Computer Forensics, Chapter 5
What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume?
$LogFile
What hexadecimal code below identifies an NTFS file system in the partition table?
07
A Master Boot Record (MBR) partition table marks the first partition starting at what offset?
0x1BE
The ReFS storage engine uses a __________ sort method for fast access to large data sets.
B+ tree
A file that specifies the Windows path installation and a variety of other startup options.
Boot.ini
What term below describes a column of tracks on two or more disk platters?
Cylinder
A public/private key encryption first used in Windows 2000 on NTFS-formatted disks. The file is encrypted with a symmetric key, and then a public/private key is used to encrypt the symmetric key.
Encryption File System
A computer stores system configuration and date and time information in the BIOS when power to the system is off.
False
FAT32 is used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0.
False
The original Microsoft file structure database. It's written to the outermost track of a disk and contains information about each file stored on the drive. PCs use this to organize files on a disk so that the OS can find the files it needs.
File Allocation Table (FAT)
What term is used to describe a disk's logical structure of platters, tracks, and sectors?
Geometry
The file system that Microsoft created to replace FAT. It uses security features, allows smaller cluster sizes, and uses Unicode, which makes it a more versatile system.
NT File system
A device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.
NTBootdd.sys
A 16-bit program that identifies hardware components during startup and sends the information to Ntldr.
NTDetect.com
A new file system developed for Windows Server 2012. It allows increased stability for disk storage and improved features for data recovery and error checking.
Resilient File System (RFS)
What registry file contains user account management and security settings?
SAM.dat
When using the File Allocation Table (FAT), where is the FAT database typically written to?
The outermost track
When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space.
True
What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive?
TrueCrypt
Which of the following is not a valid configuration of Unicode?
UTF-64
Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks?
Zone Bit Recorder (ZBR)
Information contained in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.
bootstrap process
The ___________ command inserts a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry.
delete
Which of the following commands creates an alternate data stream?
echo text > myfile.txt:stream_name
Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDXC), and memory sticks:
exFAT
The device that reads and writes data to a disk drive
head
Addresses that allow the MFT to link to nonresident files are known as _______________.
logical cluster numbers
Concentric circles on a disk platter where data is stored
tracks
What does the MFT header field at offset 0x00 contain?
The MFT record identifier FILE