Computer Forensics Chapter 5
What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive?
TrueCrypt
List two features NTFS has that FAT does not
Unicode characters, security, journaling
personal identity information (PII)
any information that can be used to create bank or credit card accounts, such as name, home address, SSN, and driver's license number
Encrypting File System
A public/private key encryption first used in Windows 2000 on NTFS-formatted disks.
American Standard Code for Information Interchange (ASCII)
An 8-bit coding scheme that assigns numeric values to up to 256 characters, including letters, numerals, punctuation marks, control characters, and other symbols
Pagefile.sys
At startup, data and instruction code are moved in and out of this file to optimize the amount of physical RAM available during startup
The ReFS storage engine uses a __________ sort method for fast access to large data sets.
B+tree
Windows file that specifies the path installation and a variety of other startup options
Boot.ini
Someone who wants to hide data can create hidden partitions or voids- large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.
False
List three items stored in the FAT database
File and directory names, starting cluster numbers, file attributes, date and time stamps
device drivers
Files containing instructions for the OS for hardware devices, such as the keyboard, mouse and video card
EFS can encrypt which of the following?
Files, folders, and volumes
The mechanism that reads and writes data to a disk drive
Head
BootSect.dos
If a machine has multiple booting OSs, NTLDR reads BootSect.dos, which is a hidden file, to determine the address of each OS
Info2 file
In Windows NT through Vista, the control file for the Recycle Bin
bootstrap process
Information contained in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive
Device drivers contain what kind of information?
Instructions for the OS on how to interface with hardware devices
What's a virtual cluster number?
It represents the assigned clusters of files that are nonresident in the MFT. If a file has become fragmented, it can have two or more VCNs. The first VCN for a nonresident file is listed as 0
What does MTF stand for?
Master File Table
Device driver allowing OS to communicate with SCSI/ATA drives that aren't related to BIOS
NTBootdd.sys
16-bit program that identifies hardware components during startup and sends that information to NTLDR
NTDetect.com
Master File Table (MFT)
NTFS uses this database to store and link to files
In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?
No data from RAM is copied to RAM slack on a disk drive
Which of the following Windows 8 files contains user-specific information?
Ntuser.dat
Areal density refers to which of the following?
Number of bits per square inch of a disk platter
The _____ registry file contains installed programs' settings and associated usernames and passwords.
Software.dat
An image of a suspect drive can be loaded on a virtual machine?
TRUE
In NTFS, files smaller than 512 bytes are stored in the MFT.
TRUE
Why was EFI boot firmware developed?
To provide better protection against malware than BIOS does
Concentric circles on a disk platter where data is stored
Tracks
Drive slack is composed of the unused space in a cluster between the end of an active file's content and the end of the cluster.
True
In FAT32, a 123 KB file uses how many sectors?
246
How many sectors are typically in a cluster on a disk drive?
4 or more
Sectors typically contain how many bytes?
512
NTDetect.com
A 16-bit program that identifies hardware components during startup and sends the information to Ntldr.
Boot.ini
A file that specifies the windows path installation and a variety of other startup options
Clusters in Windows always begin numbering at what number?
2
The ______ metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume.
$LogFile
What hexadecimal code below identifies an NTFS file system in the partition table?
07
A Master Boot Record (MBR) partition table marks the first partition starting at what offset?
0x1BE
What are the functions of a data run's field components in an MFT record?
Data runs have three components: (1) the first declares how many bytes are required in the attribute field to store the number of bytes needed for the second and third components; (2) the second stores the number of clusters assigned to the data run; (3) the third contains the starting cluster address value (the LCN or the VCN)
Zone bit recording is how manufacturers ensure that the outer tracks store as much data as possible.
FALSE
Each MFT record starts with a header identifying it as a resident or nonresident attribute.
False
logical cluster numbers (LCNs)
the numbers sequentially assigned to each cluster when an NTFS disk partition is created and formatted
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?
The file is unencrypted automatically.
NT File System (NTFS)
The file system Microsoft created to replace FAT
Hal.dll
The Hardware Abstraction Layer dynamic link library allows the OS kernel to communicate with hardware
Ntoskrnl.exe
The kernel for the Windows NT family of OSs
File Allocation Table (FAT)
The original Microsoft file structure database
Most manufacturers use _______ in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks.
