Chapter 5 Flashcards

1
Q

CLI

A

Command line interface

2
Q

COMPTIA

A

Computer Technology Industry Association

3
Q

A _____ gives an OS a road map to data on a disk.

A

file system

4
Q

To understand the boot sequence for phones and tablets, it is best to _____

A

review the vendor’s documentation.

5
Q

CMOS

A

Complementary Metal Oxide Semiconductor

6
Q

EFI

A

Extensible Firmware Interface

7
Q

UEFI

A

Unified Extensible Firmware Interface

8
Q

A computer stores system config and date/time info in the ____ when power to the system is off.

A

CMOS

9
Q

The system ____ or ____ contains programs that perform input and output at the hardware level.

A

BIOS or EFI

10
Q

____ is designed for x86 computers and typically used on disk drives with master boot record (MBR).

A

BIOS

11
Q

____ is designed for x64 computers and uses GUID Partition Table (GPT).

A

EFI

12
Q

MBR

A

Master Boot Record

13
Q

GPT

A

GUID Partition Table

14
Q

In an effort to reduce the relationship with firmware, Intel developed ____ which defines the interface between a computer’s firmware and the OS.

A

UEFI

15
Q

The bootstrap process is contained in ______.

A

ROM

16
Q

You can unhook _____ to force the system to tell you what keys to use to access the CMOS in the bootstrap process.

A

the keyboard

17
Q

The key you press to access CMOS depends on _____.

A

the computer’s BIOS

18
Q

What keys and key combinations can be used to access the CMOS?

A
  1. Delete key
  2. Ctrl Alt Insert
  3. Ctrl A
  4. Ctrl S
  5. Ctrl F1
  6. Ctrl F2
  7. Ctrl F10
19
Q

A safe method to verify the BIOS date and time without accidentally accessing a disk drive on boot up.

A

Remove all hard drives from the computer and then power it on.

20
Q

Refers to a disk’s logical structure of platters, tracks, and sectors.

A

Geometry

21
Q

The device that reads and writes data to a drive. There are two per platter that read and write the top and bottom sides.

A

Head

22
Q

Concentric circles on a disk platter where data is located.

A

tracks

23
Q

A column of tracks on two or more disk platters. Usually each platter has two surfaces: top and bottom. Stacked up.

A

Cylinder

24
Q

A section on a track usually made up of 512 bytes, wedge shaped.

