Module 5 Quiz - Forensics
NTFS data encryption is achieved with which of the following technologies? A) EFS B) ADS C) WDE D) ReFS
A) EFS
EFS can encrypt which of the following? A) Files, folders, and volumes B) Certificates and private keys C) The global Registry D) Network servers
A) Files, folders, and volumes
A virtual cluster number represents the assigned clusters of files that are nonresident in the MFT. A) True B) False
A) True
An image of a suspect drive can be loaded on a virtual machine. A) True B) False
A) True
CHS stands for cylinders, heads, and sectors. A) True B) False
A) True
Device drivers contain instructions for the OS on how to interface with hardware devices. A) True B) False
A) True
File and directory names are some of the items stored in the FAT database. A) True B) False
A) True
In NTFS, files smaller than 512 bytes are stored in the MFT. A) True B) False
A) True
MFT stands for Master File Table. A) True B) False
A) True
Clusters in Windows always begin numbering at what number? A) 1 B) 2 C) 3 D) 4
B) 2
On a Windows system, sectors typically contain how many bytes? A) 256 B) 512 C) 1024 D) 2048
B) 512
What feature of NTFS systems can be used to obscure information that might be used as evidence in an investigation? A) MFT B) ADS C) EFS D) MBR
B) ADS
Which of the following is NOT an example of a Microsoft filesystem? A) FAT16 B) FAT28 C) NTFS D) FAT32
B) FAT28
BIOS boot firmware was developed to provide better protection against malware than EFI does developed? A) True B) False
B) False
Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. A) True B) False
B) False
Which of the following Windows 8 files contains user-specific information? A) User.dat B) Ntuser.dat C) System.dat D) SAM.dat
B) Ntuser.dat
What is the space on a drive called when a file is deleted? A) Disk space B) Unallocated space C) Drive space D) None of the above
B) Unallocated space
In FAT32, a 123-KB file uses how many sectors? A) 123 B) 185 C) 246 D) 255
C) 246
How many sectors are typically in a cluster on a disk drive? A) 1 B) 2 or more C) 4 or more D) 8 or more
C) 4 or more
Which of the following is used to store information about disk partitions? A) ReFS B) MFT C) MBR D) EFS
C) MBR
Areal density refers to which of the following? A) Number of bits per disk B) Number of bits per partition C) Number of bits per square inch of a disk platter D) Number of bits per platter
C) Number of bits per square inch of a disk platter
Which of the following keeps a record of attached hardware, user preferences, network connections, and installed software? A) Master Boot Record B) Master File Table C) Registry D) System.dat file
C) Registry
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? A) The file can no longer be encrypted. B) EFS protection is maintained on the file. C) The file is unencrypted automatically. D) Only the owner of the file can continue to access it.
C) The file is unencrypted automatically.
List two features NTFS has that FAT does not. A) MRU records and file attributes B) Master File Table and MRU records C) Unicode characters and better security D) MRU records and less fragmentation
C) Unicode characters and better security
Virtual machines have which of the following limitations when running on a host computer? A) Internet connectivity is restricted to virtual Web sites. B) Applications can be run on the virtual machine only if they're resident on the physical machine. C) Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. D) Virtual machines can run only OSs that are older than the physical machine's OS.
C) Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.
What does the Ntuser.dat file contain? A) File and directory names B) Starting cluster numbers C) File attributes D) MRU files list
D) MRU files list
In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive? A) 5% B) 10% C) 15% D) None of the above
D) None of the above