Working with Windows and CLI Systems (Module 5 Review) - [Computer Forensics]

What feature of NTFS systems can be used to obscure information that might be used as evidence in an investigation?

ADS

NTFS data encryption is achieved with which of the following technologies?

EFS

Which of the following is NOT an example of a Microsoft filesystem?

FAT28

BIOS boot firmware was developed to provide better protection against malware than EFI does developed?

False

Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible.

False

EFS can encrypt which of the following?

Files, folders, and volumes

Which of the following keeps a record of attached hardware, user preferences, network connections, and installed software?

Registry

Virtual machines have which of the following limitations when running on a host computer?

Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.

List two features NTFS has that FAT does not.

Unicode characters and better security

Clusters in Windows always begin numbering at what number?

2

In FAT32, a 123-KB file uses how many sectors?

246

How many sectors are typically in a cluster on a disk drive?

4 or more

On a Windows system, sectors typically contain how many bytes?

512

Which of the following is used to store information about disk partitions?

MBR

What does the Ntuser.dat file contain?

MRU files list

Which of the following Windows 8 files contains user-specific information?

Ntuser.dat

Areal density refers to which of the following?

Number of bits per square inch of a disk platter

What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?

The file is unencrypted automatically.

What is the space on a drive called when a file is deleted?

Unallocated space

A virtual cluster number represents the assigned clusters of files that are nonresident in the MFT.

True

An image of a suspect drive can be loaded on a virtual machine.

True

CHS stands for cylinders, heads, and sectors.

True

Device drivers contain instructions for the OS on how to interface with hardware devices.

True

File and directory names are some of the items stored in the FAT database.

True

In NTFS, files smaller than 512 bytes are stored in the MFT.

True

MFT stands for Master File Table.

True