5 - Windows File Systems and Logging

Question 1

When was the FAT file system initially used?

Answer 1

The File Allocation Table (FAT) was initially used on PC operating systems such as MS-DOS and early versions of Windows.

Question 2

Name 3 advantages of the FAT file system.

Answer 2

1. It is simple
2. It is robust
3. It offers good performance, especially in embedded applications

Question 3

The FAT system is made up of four sectors.

Describe what the Boot Sector contains.

Answer 3

Boot Sector - Contains startup code.

Question 4

The FAT system is made up of four sectors.

Describe what the File Allocation Table contains.

Answer 4

File Allocation Table - This contains the data map. There are also multiple entries for redundancy.

Question 5

The FAT system is made up of four sectors.

Describe what the Root Directory contains.

Answer 5

Root Directory - Stores information about the files and directories which are located in the root directory.

Question 6

The FAT system is made up of four sectors.

Describe what the File Data Region contains.

Answer 6

File Data Region - The actual stored data.

Question 7

Name the 3 versions of FAT file systems.

Answer 7

1. FAT12
2. FAT16
3. FAT32

Question 8

What is the FAT file system named for?

Answer 8

The FAT file system is named for its method of organization, the file allocation table, which resides at the beginning of the volume.

Question 9

How many copies of the File Allocation Table are kept?

Answer 9

To protect the volume, two copies of the table are kept, in case one becomes damaged.

Question 10

The file allocation tables and the root folder must be stored in a fixed location.

[True/False]

Answer 10

TRUE.

Note: the file allocation tables and the root folder must be stored in a fixed location so that the files needed to start the system can be correctly located.

Question 11

What is NTFS an acronym for?

Answer 11

New Technology File System

Question 12

What is the maximum file size for FAT32?

Answer 12

4 GB

Question 13

What is the maximum file size for NTFS?

Answer 13

256 TB

Question 14

Name 4 improvements of the NTFS files system over its predecessors.

Answer 14

1. Sparse file support
2. Disk usage quotas
3. Hard links
4. File-level encryption

Question 15

What is the function of the Master File Table (MFT)?

Answer 15

The master file table (MFT) keeps track of all files, directories, and meta file data within the NTFS file system.

Question 16

The MFT is an index of all files on an NTFS volume.

[True / False]

Answer 16

True

Note: the MFT is an index of all files on an NTFS volume, containing information about the file name, its attributes, and the location of its sub-folders.

Question 17

What CLI command provides information on the Windows file system being used?

Answer 17

fsutil fsinfo volumeinfo C:

Question 18

What is the theoretical maximum hard drive size NTFS can support?

Answer 18

16 EB

Note: one Exabyte (EB) is equal to 1,000 Petabytes or one billion gigabytes (GB).

Question 19

State 5 advantages of using NTFS

Answer 19

1. Very large files
2. Different file permissions and encryption
3. Automatically restores consistency by using log file and checkpoint information
4. File compression when running out of disk space
5. Establishing disk quotas, limiting space users can use

Question 20

An MFT will have a minimum one record for every file and directory on the NTFS logical volume.

[TRUE / FALSE]

Answer 20

TRUE

Question 21

NTFS reserves the first 16 records of the table for __?

Answer 21

special information

Question 22

What does the first record of the MFT describe?

Answer 22

The first record of this table describes the master file table itself, followed by a MFT mirror record.

Question 23

If the first MFT record is corrupted, what does NTFS read?

Answer 23

NTFS reads the second record to find the MFT mirror file, whose first record is identical to the first record of the MFT.

Question 24

Where are the data segments for both the MFT and MFT mirror file recorded?

Answer 24

The boot section

Question 25

What are “Logs”?

Answer 25

Logs are records of events that happen in your computer, either by a person or by a running process.

Question 26

What can Logs help with?

Answer 26

Logs can help track what has happened and troubleshoot problems.

Question 27

What interface displays the Windows event logs?

Answer 27

the Windows Event Viewer

Question 28

What provides a standard, centralized way for applications (and the operating system) to record important software and hardware events?

