Computer Forensics Chapter 8

What is meant by slurred image?

the result of acquiring a file as it is being updated

Which of the following is the definition of power-on self test (POST)?

this is a brief hardware test the BIOS performs upon boot-up

A __________is a software program that appears to be a physical computer and executes programs as if it were a physical computer.

virtual machine

All versions of Windows support logging. The __________ log(s) contains events logged by Windows system components. This includes events like driver failures.

System

Which of the following is a repository of all the information on a Windows system?

registry

The Swap File is also referred to as virtual memory.

True

__________ is a storage controller device driver in Windows.

Ntbootdd.sys

A number of tools and even some Windows utilities are available that can help you to analyze live data on a Windows system. __________ enumerates processes and threads in a memory dump. It uses a brute-force approach to enumerating the processes and uses various rules to determine whether the information is either a legitimate process or just bytes.

PTFinder

The program that handles tasks like creating threads, console windows, and so forth in Windows is __________.

Crss.exe

A command-line operating system is the definition of which of the following options?

Disk Operating System (DOS)

Which of the following is the definition of heap (H)?

Dynamic memory for a program comes from the heap segment; a process may use a memory allocator such as malloc to request dynamic memory

All versions of Windows support logging. The Application log records both successful and unsuccessful logon events.

False

All versions of Windows support logging. The Security log contains events logged by Windows system components.

False

All versions of Windows support logging. The System log is used to store events collected from remote computers.

False

Hive refers to memory that is allocated based on the last-in, first-out (LIFO) principle.

False

Most people became familiar with Windows with the release of Windows 95.

False

The ForwardedEvents log has both successful and unsuccessful logon events recorded.

False

The term Disk Operating System (DOS) describes memory that is allocated based on the last-in, first-out (LIFO) principle.

False

The term dump refers to the act of ensuring the data that is extracted is consistent.

False

The term master boot record (MBR) refers to a brief hardware test that the BIOS performs upon boot-up.

False

Windows 98 was the first Windows version to have a firewall.

False

The Windows Registry is organized into five sections. The __________ section stores information about drag-and-drop rules, program shortcuts, the user interface, and related items.

HKEY_CLASSES_ROOT (HKCR)

The Windows Registry is organized into five sections. The __________ section contains those settings common to the entire machine, regardless of the individual user.

HKEY_LOCAL_MACHINE (HKLM)

The Windows Registry is organized into five sections. The __________ section is very critical to forensic investigations. It has profiles for all the users, including their settings.

HKEY_USERS (HKU)

__________ is a Windows file that is an interface for hardware.

Hal.dll

A number of tools and even some Windows utilities are available that can help you to analyze live data on a Windows system. __________ can tell you system uptime (time since last reboot), operating system details, and other general information about the system.

PsInfo

A number of tools and even some Windows utilities are available that can help you to analyze live data on a Windows system. Use __________ to view process and thread statistics on a system.

PsList

The Windows swap file is used to augment the __________.

RAM

A dump is a complete copy of every bit of memory or cache recorded in permanent storage or printed on paper.

True

A virtual machine is a software program that appears to be a physical computer and executes programs as if it were a physical computer.

True

All versions of Windows support logging. The Applications and Services log is used to store events from a single application or component rather than events that might have system-wide impact.

True

All versions of Windows support logging. The System log contains events logged by Windows system components. This includes events like driver failures.

True

Alternate data streams are essentially a method of attaching one file to another file, using the NTFS file system.

True

Memory allocated based on the last-in, first-out (LIFO) principle is the definition of stack (S).

True

The Windows Registry is a repository of all the information on a Windows system.

True

The term power-on self test (POST) refers to a brief hardware test that the BIOS performs upon boot-up.

True

Userdump is a command-line tool for dumping basic user info from Windows-based systems.

True

Volatile memory analysis is a live system forensic technique in which you collect a memory dump and perform analysis in an isolated environment.

True

When an individual connects to a wireless network, the service set identifier (SSID) is logged as a preferred network connection. This information can be found in the Windows Registry.

True

Windows 95 and 98 used the FAT32 file system.

True

__________ is a live-system forensic technique in which you collect a memory dump and perform analysis in an isolated environment.

Volatile memory analysis

Which of the following is the definition of dump?

a complete copy of every bit of memory or cache recorded in permanent storage or printed on paper

The basic instructions stored on a chip for booting up the computer is the definition of __________.

basic input/output system (BIOS)

Maintaining __________ is a problem with live system forensics in which data is not acquired at a unified moment.

data consistency

What term is used to describe one of the five sections of the Windows Registry?

hive

The Windows Registry is organized into five sections referred to as __________.

hives

The Windows program that handles security and logon policies is __________.

lsass.exe

Which of the following is the definition of stack (S)?

memory that is allocated based on the last-in, first-out (LIFO) principle

Windows has a number of files. A program that queries the computer for basic device/configuration data like time/date from CMOS, system bus types, disk drives, ports, and so on is __________.

ntdetect.com

What name is given to the result of acquiring a file as it is being updated?

slurred image

Essentially, a __________ is a special place on the hard drive where items from memory can be temporarily stored for fast retrieval.

swap file

Which of the following is the definition of basic input/output system (BIOS)?

the basic instructions stored on a chip for booting up the computer
