Pre-test Module 6

A deleted compressed file in NTFS is a. easier to discover by a forensics engineer than an uncompressed file because it is smaller. b. harder to discover by a forensics engineer than an uncompressed file because it needs decompression. c. is not possible. d. is something a forensics engineer never comes across.

b. harder to discover by a forensics engineer than an uncompressed file because it needs decompression.

The unallocated clusters on a disk a. are empty. b. may have data from previous allocation. c. are of no interest to forensic engineer. d. are of no interest to operating system.

b. may have data from previous allocation.

Logging, File permissions, compression, encryption and alternate data streams are some of the properties of a. NTSF b. FAT12 c. FAT16 d. FAT32

a. NTSF

In NTFS there are files that store the metadata for files. a. True b. False

a. True

Tracks in a hard disk are defined by the manufacturer. A track consists of a. many sectors. b. one sector. c. one cluster. d. less than one sector.

a. many sectors.

Data is written to or read from the hard disk a. sector (typically 512 bytes) at a time. b. byte at a time. c. word at a time. d. bit at a time.

a. sector (typically 512 bytes) at a time.

The following clusters in FAT16 are unusable by a programmer because they are unaddressable. They are used for information for the operating system, such as media type. a. the first two clusters (0 and 1). b. the last two clusters (511-512). c. any two clusters. d. secret clusters.

a. the first two clusters (0 and 1).

Slack space is the a. unused allocated space to files. b. used allocated space to files. c. space of no interest to hacker. d. space of no interest to forensic engineer.

a. unused allocated space to files.

The partition table in the master boot record (MBR) is stored at byte numbers a. 0-445 b. 446-509 c. 510-511 d. outside of the disk.

b. 446-509

$MFT file is present in all file systems. a. True b. False

b. False

The file encryption key in encrypting file system is encrypted a. using only the users public key so that only s/he can decrypt it to recover the file b. using users and a recovery agent's public keys so that only these keys can decrypt it to recover the file c. using only the users private key so that only s/he can decrypt it to recover the file d. using only the OS public key so that only the OS can decrypt it to recover the file

b. using users and a recovery agent's public keys so that only these keys can decrypt it to recover the file

In FAT12, FAT16 and FAT32, the number (12, 16, 32) is a. the year they were introduced. b. number of bytes per sector. c. number of bits to refer to clusters. d. the FAT versions.

c. number of bits to refer to clusters.

The encrypting file system (EFS) stores the encryption key. a. publicly. b. separately from the file on the disk. c. with the file. d. on the master boot record because it is inaccessible by the user.

c. with the file.

The FAT16 system has a signature 0x55AA in bytes 510-511. FAT32 has a. the same signature at the same location. b. same signatures but at byte numbers 508-511. c. different signatures at the same byte location (510-511). d. 0x55AA0000 at bytes 508-511.

d. 0x55AA0000 at bytes 508-511.

This file system always stores a value of 0x55AA in byte number 510 and 511. a. EXT1 b. NTFS c. UFS2 d. FAT

d. FAT

Alternate data stream was introduced to support a. Windows NTFS files. b. FAT32 files. c. EFS files. d. Macintosh files.

d. Macintosh files.

Recovering files in FAT is not easy when a. they are fragmented. b. clusters have been over-written. c. there are missing entries and/or directories. d. any of the above.

d. any of the above.

In FAT16, 0xFFF7 marks a. end of file. b. end of cluster. c. good cluster. d. bad cluster.

d. bad cluster.

On a hard disk , space is allocated to a file in terms of a. bits. b. bytes. c. sectors. d. clusters.

d. clusters.

On a hard disk drive a. tracks and sectors are logical while clusters and partitions are physical. b. tracks and sectors are physical and also clusters and partitions are physical. c. tracks and sectors are logical and so are clusters and partitions. d. tracks and sectors are physical while clusters and partitions are logical.

d. tracks and sectors are physical while clusters and partitions are logical.