Chapter 05: Working with Windows and CLI Systems

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Microsoft's utility for protecting drive data

BitLocker

The unused space between partitions

Partition gap

Which certificate provides a mechanism for recovering files encrypted with EFS if there is a problem with the user's original private key?

Recovery certificate

The type of file system an OS uses determines how data is stored on the disk.

True

An international data format

Unicode

Which filename refers to a core Win32 subsystem DLL file?

User32.sys

Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr?

NTDetect.com

Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?

NTFS

Which filename refers to the Windows XP system service dispatch stubs to executables functions and internal support functions?

Ntdll.dll

Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM?

Ntkrnlpa.exe

The first data set on an NTFS disk, which starts at sector[0] of the disk and can expand to 16 sectors

Partition Boot Sector

What enables the user to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment?

A virtual machine

Ways data can be appended to existing files

Alternate data streams

What term refers to the number of bits in one square inch of a disk platter?

Areal density

What are BitLocker's current hardware and software requirements?

BitLocker's current hardware and software requirements are as follows: * A computer capable of running Windows Vista or later (non-home editions) * The Trusted Platform Module (TPM) microchip, version 1.2 or newer * A computer BIOS compliant with Trusted Computing Group (TCG) * Two NTFS partitions for the OS and an active system volume with available space * The BIOS configured so that the hard drive boots first before checking the CD/DVD drive or other bootable peripherals

How are disk clusters numbered by Microsoft file structures?

Clusters are numbered sequentially starting at 0 in NTFS and 2 in FAT. The first sector of all disks contains a system area, the boot record, and a file structure database. The OS assigns these cluster numbers, which are referred to as logical addresses. They point to relative cluster positions; for example, cluster address 100 is 98 clusters from cluster address 2. Sector numbers, however, are referred to as physical addresses because they reside at the hardware or firmware level and go from address 0 (the first sector on the disk) to the last sector on the disk. Clusters and their addresses are specific to a logical disk drive, which is a disk partition.

What specifies the Windows XP path installation and contains options for selecting the Windows version?

Boot.ini

When Microsoft created Windows 95, into what were initialization (.ini) files consolidated?

The registry

What contains instructions for the OS for hardware devices, such as the keyboard, mouse, and video card?

Device drivers

What are records in the MFT called?

Inodedata

What is on an NTFS disk immediately after the Partition Boot Sector?

MFT

Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS?

NTBootdd.sys

Microsoft's move toward a journaling file system

NTFS

One way to examine a partition's physical level is to use a disk editor, such as WinHex, or Hex Workshop.

True

In the NTFS MFT, all files and folders are stored in separate records of how many bytes each?

1024

What term refers to a column of tracks on two or more disk platters?

Cylinder

What are some of the features offered by current whole disk encryption tools?

Current whole disk encryption tools offer the following features that computer forensics examiners should be aware of: * Preboot authentication, such as a single sign-on password, fingerprint scan, or token (USB device) * Full or partial disk encryption with secure hibernation, such as activating a password-protected screen saver * Advanced encryption algorithms, such as AES and IDEA * Key management function that uses a challenge-and-response method to reset passwords or passphrases

The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. What are these cluster addresses called?

Data runs

Unused space in a cluster between the end of an active file's content and the end of the cluster

Drive slack

What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced?

EFS

Which acronym refers to the file structure database that Microsoft originally designed for floppy disks?

FAT

As data is added, the MFT can expand to take up 75% of the NTFS disk.

False

From a network forensics standpoint, there are no potential issues related to using virtual machines.

False

The first 5 bytes (characters) for all MFT records are FILE.

False

Typically, a virtual machine consists of just one file.

False

Gives an OS a road map to data on a disk

File system

What are some of the components of a disk drive?

Following is a list of disk drive components: * Geometry—Geometry refers to a disk's logical structure of platters, tracks, and sectors. * Head—The head is the device that reads and writes data to a drive. There are two heads per platter that read and write the top and bottom sides. * Tracks—Tracks are concentric circles on a disk platter where data is located. * Cylinders—A cylinder is a column of tracks on two or more disk platters. Typically, each platter has two surfaces: top and bottom. * Sectors—A sector is a section on a track, usually made up of 512 bytes.

Describe some third-party disk encryption tools.

The following list describes some available third-party WDE utilities: • Endpoint Encryption (www.symantec.com/products/endpoint-encryption) can be used on PCs, laptops, and removable media to secure an entire disk volume. This tool works in Windows Server 2008 and later and Windows 7 and later. • Voltage SecureFile (www.voltage.com/products/data-security/hpe-securefile/) is designed for an enterprise computing environment. • Jetico BestCrypt Volume Encryption (www.jetico.com/products/personal-privacy/bestcrypt-volume-encryption) provides WDE for older MS-DOS and current Windows systems.

