Ch. 5

Question 1

Where are deleted items stored on Windows Vista and later versions of Windows?

Answer 1

Drive:$Recycle.Bin

Question 2

Where are deleted items stored on Windows 98 and earlier versions of Windows?

Answer 2

Drive:\RECYCLED

Question 3

Where are deleted items stored on the Windows 2000, XP, and NT versions of Windows?

Answer 3

Drive:\RECYCLER

Question 4

What is the maximum size limit for the Recycle Bin in Windows prior to Windows Vista?

Answer 4

3.99 GB

Question 5

Recover My Files Features:

Answer 5

• Recovers files even if emptied from Recycle Bin data
• Recovers files after accidental format, even after Windows is reinstalled
• Performs disk recovery after a hard disk crash
• Recovers files after a partitioning error
• Recovers data from RAW hard drives
• Recovers documents, photos, videos, music, and email
• Recovers from a hard drive, camera card, USB, Zip, floppy disk, or other media

Question 6

What tool is used for format recovery, unformatting and recovering deleted files emptied from the Recycle Bin, or data lost due to partition loss or damage, software crash, virus infection, or unexpected shutdown and supports hardware RAID?

Answer 6

EaseUS

Question 7

What tool undeletes and recovers lost files from hard drives, memory cards, and USB flash drives?

Answer 7

DiskDigger

Question 8

What tool recovers files that have been lost, deleted, corrupted, or even deteriorated?

Answer 8

Quick Recovery

Question 9

What tool recovers lost data from hard drives, RAID, photographs, deleted files, iPods, and removable disks connected via FireWire or USB?

Answer 9

Total Recall

Question 10

What tool scans an entire system for deleted files and folders and recovers them, providing two types of scans: a quick scan and a deep scan?

Answer 10

Advanced Disk Recovery

Question 11

What tool for Mac recovers files from a crashed or virus-corrupted hard drive and can recover all file types from any HFS/HFS+ formatted drive?

Answer 11

Data Rescue 4

Question 12

What anti-forensics technique is used to hide secret data within ordinary data, thereby hiding the existence of such data?

Answer 12

Steganography

Question 13

What is the process of applying a strong magnetic field to a storage device, resulting in a device entirely clean of any previously stored data?

Answer 13

Disk degaussing

Question 14

What process does not erase the data present on a disk but wipes its address tables and unlinks all the files in the file system?

Answer 14

Formatting of a hard drive

Question 15

What process involves erasing data from a disk by deleting its links to memory blocks and overwriting the memory contents?

Answer 15

Disk wiping

Question 16

What password-cracking technique requires more processing power compared to other attacks?

Answer 16

Brute-forcing attack

Question 17

What kind of attack is used when some information about the password is known?

Answer 17

Rule-based

Question 18

What is a precomputed table that contains word lists in the form of dictionary files and brute-force lists and their hash values?

Answer 18

Rainbow

Question 19

Methods to Bypass/Reset BIOS password

Answer 19

• Using a manufacturer’s backdoor password to access the BIOS
• Using password cracking software
• Resetting the CMOS using jumpers or solder beads
• Removing the CMOS battery for at least 10 minutes

Question 20

What is a set of techniques that attackers use in order to avert the forensics investigation process and negatively affect the quantity and quality of evidence?

Answer 20

Anti-forensics

Question 21

In the File Allocation Table (FAT) file system, what does the OS replace the first letter of a deleted file name with a hex byte code of?

Answer 21

E5h

Question 22

What is the master database file that is crucial for the recovery of data and contains various details of deleted files such as their original file name, original file size, date and time of deletion, unique identifying number, and the drive number in which the file was stored?

Answer 22

INFO2

Question 23

What method do attackers use to hide malicious data within hidden areas of a system’s hard drive or within other files?

Answer 23

Hiding data in file system structures

Question 24

What method do attackers use to confuse or deceive forensic investigators by tampering with logs, modifying file headers, and changing timestamps?

Answer 24

Trail obfuscation

Question 25

In what method do attackers modify the file extension of malicious program files so that such files can go undetected on a system and steal sensitive user data?

