Module 5 Working with Windows and CLI Systems
Clusters in Windows always begin numbering at what number?
2
In FAT32, a 123-KB file uses how many sectors?
246
How many sectors are typically in a cluster on a disk drive?
4 or more
On a Windows system, sectors typically contain how many bytes?
512
NTDetect.com
A 16-bit program that identifies hardware components during startup and sends the information to Ntldr.
ISO image
A file holding the complete contents of a CD or DVD; a bootable ISO image is typically used for installing operating systems. It can also be read by virtualization software when creating a virtual boot disk.
Unicode
A character code representation that's replacing ASCII. It's capable of representing more than 64,000 characters and non-European-based languages.
cylinder
A column of tracks on two or more disk platters.
NTBootdd.sys
A device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.
Geometry
A disk drive's internal organization of platters, tracks, and sectors.
virtual hard disk (VHD)
A file representing a system's hard drive that can be booted in a virtualization application and allows running a suspect's computer in a virtual environment.
Resilient File System (ReFS)
A file system developed for Windows Server 2012. It allows increased scalability for disk storage and has improved features for data recovery and error checking.
Boot.ini
A file that specifies the Windows installation path and a variety of other startup options on Windows NT through XP.
partition
A logical drive on a disk. It can be the entire disk or part of the disk.
recovery certificate
A method NTFS uses so that a designated recovery agent (usually a network administrator) can recover EFS-encrypted files if the file's user/creator loses the private key.
head and cylinder skew
A method manufacturers use to minimize lag time. The starting sectors of adjacent tracks are slightly offset from each other to allow for the time it takes to move the read-write head to the next track or switch to the next head.
NT Loader (Ntldr)
A program in the root folder of the system partition that loads the OS. See also BootSect.dos.
Encrypting File System (EFS)
A public/private key encryption method first used in Windows 2000 on NTFS-formatted disks. The file is encrypted with a symmetric key, and then the user's public/private key pair is used to encrypt that symmetric key.
sector
A section on a track, typically made up of 512 bytes.
What feature of NTFS systems can be used to obscure information that might be used as evidence in an investigation?
ADS
American Standard Code for Information Interchange (ASCII)
A 7-bit coding scheme (extended to 8 bits in practice) that assigns numeric values to up to 256 characters, including letters, numerals, punctuation marks, control characters, and other symbols.
wear-leveling
An internal firmware feature used in solid-state drives that spreads writes evenly across all memory cells so no cell wears out early; a consequence is that data can remain in cells the OS no longer maps.
personal identity information (PII)
Any information that can be used to create bank or credit card accounts, such as name, home address, Social Security number, and driver's license number.
Pagefile.sys
The Windows swap file. Data and instruction code are moved in and out of this file to free physical RAM, so it can contain fragments of whatever was in memory, such as logon IDs, passwords, and file contents.
data runs
Cluster addresses where files are stored on a drive's partition outside the MFT record. Data runs are used for nonresident MFT file records. A data run record field consists of three components: the first (header) byte defines how many bytes are used to store the second (run length) and third (cluster offset) components.
Tracks
Concentric circles on a disk platter where data is stored.
NTFS data encryption is achieved with which of the following technologies?
EFS
Virtual machines
Emulated computer environments that simulate hardware and can be used for running OSs separate from the physical (host) computer. For example, a computer running Windows Vista could have a virtual Windows 98 OS, allowing the user to switch between OSs.
Which of the following is NOT an example of a Microsoft filesystem?
FAT28
True or False: BIOS boot firmware was developed to provide better protection against malware than EFI does.
False
True or False: Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible.
False
Device drivers
Files containing instructions for the OS for hardware devices, such as the keyboard, mouse, and video card.
EFS can encrypt which of the following?
Files, folders, and volumes
BootSect.dos
If a machine has multiple booting OSs, NTLDR reads this hidden file to determine the address (boot sector location) of each OS. See also NT Loader (Ntldr).
attribute ID
In NTFS, an MFT record field containing metadata about the file or folder and the file's data or links to the file's data.
Info2 file
In Windows NT through XP, the control file for the Recycle Bin. It contains ASCII data, Unicode data, and the date and time of deletion. (Vista and later replaced it with per-file $I and $R entries.)
private key
In encryption, the key used to decrypt the file. The file owner keeps the private key.
public key
In encryption, the key used to encrypt a file; it can be shared freely, and a certificate authority (a global registry, network server, or company such as VeriSign) vouches for its binding to the owner.
bootstrap process
Information stored in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.
Which of the following is used to store information about disk partitions?
MBR
What does the Ntuser.dat file contain?
MRU files list
Master File Table (MFT)
In NTFS, the database the file system uses to store and link to files. It contains information about access rights, date and time stamps, system attributes, and other metadata about files.
In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?
None; Windows 7 and later zero-fill the unused portion of the last sector instead of writing RAM contents, so RAM slack appears only on older Microsoft OSs.
Which of the following Windows 8 files contains user-specific information?
Ntuser.dat
Areal density refers to which of the following?
Number of bits per square inch of a disk platter
Master Boot Record (MBR)
On Windows and DOS computers, this structure in the first sector of the disk contains the partition table, which records each partition's location, size, type, and other important items.
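The MBR, partition, and partition gap entries above describe a 512-byte structure that is easy to parse directly. The following is an added example, not material from the course text: it builds a constructed sample MBR (two entries, zeroed boot code), decodes the four 16-byte partition entries, and lists the sectors no partition claims, which is where a partition gap can hide data. The partition type names and the sample disk size are assumptions for the example.

```python
"""Parse a Master Boot Record and report unallocated sector ranges.

Added example for illustration; the sample MBR is constructed here, not
taken from any real disk.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

MBR_SIZE = 512
TABLE_OFFSET = 446                 # partition table follows 446 bytes of boot code
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, count
SIGNATURE = b"\x55\xAA"            # last two bytes of a valid MBR
PART_TYPES = {0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
              0x05: "Extended", 0x0F: "Extended (LBA)"}  # common IDs (assumed subset)


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sector_count - 1

    @property
    def type_name(self) -> str:
        return PART_TYPES.get(self.type_id, f"unknown (0x{self.type_id:02X})")


def parse_mbr(sector: bytes) -> List[Partition]:
    """Decode the four primary entries; empty slots are skipped."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing MBR signature 0x55AA")
    parts: List[Partition] = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue  # unused slot
        parts.append(Partition(i + 1, status == 0x80, ptype, start, count))
    return parts


def partition_gaps(parts: List[Partition], disk_sectors: int) -> List[Tuple[int, int]]:
    """Inclusive sector ranges covered by no partition entry: the area after the
    MBR, gaps between partitions, and any tail space at the end of the disk."""
    gaps: List[Tuple[int, int]] = []
    cursor = 1  # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p.start_lba):
        if p.start_lba > cursor:
            gaps.append((cursor, p.start_lba - 1))
        cursor = max(cursor, p.end_lba + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed sample: a bootable NTFS partition at LBA 2048 and a FAT32
    partition that starts 2048 sectors after the first one ends."""
    entries = [
        (0x80, b"\xFE\xFF\xFF", 0x07, b"\xFE\xFF\xFF", 2048, 204800),
        (0x00, b"\xFE\xFF\xFF", 0x0C, b"\xFE\xFF\xFF", 208896, 409600),
    ]
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries) + bytes(32)
    return bytes(TABLE_OFFSET) + table + SIGNATURE


if __name__ == "__main__":
    sample = build_sample_mbr()
    for p in parse_mbr(sample):
        print(f"#{p.index} boot={p.bootable} {p.type_name:16} "
              f"LBA {p.start_lba}-{p.end_lba} ({p.sector_count} sectors)")
    print("unallocated:", partition_gaps(parse_mbr(sample), 1_048_576))
```

On a real image, read the first 512 bytes of the raw device or E01-exported disk and pass them to parse_mbr; the gap list then tells you which sector ranges to carve for data hidden between or after partitions.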
UTF-8 (Unicode Transformation Format)
One of three Unicode encoding forms (with UTF-16 and UTF-32) for representing characters digitally; UTF-8 uses one to four bytes per character and is ASCII-compatible for the first 128 code points.
unallocated disk space
Partition disk space that isn't allocated to a file. This space might contain data from files that have been deleted previously.
Which of the following keeps a record of attached hardware, user preferences, network connections, and installed software?
Registry
clusters
Storage allocation units composed of groups of sectors. Clusters are typically 512, 1024, 2048, or 4096 bytes each, although larger cluster sizes are possible on big volumes.
Hal.dll
The Hardware Abstraction Layer dynamic link library allows the OS kernel to communicate with hardware.
physical addresses
The actual sectors in which files are located. Sectors reside at the hardware and firmware level.
head
The device that reads and writes data to a disk drive.
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?
The file is unencrypted automatically.
High Performance File System (HPFS)
The file system IBM uses for its OS/2 operating system.
NT File System (NTFS)
The file system Microsoft created to replace FAT. NTFS uses security features, allows smaller cluster sizes, and uses Unicode, which makes it a more versatile system. NTFS is used mainly on newer OSs, starting with Windows NT.
Partition Boot Sector
The first data set of an NTFS volume. It starts at sector 0 of the partition (not necessarily of the disk) and can extend up to 16 sectors.
Ntoskrnl.exe
The kernel for the Windows NT family of OSs.
zone bit recording (ZBR)
The method most manufacturers use to deal with a platter's inner tracks being shorter than the outer tracks. Grouping tracks into zones lets the longer outer tracks hold more sectors than the inner tracks, keeping bit density roughly constant across the platter.
areal density
The number of bits per square inch of a disk platter.
logical cluster numbers (LCNs)
The numbers sequentially assigned to each cluster when an NTFS disk partition is created and formatted. The first cluster on an NTFS partition starts at count 0. LCNs become the addresses that allow the MFT to read and write data to the disk's nonresident attribute area. See also data runs and virtual cluster number (VCN).
File Allocation Table (FAT)
The original Microsoft file structure database. It's written to the outermost track of a disk and contains information about each file stored on the drive. PCs use the FAT to organize files on a disk so that the OS can find the files it needs. The variations are FAT12, FAT16, FAT32, VFAT, and FATX.
track density
The number of tracks per inch, which is set by the spacing between tracks on a disk. The smaller the space between tracks, the more tracks on a disk. Older drives with lower track density (wider spacing) allowed the heads to wander.
RAM slack
The unused space between the end of the file (EOF) and the end of the last sector used by the active file in the cluster. Any data residing in RAM at the time the file is saved, such as logon IDs and passwords, can appear in this area, whether the information was saved or not. RAM slack is found mainly in older Microsoft OSs.
file slack
The unused space created when a file is saved. If the allocated space is larger than the file, the remaining space is slack space and can contain passwords, logon IDs, file fragments, and deleted e-mails.
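The sector, cluster, file slack and RAM slack entries above, and the "123-KB file uses 246 sectors" and "clusters begin at 2" questions earlier in the module, are all cluster arithmetic. The following is an added example, not from the course text: it computes, for a file size and cluster size, the sectors touched, clusters allocated, the bytes between EOF and the end of the last sector (the region that held RAM slack on older OSs) and the whole unused sectors after it, and converts a FAT cluster number to an LBA. The 512-byte sector size is the module's assumption; the data-region start LBA in the usage call is made up for the example.

```python
"""Cluster allocation and slack arithmetic for a FAT/NTFS-style volume.

Added example for illustration. Assumes 512-byte sectors, that the file starts
on a cluster boundary, and that no compression or resident (in-MFT) storage applies.
"""
import math
from dataclasses import dataclass

SECTOR_SIZE = 512          # typical Windows sector size
FIRST_DATA_CLUSTER = 2     # FAT numbers data clusters from 2; 0 and 1 are reserved


@dataclass(frozen=True)
class Allocation:
    file_size: int
    cluster_size: int
    sectors_used: int        # sectors that contain file data
    clusters_allocated: int  # clusters the file occupies
    allocated_bytes: int     # clusters_allocated * cluster_size
    sector_slack: int        # EOF to end of last used sector (RAM slack area on old OSs)
    unused_sector_bytes: int # whole sectors in the last cluster with no file data
    total_slack: int         # allocated_bytes - file_size


def allocate(file_size: int, cluster_size: int = 4096) -> Allocation:
    """Lay out a file of file_size bytes on a volume with the given cluster size."""
    if file_size < 0:
        raise ValueError("file size must be non-negative")
    if cluster_size <= 0 or cluster_size % SECTOR_SIZE:
        raise ValueError("cluster size must be a positive multiple of the sector size")
    sectors_used = math.ceil(file_size / SECTOR_SIZE)
    clusters = math.ceil(file_size / cluster_size)
    allocated = clusters * cluster_size
    sector_slack = sectors_used * SECTOR_SIZE - file_size
    total_slack = allocated - file_size
    return Allocation(file_size, cluster_size, sectors_used, clusters, allocated,
                      sector_slack, total_slack - sector_slack, total_slack)


def cluster_to_lba(cluster: int, data_start_lba: int, sectors_per_cluster: int) -> int:
    """Map a FAT cluster number (logical address) to the sector where it begins
    (physical address). Cluster 2 is the first sector of the data region."""
    if cluster < FIRST_DATA_CLUSTER:
        raise ValueError(f"cluster numbers start at {FIRST_DATA_CLUSTER}")
    return data_start_lba + (cluster - FIRST_DATA_CLUSTER) * sectors_per_cluster


if __name__ == "__main__":
    for size in (123 * 1024, 1000):
        a = allocate(size)
        print(f"{size} bytes: {a.sectors_used} sectors, {a.clusters_allocated} clusters, "
              f"sector slack {a.sector_slack} B, unused sectors {a.unused_sector_bytes} B, "
              f"total slack {a.total_slack} B")
    # assumed data region start for the example: LBA 2048, 8 sectors per cluster
    print("cluster 5 begins at LBA", cluster_to_lba(5, 2048, 8))
```

The 1000-byte case shows why the last sector matters: 24 bytes of sector slack follow EOF, then six entire sectors of the 4096-byte cluster hold whatever was there before the file was written.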
file system
The way files are stored on a disk; gives an OS a road map to data on a disk.
True or False: A virtual cluster number represents the assigned clusters of files that are nonresident in the MFT.
True
True or False: An image of a suspect drive can be loaded on a virtual machine.
True
True or False: CHS stands for cylinders, heads, and sectors.
True
True or False: Device drivers contain instructions for the OS on how to interface with hardware devices.
True
True or False: File and directory names are some of the items stored in the FAT database.
True
True or False: In NTFS, files smaller than 512 bytes are stored in the MFT.
True
True or False: MFT stands for Master File Table.
True
What is the space on a drive called when a file is deleted?
Unallocated space
List two features NTFS has that FAT does not.
Unicode characters and better security
drive slack
Unused space in a cluster between the end of an active file and the end of the cluster. It can contain deleted files, deleted e-mail, or file fragments. Drive slack is made up of both file slack and RAM slack. See also file slack and RAM slack.
partition gap
Unused space or void between the primary partition and the first logical partition.
Virtual machines have which of the following limitations when running on a host computer?
Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.
alternate data streams
Ways in which data can be appended to a file (intentionally or not) and potentially obscure evidentiary data. In NTFS, alternate data streams become an additional file attribute.
virtual cluster number (VCN)
When a large file is saved in NTFS, its data is stored outside the MFT record; such files are referred to as nonresident files. The LCN is the physical cluster location on the NTFS partition; the VCN is the file-relative cluster index (0 for the file's first cluster). Each data run maps a range of VCNs to a starting LCN, and a fragmented file has several runs, each run's LCN stored as an offset from the previous run's LCN. See also data runs and logical cluster numbers (LCNs).
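The data runs, LCN, and VCN entries describe one encoding, so one decoder serves all three. The following is an added example, not from the course text: it parses an NTFS data-run byte string into (VCN, length, LCN) runs, handling the signed relative offsets and sparse runs, and resolves a VCN to its LCN. The first sample run list is the widely used textbook example; the second is constructed here to exercise a sparse run and a backward (negative) offset.

```python
"""Decode an NTFS non-resident $DATA attribute's data-run list.

Added example for illustration. Encoding: header byte = (offset size << 4) |
(length size); then an unsigned little-endian run length in clusters, then a
signed little-endian LCN offset relative to the previous run; 0x00 ends the list.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples: the first is the classic three-run example, the second
# has a sparse run (offset size 0) followed by a run that moves backward.
SAMPLE_RUNS = bytes.fromhex("31 38 73 25 34 32 14 01 E5 11 02 31 42 AA 00 03 00")
SPARSE_RUNS = bytes.fromhex("11 10 20 01 08 21 05 F0 FF 00")


@dataclass(frozen=True)
class DataRun:
    start_vcn: int            # first file-relative cluster of this run
    length: int               # clusters in this run
    start_lcn: Optional[int]  # first volume cluster; None for a sparse (unallocated) run


def parse_data_runs(raw: bytes) -> List[DataRun]:
    runs: List[DataRun] = []
    pos, vcn, lcn = 0, 0, 0
    while pos < len(raw):
        header = raw[pos]
        pos += 1
        if header == 0x00:
            break  # end-of-runs marker
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError(f"malformed run header at offset {pos - 1}")
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            start_lcn = None  # sparse run: no clusters on disk, reads as zeros
        else:
            delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn += delta      # offset is relative to the previous run's start LCN
            start_lcn = lcn
        runs.append(DataRun(vcn, length, start_lcn))
        vcn += length
    return runs


def vcn_to_lcn(runs: List[DataRun], vcn: int) -> Optional[int]:
    """Resolve a file-relative cluster to its volume cluster (None if sparse)."""
    for run in runs:
        if run.start_vcn <= vcn < run.start_vcn + run.length:
            if run.start_lcn is None:
                return None
            return run.start_lcn + (vcn - run.start_vcn)
    raise IndexError(f"VCN {vcn} is beyond the end of the file")


def total_clusters(runs: List[DataRun]) -> int:
    return sum(r.length for r in runs)


if __name__ == "__main__":
    for label, raw in (("classic", SAMPLE_RUNS), ("sparse", SPARSE_RUNS)):
        runs = parse_data_runs(raw)
        print(label, [(r.start_vcn, r.length, r.start_lcn) for r in runs],
              "clusters:", total_clusters(runs))
```

To read cluster n of the file from an image, multiply vcn_to_lcn(runs, n) by the cluster size and add the partition's byte offset; the run list itself lives in the nonresident attribute inside the file's MFT record.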
logical addresses
When files are saved, they are assigned to clusters, which the OS numbers sequentially starting at 2. Logical addresses point to relative cluster positions, using these assigned cluster numbers.