A

Sector

25
Typical disk drive storage per sector
512 bytes
26
Advanced format disk drive storage per sector
4096 bytes
27
CHS
cylinder, head, and sector calculation
28
CHS calculation
A way to determine the total number of addressable bytes on a disk: multiply the number of cylinders by the number of heads (actually the tracks) and by the number of sectors (groups of 512 bytes).
29
Tracks start with what number?
0
30
ZBR
Zone bit recording, how most manufacturers deal with a platter's inner tracks having a smaller circumference and therefore less space to store data than in the outer tracks.
31
The space between each track
Track density
32
Refers to the number of bits in one square inch of a disk platter.
Areal density
33
Used to improve disk performance...
head and cylinder skew
34
A feature all flash memory devices have
wear-leveling
35
Wear leveling purpose:
to make sure all memory cells on a flash drive wear evenly
36
When data is deleted on a hard drive, only the _____ are removed.
reference, which leaves the original/deleted data in unallocated disk space
37
firmware file that contains a list of all the old memory cell addresses in a flash drive
garbage collector
38
When dealing with _______ drives, making a full forensic copy as soon as possible is crucial in case data needs to be recovered from unallocated disk space.
solid-state drives
39
Storage allocation units of one or more sectors
clusters
40
FAT
file allocation table
41
NTFS
NT File System
42
Cluster size range
512 bytes to 32,000 bytes
43
Clusters start at ____ in NTFS
0
44
Clusters start at ____ in FAT
2
45
The first sector of all disks contains 3 things
1. system area 2. boot record 3. a file structure database
46
cluster numbers are referred to as
logical address
47
sector numbers are referred to as
physical addresses
48
a logical drive
partition
49
Windows OSs can have ___ primary partitions followed by an extended partition that can contain one or more logical drives.
3
50
large unused gaps between partitions on a disk drive
voids
51
unused space between partitions
partition gaps
52
Two ways to hide data on a disk
1. create a partition, add data to it, remove references to it. 2. declare a smaller number of bytes than the actual drive size (and hide data at the end of it).
53
A way to examine a partition's physical level
1. use a disk editor
54
WinHex is a ....
hexadecimal editor
55
FAT
File allocation table, the file structure MS designed for floppy disks.
56
3 current versions of FAT
1. FAT16 2. FAT32 3. exFAT (used by Xbox)
57
3 older versions of FAT
1. FATX 2. virtual FAT (VFAT) 3. FAT12
58
limitations of MS DOS 6.22 FAT version
1. 8 characters for filenames | 2. 3 characters for extensions
59
drive slack
composed of the unused space in a cluster between the end of an active file's content and the end of the cluster
60
The partition table is in the ______
MBR (master boot record)
61
The partition table is located at sector ____ of the disk drive.
0
62
What kind of editor is WinHex?
a hexadecimal editor
63
Where would you find the first partition starting at in WinHex?
0x1BE
64
Where would you find the second partition starting at in WinHex?
0x1CE
65
Where would you find the third partition starting at in WinHex?
0x1DE
66
The C drive displays .R.NTFS in the file system field if the partition is formatted as a _____ drive.
NTFS
67
The C drive displays MSDOS5.0 or MSWIN4.1 in the file system field if the partition is formatted as a ___ drive.
FAT
68
In WinHex, what file format do the extensions BM6, BM, or BMF indicate?
bitmap file images
69
What does WinHex show for a BM file signature for bitmap image files?
42 4D
70
PK or OOXML first two characters in hex for MS Office 2007 or later...
a compressed file
71
Depending on the hexadecimal editor, hex values can be grouped in sets of two or four digits. True or False?
True
72
FAT
File allocation table, which is the file structure database that MS designed for floppy disks.
73
Other OSs like Linux and Macintosh can format, read and write to FAT storage devices such as USB devices and SD cards. True or False?
True
74
EOF
end of file
75
With FAT___, users discovered they had a lot of extra free disk space because files wasted less space than FAT16 did.
FAT32
76
Which tool can allow you to view cluster-chaining sequence and see how FAT addresses linking clusters to one another?
ProDiscover
77
What does the OS insert in the filename's first-letter position when a file is deleted?
HEX E5
78
How does a FAT file system mark a file as deleted?
The HEX E5 character replaces the first letter of the file name and the FAT chain for the file is set to 0
79
unallocated disk space
also called free disk space
80
The main file system for Windows 8
NTFS, MS's move towards a journaling file system
81
HPFS
High Performance File System, the file system for the OS/2 operating system MS worked on for IBM. MS provided backwards compatibility for this system until Windows 2000 was released.
82
Why is the journaling feature helpful?
