Cengage Chapter 5 - Working with Windows and CLI Systems

Question 1

Ways in which data can be appended to a file (intentionally or not) and potentially obscure evidentiary data. In NTFS, _______________________ become an additional file attribute.

Answer 1

alternate data streams

Question 2

An 8-bit coding scheme that assigns numeric values to up to 256 characters, including letters, numerals, punctuation marks, control characters, and other symbols.

Answer 2

American Standard Code for Information Interchange (ASCII)

Question 3

The number of bits per square inch of a disk platter.

Answer 3

areal density

Question 4

In NTFS, an MFT record field containing metadata about the file or folder and the file’s data or links to the file’s data.

Answer 4

attribute ID

Question 5

A file that specifies the Windows path installation and a variety of other startup options.

Answer 5

Boot.ini

Question 6

If a machine has multiple booting OSs, NTLDR reads this hidden file to determine the address (boot sector location) of each OS. See also NT Loader (Ntldr).

Answer 6

BootSect.dos

Question 7

Information stored in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.

Answer 7

bootstrap process

Question 8

Storage allocation units composed of groups of sectors. __________ are 512, 1024, 2048, or 4096 bytes each.

Answer 8

clusters

Question 9

A column of tracks on two or more disk platters.

Answer 9

cylinder

Question 10

Cluster addresses where files are stored on a drive’s partition outside the MFT record. __________ are used for nonresident MFT file records. A ___________ record field consists of three components; the first component defines the size in bytes needed to store the second and third components’ content.

Answer 10

data runs

Question 11

Files containing instructions for the OS for hardware devices, such as the keyboard, mouse, and video card.

Answer 11

device drivers

Question 12

Unused space in a cluster between the end of an active file and the end of the cluster. It can contain deleted files, deleted e-mail, or file fragments. Drive slack is made up of both file slack and RAM slack. See also file slack and RAM slack.

Answer 12

drive slack

Question 13

A public/ private key encryption first used in Windows 2000 on NTFS-formatted disks. The file is encrypted with a symmetric key, and then a public/private key is used to encrypt the symmetric key.

Answer 13

Encrypting File System (EFS)

Question 14

The original Microsoft file structure database. It’s written to the outermost track of a disk and contains information about each file stored on the drive. PCs use the FAT to organize files on a disk so that the OS can find the files it needs. The variations are FAT12, FAT16, FAT32, VFAT, and FATX.

Answer 14

File Allocation Table (FAT)

Question 15

The unused space created when a file is saved. If the allocated space is larger than the file, the remaining space is slack space and can contain passwords, logon IDs, file fragments, and deleted e-mails.

Answer 15

file slack

Question 16

The way files are stored on a disk; gives an OS a road map to data on a disk.

Answer 16

file system

Question 17

A disk drive’s internal organization of platters, tracks, and sectors.

Answer 17

geometry

Question 18

The Hardware Abstraction Layer dynamic link library allows the OS kernel to communicate with hardware.

Answer 18

Hal.dll

Question 19

The device that reads and writes data to a disk drive.

Answer 19

head

Question 20

A method manufacturers use to minimize lag time. The starting sectors of tracks are slightly offset from each other to move the read-write head.

Answer 20

head and cylinder skew

Question 21

The file system IBM uses for its OS/2 operating system.

Answer 21

High Performance File System (HPFS)

Question 22

In Windows NT through Vista, the control file for the Recycle Bin. It contains ASCII data, Unicode data, and date and time of deletion.

Answer 22

Info2 file

Question 23

A bootable file that can be copied to CD or DVD; typically used for installing operating systems. It can also be read by virtualization software when creating a virtual boot disk.

Answer 23

ISO image

Question 24

When files are saved, they are assigned to clusters, which the OS numbers sequentially starting at 2. ______________ point to relative cluster positions, using these assigned cluster numbers.

Answer 24

logical addresses

Question 25

The numbers sequentially assigned to each cluster when an NTFS disk partition is created and formatted. The first cluster on an NTFS partition starts at count 0. _____ become the addresses that allow the MFT to read and write data to the disk’s nonresident attribute area. See also data runs and virtual cluster number (VCN).

Answer 25

logical cluster numbers (LCNs)

Question 26

On Windows and DOS computers, this boot disk file contains information about partitions on a disk and their locations, size, and other important items.

Answer 26

Master Boot Record (MBR)

Question 27

NTFS uses this database to store and link to files. It contains information about access rights, date and time stamps, system attributes, and other information about files.

Answer 27

Master File Table (MFT)

Question 28

In NTFS, this term refers to information stored in the MFT. See also Master File Table (MFT).