Zone Bit Recording (ZBR)
ISO image
a bootable file that can be copied to CD or DVD
Unicode
a character code representation that's replacing ASCII
cylinder
a column of tracks on two or more disk platters
NTBootdd.sys
a device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS
geometry
a disk drive's internal organization of platters, tracks, and sectors
virtual hard disk (VHD)
a file representing a system's hard drive that can be booted in a virtualization application and allows running a suspect's computer in a virtual environment
partition
a logical drive on a disk
recovery certificate
a method NTFS uses so that a network administrator can recover encrypted files if the files' user/creator loses the private key encryption code
head and cylinder skew
a method manufacturers used to minimize lag time
Resilient File System (ReFS)
a new file system developed for Windows Server 2012
one-time passphrase
a password used to access special accounts or programs requiring a high level of security, such as a decryption utility for an encrypted drive
NT Loader (Ntldr)
a program located in the root folder of the system partition that loads the OS
sector
a section on a track, typically made up of 512 bytes
registry
a Windows database containing information about hardware and software configurations, network connections, user preferences, setup information, and other critical information
wear-leveling
an internal firmware feature used in solid state drives that ensures even wear of reads/writes for all memory cells
tracks
concentric circles on a disk platter where data is stored
__________ describes a column of tracks on two or more disk platters.
cylinder
What does CHS stand for?
cylinders, heads, sectors
The ___________ command inserts a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry.
delete
The _________ command creates an alternate data stream.
echo text > myfile.txt:stream_name
The ______ command can be used to decrypt EFS files.
efsrecvr
Encrypting File System (EFS) uses a private key method to encrypt files, folders, or disk volumes (partitions).
false
FAT32 is used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0.
false
The GRUB executable is the default Windows Boot Manager program, which controls boot flow and allows booting multiple OSs.
false
The purpose of a CA's Digital Certificate is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key.
false
___________ is used to describe a disk's logical structure of platters, tracks, and sectors.
geometry
The _________ branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and System.
hive
attribute ID
in NTFS, an MFT record field containing metadata about the file or folder and the file's data or links to the file's data
metadata
in NTFS, this term refers to information stored in the MFT
private key
in encryption, the key used to decrypt the file
public key
in encryption, the key used to encrypt a file
data runs
cluster addresses where files are stored on a drive's partition outside the MFT records
Master Boot Record (MBR)
on Windows and DOS computers, this boot disk file contains information about partitions on a disk and their locations, size, and other important items
UTF-8 (Unicode Transformation Format)
one of three formats Unicode uses to translate languages for digital representation
When using the File Allocation Table, the FAT database is typically written to the _________.
outermost track
unallocated disk space
partition disk space that isn't allocated to a file
cluster
storage allocation units composed of groups of sectors.
The MFT header field at offset 0x00 contains _________
the MFT record identifier FILE
physical addresses
the actual sectors in which files are located
head
the device that reads and writes data to a disk drive
High Performance File System (HPFS)
the file system IBM uses for its OS/2 operating system
Partition Boot Sector
the first data set of an NTFS disk
zone bit recording (ZBR)
the method most manufacturers use to deal with a platter's inner tracks being shorter than the outer tracks
areal density
the number of bits per square inch of a disk platter
track density
the space between tracks on a disk
RAM slack
the unused space between the end of the file and the end of the last sector used by the active file in the cluster
file slack
the unused space created when a file is saved
file system
the way files are stored on a disk
What does the Ntuser.dat file contain
this user-protected storage area contains the MRU files list and desktop configuration settings
Access Control List (ACL) information for all files and folders on the NTFS volume is stored in the $Secure metadata file.
true
The ReFS file system offers maximized data availability, improved data integrity, and scalability.
true
When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space.
true
What is the space on a drive called when a file is deleted?
unallocated space (free space)
drive slack
unused space in a cluster between the end of an active file and the end of the cluster.
partition gap
unused space or void between the primary partition and the first logical partition
Virtual machines have which of the following limitations when running on a host computer?
virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices
alternate data streams
ways in which data can be appended to a file and potentially obscure evidentiary data
virtual cluster number (VCN)
when a large file is saved in NTFS, it's assigned a logical cluster number specifying a location on the partition
logical addresses
when files are saved, they are assigned to clusters, which the OS numbers sequentially starting at 2