Chapter 05: Working with Windows and CLI Systems


____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.

NTBootdd.sys

____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr.

NTDetect.com

Microsoft's move toward a journaling file system

NTFS

____ was introduced when Microsoft created Windows NT and is still the main file system in Windows 10.

NTFS

____ contains the Windows XP system service dispatch stubs to executable functions and internal support functions.

Ntdll.dll

____ is the physical address support program for accessing more than 4 GB of physical RAM.

Ntkrnlpa.exe

The first data set on an NTFS disk, which starts at sector[0] of the disk and can expand to 16 sectors

Partition Boot Sector

The unused space between partitions

Partition gaps

The purpose of the ____ is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key.

Recovery certificate

When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____.

Registry

Ways data can be appended to existing files

Alternate Data Streams

____ refers to the number of bits in one square inch of a disk platter.

Areal density

Microsoft's utility for protecting drive data

BitLocker

____, located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version.

Boot.ini

On an NTFS disk, immediately after the Partition Boot Sector is the ____.

MFT

Records in the MFT are called ____.

Metadata

In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.

1024

A ____ is a column of tracks on two or more disk platters.

Cylinder

The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are called ____.

Data runs

____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the systemroot\Windows\System32\Drivers folder.

Device drivers

Unused space in a cluster between the end of an active file's content and the end of the cluster

Drive slack

When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____.

EFS

____ is the file structure database that Microsoft originally designed for floppy disks.

FAT

As data is added, the MFT can expand to take up 75% of the NTFS disk.

False

From a network forensics standpoint, there are no potential issues related to using virtual machines.

False

The first 5 bytes (characters) for all MFT records are FILE.

False

Typically, a virtual machine consists of just one file.

False

Gives an OS a road map to data on a disk

File system

The space between each track

Track density

Concentric circles on a disk platter where data is located

Tracks

Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.

True

Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.

True

In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.

True

It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.

True

One way to examine a partition's physical level is to use a disk editor, such as WinHex or Hex Workshop.

True

The type of file system an OS uses determines how data is stored on the disk.

True

An international data format

Unicode

____ is a core Win32 subsystem DLL file.

User32.sys

A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment.

Virtual machine

____ is how most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks.

ZBR

