Forensics Exam 1 - Quiz 6
____ refers to the number of bits in one square inch of a disk platter.
Areal density
____ is a batch file containing customized settings for MS-DOS that runs automatically.
Autoexec.bat
____, located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version.
Boot.ini
The ____ file provides a command prompt when booting to MS-DOS mode (DPMI).
Command.com
____ is a text file containing commands that typically run only at system startup to enhance the computer's DOS configuration.
Config.sys
ways data can be appended to existing files
Data streams
____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %system-root%\Windows\System32\Drivers folder.
Device drivers
unused space in a cluster between the end of an active file and the end of the cluster
Drive slack
When Microsoft introduced Windows 2000, it added built-in encryption to NTFS called ____.
EFS
____ is the file structure database that Microsoft originally designed for floppy disks.
FAT
As data is added, the MFT can expand to take up 75% of the NTFS disk. (T/F)
False
The first 5 bytes (characters) for all MFT records are MFTR0. (T/F)
False
gives an OS a road map to data on a disk
File system
______ refers to a disk's structure of platters, tracks, and sectors.
Geometry
On an NTFS disk, immediately after the Partition Boot Sector is the ____.
MFT
On Windows and DOS computer systems, the ______ stores information about partitions on a disk and their locations, size, and other important items.
Master Boot Record
____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.
NTBootdd.sys
Microsoft's move toward a journaling file system
NTFS
____ was introduced when Microsoft created Windows NT and is the primary file system for Windows Vista.
NTFS
On an NTFS disk, the first data set is the ______, which starts at sector 0 of the disk.
Partition Boot Sector
the unused space between partitions
Partition gap
When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____.
Registry
the space between each track
Track density
concentric circles on a disk platter where data is located
Tracks
Data streams can obscure valuable evidentiary data, intentionally or by coincidence. (T/F)
True
One way to examine a partition's physical level is to use a disk editor, such as Norton DiskEdit, WinHex, or Hex Workshop. (T/F)
True
The type of file system an OS uses determines how data is stored on the disk. (T/F)
True
an international data format
Unicode
____ is how most manufacturers deal with a platter's inner tracks being shorter than its outer tracks.
ZBR
In Microsoft file structures, sectors are grouped to form ______, which are storage allocation units of one or more sectors.
clusters
A ____ is a column of tracks on two or more disk platters.
cylinder
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are referred to as ____.
data runs
Drive slack includes RAM slack (found primarily in older Microsoft OSs) and ______ slack.
file slack
Records in the MFT are referred to as ____.
metadata
The purpose of the ____ is to provide a mechanism for recovering encrypted files under EFS if there's a problem with the user's original private key.
recovery certificate
A ____ allows you to create a representation of another computer on an existing physical computer.
virtual machine