Summarize the evolution of FAT versions.

The following list summarizes the evolution of FAT versions: * FAT12—This version is used specifically for floppy disks, so it has a limited amount of storage space. It was originally designed for MS-DOS 1.0, the first Microsoft OS, used for floppy disk drives and drives up to 16 MB. * FAT16—To handle large disks, Microsoft developed FAT16, which is still used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.5 and 4.0. FAT16 supports disk partitions with a maximum storage capacity of 4 GB. * FAT32—When disk technology improved and disks larger than 2 GB were created, Microsoft released FAT32, which can access larger drives. * exFAT—Developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDCX), and memory sticks. The exFAT file system can store very large files, such as digital images, video, and audio files. * VFAT—Developed to handle files with more than eight-character filenames and three-character extensions; introduced with Windows 95. VFAT is an extension of other FAT file systems.

Briefly explain NTFS compressed files.

To improve data storage on disk drives, NTFS provides compression similar to FAT DriveSpace 3, a Windows 98 compression utility. With NTFS, you can compress files, folders, or entire volumes. With FAT16, you can compress only a volume. On a Windows NT or later system, compressed data is displayed normally when you view it in Windows Explorer or applications such as Microsoft Word. During an investigation, typically you work from an image of a compressed disk, folder, or file. Most forensics tools can uncompress and analyze compressed Windows data, including data compressed with the Lempel-Ziv-Huffman (LZH) algorithm and in formats such as PKZip, WinZip, and GNU gzip. However, forensics tools might have difficulty with third-party compression utilities, such as the .rar format. If you identify third-party compressed data, you need to uncompress it with the utility that created it.

What are logical cluster numbers (LCNs)?

To understand how data runs are assigned for nonresident MFT records, you should know that when a disk is created as an NTFS file structure, the OS assigns logical clusters to the entire disk partition. These assigned clusters, called logical cluster numbers (LCNs), are sequentially numbered from the beginning of the disk partition, starting with the value 0. LCNs become the addresses that allow the MFT to link to nonresident files (files outside the MFT) on the disk's partition.

The space between each track

Track density

Concentric circles on a disk platter where data is located

Tracks

Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.

True

Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.

True

In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.

True

It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.

True

Briefly describe how to delete FAT files.

When a file is deleted in Windows Explorer or with the MS-DOS delete command, the OS inserts a HEX E5 (0xE5) in the filename's first letter position in the associated directory entry. This value tells the OS that the file is no longer available and a new file can be written to the same cluster location. In the FAT file system, when a file is deleted, the only modifications made are that the directory entry is marked as a deleted file, with the HEX E5 character replacing the first letter of the filename, and the FAT chain for that file is set to 0. The data in the file remains on the disk drive. The area of the disk where the deleted file resides becomes unallocated disk space (also called "free disk space"). The unallocated disk space is now available to receive new data from newly created files or other files needing more space as they grow. Most forensics tools can recover data still residing in this area.

How can you make sure a subject's computer boots to a forensic floppy disk or CD?

When a subject's computer starts, you must make sure it boots to a forensically configured CD, DVD, or USB drive, because booting to the hard disk overwrites and changes evidentiary data. To do this, you access the CMOS setup by monitoring the computer during the bootstrap process to identify the correct key or keys to use. The bootstrap process, which is contained in ROM, tells the computer how to proceed. As the computer starts, the screen usually displays the key or keys, such as the Delete key, you press to open the CMOS setup screen. You can also try unhooking the keyboard to force the system to tell you what keys to use. The key you press to access CMOS depends on the computer's BIOS. If necessary, you can change the boot sequence so that the OS accesses the CD/DVD drive, for example, before any other boot device. Each BIOS vendor's screen is different, but you can refer to the vendor's documentation or Web site for instructions on changing the boot sequence.

How do most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks?

ZBR


Ensembles d'études connexes

ευκαρυωτικα κυτταρα

View Set

FIT Midterm Review, Microsoft PowerPoint Skills Project, Excel Unit D Terms, Excel: Chapter 3, ComSt 102 Exam 2, Excel 2010 - Comprehensive, Microsoft PowerPoint Fundamentals, PowerPoint Chapter 1, PowerPoint 2: Fundamentals, Powerpoint Lesson 1 and...

View Set

Mandatory Reporting of Child Abuse

View Set

Chapter 26 Fluid, Electrolyte, and acid-base balance

View Set