Computer Forensics Chapter 8
What is meant by slurred image?
the result of acquiring a file as it is being updated
Which of the following is the definition of power-on self test (POST)?
this is a brief hardware test the BIOS performs upon boot-up
A __________is a software program that appears to be a physical computer and executes programs as if it were a physical computer.
virtual machine
All versions of Windows support logging. The __________ log(s) contains events logged by Windows system components. This includes events like driver failures.
System
Which of the following is a repository of all the information on a Windows system?
registry
The Swap File is also referred to as virtual memory.
True
__________ is a storage controller device driver in Windows.
Ntbootdd.sys
A number of tools and even some Windows utilities are available that can help you to analyze live data on a Windows system. __________ enumerates processes and threads in a memory dump. It uses a brute-force approach to enumerating the processes and uses various rules to determine whether the information is either a legitimate process or just bytes.
PTFinder
The program that handles tasks like creating threads, console windows, and so forth in Windows is __________.
Csrss.exe
A command-line operating system is the definition of which of the following options?
Disk Operating System (DOS)
Which of the following is the definition of heap (H)?
Dynamic memory for a program comes from the heap segment; a process may use a memory allocator such as malloc to request dynamic memory
All versions of Windows support logging. The Application log records both successful and unsuccessful logon events.
False
All versions of Windows support logging. The Security log contains events logged by Windows system components.
False
All versions of Windows support logging. The System log is used to store events collected from remote computers.
False
Hive refers to memory that is allocated based on the last-in, first-out (LIFO) principle.
False
Most people became familiar with Windows with the release of Windows 95.
False
The ForwardedEvents log has both successful and unsuccessful logon events recorded.
False
The term Disk Operating System (DOS) describes memory that is allocated based on the last-in, first-out (LIFO) principle.
False
The term dump refers to the act of ensuring the data that is extracted is consistent.
False
The term master boot record (MBR) refers to a brief hardware test that the BIOS performs upon boot-up.
False
Windows 98 was the first Windows version to have a firewall.
False
The Windows Registry is organized into five sections. The __________ section stores information about drag-and-drop rules, program shortcuts, the user interface, and related items.
HKEY_CLASSES_ROOT (HKCR)
The Windows Registry is organized into five sections. The __________ section contains those settings common to the entire machine, regardless of the individual user.
HKEY_LOCAL_MACHINE (HKLM)
The Windows Registry is organized into five sections. The __________ section is very critical to forensic investigations. It has profiles for all the users, including their settings.
HKEY_USERS (HKU)
__________ is a Windows file that is an interface for hardware.
Hal.dll
A number of tools and even some Windows utilities are available that can help you to analyze live data on a Windows system. __________ can tell you system uptime (time since last reboot), operating system details, and other general information about the system.
PsInfo
A number of tools and even some Windows utilities are available that can help you to analyze live data on a Windows system. Use __________ to view process and thread statistics on a system.
PsList
The Windows swap file is used to augment the __________.
RAM
A dump is a complete copy of every bit of memory or cache recorded in permanent storage or printed on paper.
True
A virtual machine is a software program that appears to be a physical computer and executes programs as if it were a physical computer.
True
All versions of Windows support logging. The Applications and Services log is used to store events from a single application or component rather than events that might have system-wide impact.
True
All versions of Windows support logging. The System log contains events logged by Windows system components. This includes events like driver failures.
True
Alternate data streams are essentially a method of attaching one file to another file, using the NTFS file system.
True
Memory allocated based on the last-in first-out (LIFO) principle is the definition of stack (S).
True
The Windows Registry is a repository of all the information on a Windows system.
True
The term power-on self test (POST) refers to a brief hardware test that the BIOS performs upon boot-up.
True
Userdump is a command-line tool for dumping basic user info from Windows-based systems.
True
Volatile memory analysis is a live system forensic technique in which you collect a memory dump and perform analysis in an isolated environment.
True
When an individual connects to a wireless network, the service set identifier (SSID) is logged as a preferred network connection. This information can be found in the Windows Registry.
True
Windows 95 and 98 used the FAT32 file system.
True
__________ is a live-system forensic technique in which you collect a memory dump and perform analysis in an isolated environment.
Volatile memory analysis
Which of the following is the definition of dump?
a complete copy of every bit of memory or cache recorded in permanent storage or printed on paper
The basic instructions stored on a chip for booting up the computer is the definition of __________.
basic input/output system (BIOS)
Maintaining __________ is a problem with live system forensics in which data is not acquired at a unified moment.
data consistency
What term is used to describe one of the five sections of the Windows Registry?
hive
The Windows Registry is organized into five sections referred to as __________.
hives
The Windows program that handles security and logon policies is __________.
lsass.exe
Which of the following is the definition of stack (S)?
memory is allocated based on the last-in, first-out (LIFO) principle
Windows has a number of files. A program that queries the computer for basic device/configuration data like time/date from CMOS, system bus types, disk drives, ports, and so on is __________.
ntdetect.com
What name is given to the result of acquiring a file as it is being updated?
slurred image
Essentially, a __________ is a special place on the hard drive where items from memory can be temporarily stored for fast retrieval.
swap file
Which of the following is the definition of basic input/output system (BIOS)?
the basic instructions stored on a chip for booting up the computer