Computer forensics - quiz 5
The ??? command insets a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry a. delete b. edit c. update d. clear
a
What does the MTF header field at offset 0x00 contain? a. the MFT record identifier FILE b. the size of the MFT record c. the length of the header d. the update sequence array
a
Which of the following commands creates an alternate data stream? a. echo text > myfile. txt:syream_name b. ads create myfile.txt(stream_name) "text" c. cat text myfile.txt=stream_name d. echo text
a
A typical disk drive stores how many bytes in a single sector? a. 8 b. 512 c. 1024 d. 4096
b
Addresses that allow the MFT to link to nonresident files are known as ??? a. virtual cluster numbers b. logical cluster numbers c. sequential cluster numbers d. polarity cluster numbers
b
The ReFs storage engine uses a ??? sort method for fast access to large data sets. a. A+-tree b. B+-tree c. reverse d. numerical
b
What hexadecimal code below identifies an NTFS file system in the partition table? a. 05 b. 07 c. 1B d. A5
b
When using the file allocation table (FAT), where is the FAT database typically written to? a. the innermost track b. the outermost track c. the first sector d. the first partition
b
a master boot record (MBR) partition table marks the first partition starting at what offset? a. 0x1CE b. 0x1BE c. 0x1AE d. 0x1DE
b
Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks? a. disk track recording (DTR) b. zone based areal density (ZBAD) c. zone bit recording (ZBR) d. cylindrical head calculation (CHC)
c
Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital extended capacity (SDCX), and memory sticks: a. FAT12 b. FAT32 c. exFAT d. VFAT
c
What command below can be used to decrypt EFS files? a. cipher b. copy c. efsrecvr d. decrypt
c
What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume? a. $MgyMirr b. $TransAct c. $LogFile d. $Backup
c
What registry file contains installed programs' settings and associated usernames and passwords? a. default.dat b. software.dat c. sam.dat d. ntuser.dat
c
What registry file contains user account management and security settings? a. default.dat b. software.dat c. SAM.dat d Ntuser.dat
c
What term below describes a column of tracks on two or more disk platters? a. sector b. cluster c. cylinder d. header
c
What term is used to describe a disk's logical structure of platters, tracks, and sectors? a. cylinder b. trigonometry c. geometry d. mapping
c
the ??? branches in HKEY_LOCAL_MACHINE/software consist of SAM, security, components, and system a. registry b. storage c. hive d. tree
c
What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive? a. PP full disk encryption b. voltage SecureFile c. BestCrypt d. TrueCrypt
d
Which of the following is not a valid configuration of Unicode? a. UTF-8 b. UTF-16 c. UTF-32 d. UTF-64
d
A computer stores system configuration and date and time information in the BIOS when power to the system is off t/f
false
Each MFT record starts with a header identifying it as a resident or nonresident attribute t/f
false
FAT32 is used on older Microsoft OSs, such as ms-dos 3.0 through 6.22, windows 95 (first release), and windows NT 3.3 and 4.0 t/f
false
Someone who wants to hide data can create hidden partitions or void-large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities t/f
false
When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space t/f
true