Answer 28

metadata

Question 29

A device driver that allows the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS.

Answer 29

NTBootdd.sys

Question 30

A 16-bit program that identifies hardware components during startup and sends the information to Ntldr.

Answer 30

NTDetect.com

Question 31

A program in the root folder of the system partition that loads the OS. See also BootSect.dos.

Answer 31

NT File System (NTFS)

Question 32

A program in the root folder of the system partition that loads the OS. See also BootSect.dos.

Answer 32

NT Loader (Ntldr)

Question 33

The kernel for the Windows NT family of OSs.

Answer 33

Ntoskrnl.exe

Question 34

A password used to access special accounts or programs requiring a high level of security, such as a decryption utility for an encrypted drive. This passphrase can be used only once, and then it expires.

Answer 34

one-time passphrase

Question 35

At startup, data and instruction code are moved in and out of this file to optimize the amount of physical RAM available during startup.

Answer 35

Pagefile.sys

Question 36

A logical drive on a disk. It can be the entire disk or part of the disk.

Answer 36

partition

Question 37

The first data set of an NTFS disk. It starts at sector [0] of the disk drive and can expand up to 16 sectors.

Answer 37

Partition Boot Sector

Question 38

Unused space or void between the primary partition and the first logical partition.

Answer 38

partition gap

Question 39

Any information that can be used to create bank or credit card accounts, such as name, home address, Social Security number, and driver’s license number.

Answer 39

personal identity information (PII)

Question 40

The actual sectors in which files are located. Sectors reside at the hardware and firmware level.

Answer 40

physical addresses

Question 41

In encryption, the key used to decrypt the file. The file owner keeps the private key.

Answer 41

private key

Question 42

In encryption, the key used to encrypt a file; it’s held by a certificate authority, such as a global registry, network server, or company such as VeriSign.

Answer 42

public key

Question 43

The unused space between the end of the file (EOF) and the end of the last sector used by the active file in the cluster. Any data residing in RAM at the time the file is saved, such as logon IDs and passwords, can appear in this area, whether the information was saved or not. RAM slack is found mainly in older Microsoft OSs.

Answer 43

RAM slack

Question 44

A method NTFS uses so that a network administrator can recover encrypted files if the file’s user/creator loses the private key encryption code.

Answer 44

recovery certificate

Question 45

A Windows database containing information about hardware and software configurations, network connections, user preferences, setup information, and other critical information.

Answer 45

Registry

Question 46

A file system developed for Windows Server 2012. It allows increased scalability for disk storage and has improved features for data recovery and error checking.

Answer 46

Resilient File System (ReFS)

Question 47

A section on a track, typically made up of 512 bytes.

Answer 47

sector

Question 48

The space between tracks on a disk. The smaller the space between tracks, the more tracks on a disk. Older drives with wider track densities allowed the heads to wander.

Answer 48

track density

Question 49

Concentric circles on a disk platter where data is stored.

Answer 49

tracks

Question 50

Partition disk space that isn’t allocated to a file. This space might contain data from files that have been deleted previously.

Answer 50

unallocated disk space

Question 51

A character code representation that’s replacing ASCII. It’s capable of representing more than 64,000 characters and non-European-based languages.

Answer 51

Unicode

Question 52

One of three formats Unicode uses to translate languages for digital representation.

Answer 52

UTF-8 (Unicode Transformation Format)

Question 53

When a large file is saved in NTFS, it’s assigned a logical cluster number specifying a location on the partition. Large files are referred to as nonresident files. If the disk is highly fragmented, _____ are assigned and list the additional space needed to store the file. The LCN is a physical location on the NTFS partition; _____ are the offset from the previous LCN data run. See also data runs and logical cluster numbers (LCNs).

Answer 53

virtual cluster number (VCN)

Question 54

A file representing a system’s hard drive that can be booted in a virtualization application and allows running a suspect’s computer in a virtual environment.

Answer 54

virtual hard disk (VHD)

Question 55

Emulated computer environments that simulate hardware and can be used for running OSs separate from the physical (host) computer. For example, a computer running Windows Vista could have a virtual Windows 98 OS, allowing the user to switch between OSs.

Answer 55

virtual machines

Question 56

An internal firmware feature used in solid-state drives that ensures even wear of read/writes for all memory cells.

Answer 56

wear-leveling

Question 57

The method most manufacturers use to deal with a platter’s inner tracks being shorter than the outer tracks. Grouping tracks by zones ensures that all tracks hold the same amount of data.

Answer 57

zone bit recording (ZBR)