Answer 28

Event logging

Question 29

What keeps track of all files, directories, and meta file data?

Answer 29

the MFT

Question 30

When was Windows Event Logging introduced?

Answer 30

Windows event logging was introduced in Windows NT operating system (version 3.1) in 1993.

Question 31

Name the 3 Windows logs that came in the first version of Windows event logging

Answer 31

1. Application event log
2. System event log
3. Security event log

Question 32

Modern versions of Windows come with more than a hundred types of Windows event logs.

[True / False]

Answer 32

True

Question 33

What does the Application log contain?

Answer 33

The Application log contains events logged by applications or programs.

Example - a database program might record a file error in the application log.

Question 34

What are Application logs commonly useful for?

Answer 34

Application logs are commonly useful for application support teams.

Question 35

What does the Security log contain?

Answer 35

The Security log contains events such as valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files or other objects.

Question 36

Can Administrators specify what events are recorded in the Security Log?

Answer 36

YES

For example, if an Admin has enabled logon auditing, attempts to log on to the system are recorded in the security log.

Question 37

What are Security logs essential for?

Answer 37

Security logs are essential for system and security administrators and forensic examiners.

Question 38

What do the System logs contain?

Answer 38

The System log contains events logged by Windows system components.

Example - the failure of a driver or other system component to load during startup is recorded in the system log.

Question 39

Who / what determines the event types logged by System logs?

Answer 39

The event types logged by system components are predetermined by Windows.

Question 40

Who depends greatly upon System Logs?

Answer 40

System logs are essential for system administrators and technicians.

Question 41

What can be determined using Log files?

Answer 41

By using log files, you are able to determine the causes of a certain error or security breaches.

This is because the log files record data concurrently with the activities of the information system.

Question 42

From a security point of view, what is the purpose of Logs?

Answer 42

From a security point of view, the purpose of a log is to act as a red flag when something bad is happening.

Question 43

Name the 5 breakdowns of log types.

Hint: Log types can be further broken down into….

Answer 43

1. Errors
2. Warnings
3. Information
4. Success audit
5. Failure audits

Question 44

What are the 4 main views of Event Viewer?

Answer 44

1. Custom Views
2. Windows Logs
3. Application
4. Services logs Subscriptions

Question 45

What does the “event level” of a Log denote?

Answer 45

All logs are assigned an event level. This event level denotes the severity or seriousness of any issues noted in the logs.

Question 46

What are the 5 Event Level categories?

Answer 46

1. Critical
2. Error
3. Warning
4. Information
5. Verbose

Question 47

What are 2 Event Level types associates only with the Security category?

Answer 47

1. Audit Success
2. Audit Failure

Question 48

What are the 5 most common Log categories?

Answer 48

1. Application
2. Security
3. Setup
4. System
5. Forward Events

Question 49

What does the “Forward Events” category of Logs do?

Answer 49

Forward Events - Logs from a remote server, forwarded to this server

Question 50

What does the “System” category of Logs do?

Answer 50

System - Logs linked to up-time, service status changes, and other messages generated by the operating system

Question 51

What does the “Setup” category of Logs do?

Answer 51

Setup - Logs associated with Windows install and updates

Question 52

What CLI command allows an Admin to look through Logs?

Answer 52

C:\Windows\System32\winevt\Logs

Question 53

Name the 5 main things to look for in Logs with Log Managers.

Answer 53

1. Password changes
2. Unauthorized logins
3. Login failures
4. New login events
5. Malware detection

Question 54

What is the Task Scheduler used for?

Answer 54

The Task Scheduler is a tool that allows predefined actions to be automatically executed whenever a certain set of conditions is met.

Question 55

When referring to Task Scheduler, what is a “Task”?

Answer 55

Task alludes to activity (or activities) taken because of trigger(s).

Question 56

Which log category is associated with Windows install and updates?

Answer 56

Setup

Question 57

On Windows 10, what is Task Scheduler typically used for?

Answer 57

Typically, the system and certain apps use the scheduler to automate maintenance tasks (such as disk de-fragmentation, disk cleanup, and updates).