Computer Forensics Chapter 5
T or F. BIOS boot firmware was developed to provide better protection against malware than EFI does.
False
T or F. Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible.
False
EFS can encrypt which of the following? Files, folders, and volumes; Certificates and private keys; The global Registry; Network servers
Files, folders, and volumes
Areal density refers to which of the following? Number of bits per disk; Number of bits per partition; Number of bits per square inch of a disk platter; Number of bits per platter
Number of bits per square inch of a disk platter
How many sectors are typically in a cluster on a disk drive? 1; 2 or more; 4 or more; 8 or more
4 or more
List two features NTFS has that FAT does not. MRU records and file attributes; Master File Table and MRU records; Unicode characters and better security; MRU records and less fragmentation
Unicode characters and better security
In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive? 5%; 10%; 15%; None of the above
None of the above
Clusters in Windows always begin numbering at what number? 1; 2; 3; 4
2
In FAT32, a 123-KB file uses how many sectors? 123; 185; 246; 255
246
On a Windows system, sectors typically contain how many bytes? 256; 512; 1024; 2048
512
What does the Ntuser.dat file contain? File and directory names; Starting cluster numbers; File attributes; MRU files list
MRU files list
Which of the following Windows 8 files contains user-specific information? User.dat; Ntuser.dat; System.dat; SAM.dat
Ntuser.dat
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? The file can no longer be encrypted. EFS protection is maintained on the file. The file is unencrypted automatically. Only the owner of the file can continue to access it.
The file is unencrypted automatically.
What is the space on a drive called when a file is deleted? Disk space; Unallocated space; Drive space; None of the above
Unallocated space
T or F. A virtual cluster number represents the assigned clusters of files that are nonresident in the MFT.
True
T or F. An image of a suspect drive can be loaded on a virtual machine.
True
T or F. CHS stands for cylinders, heads, and sectors.
True
T or F. Device drivers contain instructions for the OS on how to interface with hardware devices.
True
T or F. File and directory names are some of the items stored in the FAT database.
True
T or F. In NTFS, files smaller than 512 bytes are stored in the MFT.
True
T or F. MFT stands for Master File Table.
True
Virtual machines have which of the following limitations when running on a host computer? Internet connectivity is restricted to virtual Web sites. Applications can be run on the virtual machine only if they're resident on the physical machine. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. Virtual machines can run only OSs that are older than the physical machine's OS.
Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.