5 - Windows File Systems and Logging Flashcards
When was the FAT file system initially used?
The File Allocation Table (FAT) was initially used on PC operating systems such as MS-DOS and early versions of Windows.
Name 3 advantages of the FAT file system.
- It is simple
- It is robust
- It offers good performance, especially in embedded applications
The FAT system is made up of four sectors.
Describe what the Boot Sector contains.
Boot Sector - Contains startup code.
The FAT system is made up of four sectors.
Describe what the File Allocation Table contains.
File Allocation Table - This contains the data map. There are also multiple entries for redundancy.
The FAT system is made up of four sectors.
Describe what the Root Directory contains.
Root Directory - Stores information about the files and directories which are located in the root directory.
The FAT system is made up of four sectors.
Describe what the File Data Region contains.
File Data Region - The actual stored data.
Name the 3 versions of FAT file systems.
- FAT12
- FAT16
- FAT32
What is the FAT file system named for?
The FAT file system is named for its method of organization, the file allocation table, which resides at the beginning of the volume.
How many copies of the File Allocation Table are kept?
To protect the volume, two copies of the table are kept, in case one becomes damaged.
The file allocation tables and the root folder must be stored in a fixed location.
[True/False]
TRUE.
Note: the file allocation tables and the root folder must be stored in a fixed location so that the files needed to start the system can be correctly located.
What is NTFS an acronym for?
New Technology File System
What is the maximum file size for FAT32?
4 GB
What is the maximum file size for NTFS?
256 TB
Name 4 improvements of the NTFS files system over its predecessors.
- Sparse file support
- Disk usage quotas
- Hard links
- File-level encryption
What is the function of the Master File Table (MFT)?
The master file table (MFT) keeps track of all files, directories, and meta file data within the NTFS file system.
The MFT is an index of all files on an NTFS volume.
[True / False]
True
Note: the MFT is an index of all files on an NTFS volume, containing information about the file name, its attributes, and the location of its sub-folders.
What CLI command provides information on the Windows file system being used?
fsutil fsinfo volumeinfo C:
What is the theoretical maximum hard drive size NTFS can support?
16 EB
Note: one Exabyte (EB) is equal to 1,000 Petabytes or one billion gigabytes (GB).
State 5 advantages of using NTFS
- Very large files
- Different file permissions and encryption
- Automatically restores consistency by using log file and checkpoint information
- File compression when running out of disk space
- Establishing disk quotas, limiting space users can use
An MFT will have a minimum one record for every file and directory on the NTFS logical volume.
[TRUE / FALSE]
TRUE
NTFS reserves the first 16 records of the table for __?
special information
What does the first record of the MFT describe?
The first record of this table describes the master file table itself, followed by a MFT mirror record.
If the first MFT record is corrupted, what does NTFS read?
NTFS reads the second record to find the MFT mirror file, whose first record is identical to the first record of the MFT.
Where are the data segments for both the MFT and MFT mirror file recorded?
The boot section
What are “Logs”?
Logs are records of events that happen in your computer, either by a person or by a running process.
What can Logs help with?
Logs can help track what has happened and troubleshoot problems.
What interface displays the Windows event logs?
the Windows Event Viewer
What provides a standard, centralized way for applications (and the operating system) to record important software and hardware events?
Event logging
What keeps track of all files, directories, and meta file data?
the MFT
When was Windows Event Logging introduced?
Windows event logging was introduced in Windows NT operating system (version 3.1) in 1993.
Name the 3 Windows logs that came in the first version of Windows event logging
- Application event log
- System event log
- Security event log
Modern versions of Windows come with more than a hundred types of Windows event logs.
[True / False]
True
What does the Application log contain?
The Application log contains events logged by applications or programs.
Example - a database program might record a file error in the application log.
What are Application logs commonly useful for?
Application logs are commonly useful for application support teams.
What does the Security log contain?
The Security log contains events such as valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files or other objects.
Can Administrators specify what events are recorded in the Security Log?
YES
For example, if an Admin has enabled logon auditing, attempts to log on to the system are recorded in the security log.
What are Security logs essential for?
Security logs are essential for system and security administrators and forensic examiners.
What do the System logs contain?
The System log contains events logged by Windows system components.
Example - the failure of a driver or other system component to load during startup is recorded in the system log.
Who / what determines the event types logged by System logs?
The event types logged by system components are predetermined by Windows.
Who depends greatly upon System Logs?
System logs are essential for system administrators and technicians.
What can be determined using Log files?
By using log files, you are able to determine the causes of a certain error or security breaches.
This is because the log files record data concurrently with the activities of the information system.
From a security point of view, what is the purpose of Logs?
From a security point of view, the purpose of a log is to act as a red flag when something bad is happening.
Name the 5 breakdowns of log types.
Hint: Log types can be further broken down into….
- Errors
- Warnings
- Information
- Success audit
- Failure audits
What are the 4 main views of Event Viewer?
- Custom Views
- Windows Logs
- Application
- Services logs Subscriptions
What does the “event level” of a Log denote?
All logs are assigned an event level. This event level denotes the severity or seriousness of any issues noted in the logs.
What are the 5 Event Level categories?
- Critical
- Error
- Warning
- Information
- Verbose
What are 2 Event Level types associates only with the Security category?
- Audit Success
- Audit Failure
What are the 5 most common Log categories?
- Application
- Security
- Setup
- System
- Forward Events
What does the “Forward Events” category of Logs do?
Forward Events - Logs from a remote server, forwarded to this server
What does the “System” category of Logs do?
System - Logs linked to up-time, service status changes, and other messages generated by the operating system
What does the “Setup” category of Logs do?
Setup - Logs associated with Windows install and updates
What CLI command allows an Admin to look through Logs?
C:\Windows\System32\winevt\Logs
Name the 5 main things to look for in Logs with Log Managers.
- Password changes
- Unauthorized logins
- Login failures
- New login events
- Malware detection
What is the Task Scheduler used for?
The Task Scheduler is a tool that allows predefined actions to be automatically executed whenever a certain set of conditions is met.
When referring to Task Scheduler, what is a “Task”?
Task alludes to activity (or activities) taken because of trigger(s).
Which log category is associated with Windows install and updates?
Setup
On Windows 10, what is Task Scheduler typically used for?
Typically, the system and certain apps use the scheduler to automate maintenance tasks (such as disk de-fragmentation, disk cleanup, and updates).
