characters) for all MFT records are FILE. True False
True
The type of file system an OS uses determines how data is stored on the disk. True False
True
Typically, a virtual machine consists of just one file. True False
True
What is the space on a drive called when a file is deleted? Disk space Unallocated space Drive space None of the above
Unallocated space
List two features NTFS has that FAT does not. MRU records and file attributes Master File Table and MRU records Unicode characters and better security MRU records and less fragmentation
Unicode characters and better security
What enables the user to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment? A logic machine A logic drive A virtual file A virtual machine
A virtual machine
What term refers to the number of bits in one square inch of a disk platter? Cylinder skew Areal density ZBR Head skew
Areal density
What specifies the Windows XP path installation and contains options for selecting the Windows version? sys BootSec.dos Boot.ini NTDetect.comd. NTBootd
Boot.ini
Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True False
False
EFS can encrypt which of the following? Files, folders, and volumes Certificates and private keys The global Registry Network servers
Files, folders, and volumes
What is on an NTFS disk immediately after the Partition Boot Sector? FAT HPFS MBR MFT
MFT
What does the Ntuser.dat file contain? File and directory names Starting cluster numbers File attributes MRU files list
MRU files list
Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS? Ntoskrnl.exe NTBootdd.sys Hal.dll Boot.ini
NTBootdd.sys
Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr? Boot.ini BootSect.dos Hal.dll NTDetect.com
NTDetect.com
Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10? FAT32 HPFS NTFS VFAT
NTFS
In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive? 5% 10% 15% None of the above
None of the above
Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM? Ntkrnlpa.exe BootSect.dos Io.sys Hal.dll
Ntkrnlpa.exe
Which of the following Windows 8 files contains user-specific information? User.dat Ntuser.dat System.dat SAM.dat
Ntuser.dat
Areal density refers to which of the following? Number of bits per disk Number of bits per partition Number of bits per square inch of a disk platter Number of bits per platter
Number of bits per square inch in a disk platter
Which certificate provides a mechanism for recovering files encrypted with EFS if there is a problem with the user's original private key? Administrator certificate Escrow certificate Root certificate Recovery certificate
Recovery certificate
A virtual cluster number represents the assigned clusters of files that are nonresident in the MFT. True False
True
Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence. True False
True
An image of a suspect drive can be loaded on a virtual machine. True False
True
CHS stands for cylinders, heads, and sectors. True False
True
Device drivers contain instructions for the OS on how to interface with hardware devices. True False
True
Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack. True False
True
Clusters in Windows always begin numbering at what number? 1 2 3 4
2
In FAT32, a 123-KB file uses how many sectors? 123 185 246 255
246
How many sectors are typically in a cluster on a disk drive? 1 2 or more 4 or more 8 or more
4 or more
On a Windows system, sectors typically contain how many bytes? 256 512 1024 2048
512
In the NTFS MFT, all files and folders are stored in separate records of how many bytes each? 1512 2048 2512 1024
1024
What term refers to a column of tracks on two or more disk platters? Head Cylinder Track Sector
Cylinder
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. What are these cluster addresses called? Metadata Metaruns Virtual runs Data runs
Data runs
What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced? LZH EFS RAR VFAT
EFS
Which acronym refers to the file structure database that Microsoft originally designed for floppy disks? VFAT FAT32 NTFS FAT
FAT
As data is added, the MFT can expand to take up 75% of the NTFS disk. True False
False
BIOS boot firmware was developed to provide better protection against malware than EFI does. True False
False
From a network forensics standpoint, there are no potential issues related to using virtual machines. True False
False
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? The file can no longer be encrypted. EFS protection is maintained on the file. The file is unencrypted automatically. Only the owner of the file can continue to access it.
The file is unencrypted automatically
When Microsoft created Windows 95, into what were initialization (.ini) files consolidated? The registry The inidata The inirecord The metadata
The registry
Virtual machines have which of the following limitations when running on a host computer? Internet connectivity is restricted to virtual Web sites. Applications can be run on the virtual machine only if they're resident on the physical machine. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. Virtual machines can run only OSs that are older than the physical machine's OS.
Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.