Quiz 5 INSC 170
Concentric circles on a disk platter where data is located
tracks
Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.
true
In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.
true
It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.
true
The first 5 bytes (characters) for all MFT records are FILE.
true
The type of file system an OS uses determines how data is stored on the disk.
true
An international data format
Unicode
A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment.
virtual machine
____ refers to the number of bits in one square inch of a disk platter.
Areal density
When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____.
Registry
Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.
True
One way to examine a partition's physical level is to use a disk editor, such as WinHex or Hex Workshop.
True
____ is a core Win32 subsystem DLL file.
User32.sys
The space between each track
Track density
As data is added, the MFT can expand to take up 75% of the NTFS disk.
false
From a network forensics standpoint, there are no potential issues related to using virtual machines.
false
Typically, a virtual machine consists of just one file.
false
Gives an OS a road map to data on a disk
file system
In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.
1024
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are called ____.
Data Runs
____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the systemroot\Windows\System32\Drivers folder.
Device drivers
When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____.
EFS
____ is the file structure database that Microsoft originally designed for floppy disks.
FAT
On an NTFS disk, immediately after the Partition Boot Sector is the ____.
MFT
____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.
NTBootdd.sys
____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr.
NTDetect.com
____ was introduced when Microsoft created Windows NT and is still the main file system in Windows 10.
NTFS
____ contains the Windows XP system service dispatch stubs to executable functions and internal support functions.
Ntdll.dll
____ is the physical address support program for accessing more than 4 GB of physical RAM.
Ntkrnlpa.exe
____ is how most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks.
ZBR
Ways data can be appended to existing files
alternate data streams
Microsoft's utility for protecting drive data
BitLocker
____, located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version.
boot.ini
A ____ is a column of tracks on two or more disk platters.
cylinder
Unused space in a cluster between the end of an active file's content and the end of the cluster
drive slack
Records in the MFT are called ____.
metadata
Microsoft's move toward a journaling file system
NTFS
The first data set on an NTFS disk, which starts at sector[0] of the disk and can expand to 16 sectors
partition boot sector
The unused space between partitions
partition gap
The purpose of the ____ is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key.
recovery certificate