ITN 276 quiz 8
A __________is a software program that appears to be a physical computer and executes programs as if it were a physical computer.
virtual machine
The Windows __________ log contains successful and unsuccessful logon events.
Security
__________ is a storage controller device driver in Windows.
Ntbootdd.sys
Which tool uses a brute-force approach to enumerating processes and threads in a memory dump from a Windows system?
PTFinder
What is the definition of dump?
A complete copy of every bit of memory or cache recorded in permanent storage or printed on paper
The program that handles tasks like creating threads, console windows, and so forth in Windows is __________.
Csrss.exe
In Windows, file permissions never change when moving a file.
False
In modern versions of Windows, you can view event logs in File Explorer.
False
The Windows ForwardedEvents log has both successful and unsuccessful logon events recorded.
False
The Windows Security log contains events logged by Windows system components.
False
The Windows Registry is organized into five sections. The __________ section stores information about drag-and-drop rules, program shortcuts, the user interface, and related items.
HKEY_CLASSES_ROOT (HKCR)
The Windows Registry is organized into five sections. The __________ section contains those settings common to the entire machine, regardless of the individual user.
HKEY_LOCAL_MACHINE (HKLM)
The Windows Registry is organized into five sections. The __________ section is critical to forensic investigations. It has profiles for all the users, including their settings.
HKEY_USERS (HKU)
__________ is a Windows file that is an interface for hardware.
Hal.dll
What is the definition of stack (S)?
Memory that is allocated based on the last-in, first-out (LIFO) principle
Which tool can tell you system uptime (time since last reboot), operating system details, and other general information about a Windows system?
PsInfo
Which tool lets you view process and thread statistics on a Windows system?
PsList
The Windows swap file is used to augment the __________.
RAM
What is the repository of all the information on a Windows system?
Registry
Marty is investigating the computer of a cyberstalking suspect. He wanted to check the suspect's browsing history in Microsoft Internet Explorer but it had already been erased. Where else can he look on the computer for browsing history information?
The index.dat file
What is meant by "slurred image"?
The result of acquiring a file as it is being updated
A virtual machine is a software program that appears to be a physical computer and executes programs as if it were a physical computer.
True
Alternate data streams are essentially a method of attaching one file to another file, using the NTFS file system.
True
Information about USB devices that have been connected to a Windows computer is stored in the Windows Registry.
True
Regarding the Windows boot process, the term power-on self test (POST) refers to a brief hardware test that the basic input/output system (BIOS) performs upon boot-up.
True
Some malware on Windows computers modifies the Windows Registry.
True
The Windows Applications and Services log stores events from a single application or component rather than events that might have system-wide impact.
True
The Windows swap file is also referred to as virtual memory.
True
The passphrase needed to connect to a Wi-Fi network on a Windows computer is stored in the Windows Registry.
True
Toolkits that collect volatile memory data rely on the underlying operating system, which is a drawback.
True
Userdump is a command-line tool for dumping basic user information from Windows-based systems.
True
When an individual connects to a wireless network, the service set identifier (SSID) is logged as a preferred network connection.
True
When dumping memory on a Windows computer, the forensic examiner may have to work with two types of memory: heap (h) and stack (S).
True
You can install 32-bit programs on a 64-bit system.
True
__________ is a live-system forensic technique in which you collect a memory dump and perform analysis in an isolated environment.
Volatile memory analysis
Maintaining __________ is a problem with live system forensics in which data is not acquired at a unified moment.
data consistency
The Windows Registry is organized into five sections referred to as __________.
hives
The Windows program that handles security and logon policies is __________.
lsass.exe
A Windows program that queries the computer for basic device or configuration data like time/date from CMOS, system bus types, ports, and so on is __________.
ntdetect.com
On a Windows computer, the __________ is a special place on the hard drive where items from memory can be temporarily stored for fast retrieval.
swap file