Answer 25

File extension mismatch

Question 26

What anti-forensics technique uses a program to compress or encrypt executable programs in an effort to hide attack tools from being detected?

Answer 26

Program Packers

Question 27

Anti-forensics Techniques that Minimize Footprint

Answer 27

• Use of fake or stolen identities
• Running OSes from Live CDs/DVDs/USB
• Use of virtual machines
• Use of cloud services

Question 28

Anti-forensics Countermeasures

Answer 28

1. Train and educate the forensic investigators about anti-forensics
2. Validate the results of examination using multiple tools
3. Impose strict laws against illegal use of anti-forensics tools
4. Understand the anti-forensic techniques and their weaknesses
5. Use latest and updated CFTs and test them for vulnerabilities
6. Save data in secure location
7. Use intelligent decompression libraries to defend against compression bombs
8. Replace weak file heuristics with stronger ones

Question 29

What commands can be used to determine Windows logged-on users?

Answer 29

PsLoggedOn
LogonSessions
Net sessions

Question 30

What command is used to determine open files in Windows?

Answer 30

Net file

Question 31

What command is used to determine the NetBIOS name table cache in Windows?

Answer 31

Nbtstat

Question 32

What tool helps collect information about network connections operating in a Windows system?

Answer 32

Netstat

Question 33

What commands are used to determine running processes in Windows?

Answer 33

Tasklist
Listdlls
Pslist

Question 34

What is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples?

Answer 34

Volatility Framework

Question 35

The information about the system users is stored in which file for Windows?

Answer 35

SAM database file

Question 36

The value 0 associated with the registry entry EnablePrefetcher tells the system to use which prefetch?

Answer 36

Prefetching is disabled.

Question 37

What prefetch does value 1 from the registry entry EnablePrefetcher tell the system to use?

Answer 37

Application prefetching is enabled.

Question 38

What prefetch does value 2 from the registry entry EnablePrefetcher tell the system to use?

Answer 38

Boot prefetching is enabled.

Question 39

What prefetch does value 3 from the registry entry EnablePrefetcher tell the system to use?

Answer 39

Both application and boot prefetching are enabled.

Question 40

What tool enables you to retrieve information about event logs and publishers in Windows 10?

Answer 40

Wevtutil

Question 41

Intruders attempting to gain remote access to a system try to find the other systems connected to the network and visible to the compromised system. True/False

Answer 41

True

Question 42

________ command is used to display the network configuration of the NICs on the system.

Answer 42

ipconfig /all

Question 43

What are the unique identification numbers assigned to Windows user accounts for granting user access to particular resources?

Answer 43

Microsoft security ID

Question 44

In Windows Event Log File Internals, what file is used to store the Databases related to the system?

Answer 44

System.evtx

Question 45

Thumbnails of images remain on computers even after files are deleted. True/False

Answer 45

True

Question 46

In Windows, where is the default location of the spool folder located?

Answer 46

C:\Windows\System32\spool\PRINTERS

Question 47

What is the space generated between the end of a stored file and the end of the disk cluster called?

Answer 47

Slack space

Question 48

What Windows Registry hives are considered nonvolatile with respect to data persistence?

Answer 48

HKEY_LOCAL_MACHINE, HKEY_USERS

Question 49

By default, Windows XP and later create hidden administrative shares on a system. True/False

Answer 49

False. By default, Windows Vista, 7, 8.1, and 10 create hidden administrative shares on a system.

Question 50

When a USB device is plugged into a Windows machine, what in Windows receives the event and queries the device descriptor in the firmware for device information?

Answer 50

Plug and Play Manager

Question 51

What would not be found on a most recently used list?

Answer 51

Bookmarks. MRU list will contain recently visited web pages and opened documents.

Question 52

What does analyzing Shellbags not provide forensic investigators with information about?

Answer 52

Folders not opened from an external hard drive after the drive is unmounted.

Question 53

The CustomDestinations jump list is made of files that are created when a user pins a file or an application to a taskbar. True/False

Answer 53

True