It records a transaction before the system carries it out, which can be helpful in a power failure or other interruption.
83
On an NTFS disk, the first data set is the ____
Partition Boot Sector
84
What comes immediately after the Partition Boot Sector on an NTFS disk
the Master File Table
85
The first file on an NTFS disk
MFT
86
Important advantage of NTFS over FAT
NTFS results in much less file slack space
87
records in the MFT
metadata
88
international data format
Unicode
89
ASCII
American Standard Code for Information Interchange
90
For Western language alphabet characters, UTF-8 is identical to ASCII. True or False?
True
91
In the MFT the first ___ records are reserved for system files.
15
92
In the NTFS MFT, all files and folders are stored in separate records of ___ bytes.
1024
93
A record field is referred to as an _____
Attribute ID
94
File or folder info is typically stored in two ways in an MFT record:
1. resident | 2. non-resident
95
Characteristics of resident MFT files
1. very small, 512 bytes or less | 2. all file metadata and data stored in the MFT record
96
Characteristics of non-resident MFT files
1. stored outside of the MFT if over 512 bytes | 2. the MFT record provides the cluster addresses where the file is stored on the drive's partition
97
cluster addresses of larger non-resident files
data runs
98
The first 4 bytes for all MFT records are ____
FILE
99
where first attribute ID starts
typically at offset 0x14 from beginning of the record
100
Attribute ID 0x10
$Standard Information (creation dates, reads, alterations, DOS file permissions)
101
Attribute ID 0x20
$Attribute List (attributes that don't fit in the MFT, or non-resident attributes)
102
Attribute ID 0x30
$File.Name (long and short names)
103
Attribute ID 0x40
$Object.ID (ownership and rights/permissions)
104
Attribute ID 0x50
$Security Descriptors (Access control list for the file)
105
Attribute ID 0x60
$Volume Name, not all files need.
106
Attribute ID 0x70
$Volume.Information (version and state of volume)
107
Attribute ID 0x80
$Data (file data for resident files or data runs for nonresident files)
108
Attribute ID 0x90
$Index.Root (use of folders and indexes)
109
Attribute ID 0xA0
$Index.Allocation (use of folders and indexes also)
110
Attribute ID 0xB0
$Bitmap (A bitmap indicating cluster status, such as which are in use and which are available)
111
Attribute ID 0xC0
$Reparse.Point (field used for volume mount points and Installable File System filter drivers)
112
Attribute ID 0xD0
$EA.Information (for use with OS/2 HPFS)
113
Attribute ID 0xE0
For use with OS/2 HPFS
114
Attribute ID 0x100
$Logged.Utility_Stream (field used by Encrypting File System in Windows 2000 and later)
115
LCNs
Logical Cluster Numbers
116
VCN
Virtual Cluster Number
117
Hexadecimal value 400 is displayed as
00 04 00 00 and the number 0x40000 is displayed as 00 00 04 00
118
The first section of an MFT record
the header
119
The header in an MFT record ___
defines the size and starting position of the first attribute
120
MFT Header Field at Offset 0x00
The MFT record identifier FILE; the letter F is at offset 0
121
MFT Header Field at Offset 0x1C to 0x1F
Size of the MFT record; the default is 0x400 (1024) bytes, or two sectors
122
MFT Header Field at Offset 0x14
Length of the header, which indicates where the next attribute starts; typically at 0x38 bytes
123
MFT Header Field at Offset 0x32 and 0x33
The update sequence array, which stores the last 2 bytes of the first sector of the MFT record. Used only when MFT data exceeds 512 bytes. Used as a checksum for record integrity validation.
124
Most important offset locations for the 0x30 File Name attribute:
1. offset 0x20 to 0x27 (file's creation date/time, stored in Win32 format) 2. offset 0x28 to 0x2F (last modified date and time for the file) 3. offset 0x30 to 0x37 (last access date and time) 4. offset 0x38 to 0x3F (record update date and time)
125
Which attribute depends on the Windows version to be listed in the MFT?
0x40 Object_ID
126
ways data can be appended to existing files
alternate data streams
127
The only way you can tell whether a file has an alternate data stream attached is by ______
examining the file's MFT record entry
128
With FAT16 you can compress ____
only a volume
129
With NTFS you can compress ____
files, folders, and entire volumes
130
LZH algorithm
Lempel-Ziv-Huffman algorithm, data compression
131
3 types of zip files
PKZip, WinZip, GNUzip
132
3rd party compression format file extension
.rar
133
3rd party compressed files need to be ___
uncompressed with the utility that created them. Most forensics tools will struggle with 3rd party compression files
134
EFS
Encryption File System, MS introduced in Windows 2000
135
EFS uses what kind of keys?
public and private keys
136
What is the purpose of the recovery certificate?
Provides a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key.
137
Where is the EFS recovery certificate stored?
In the Windows administrator account
138
What 2 ways can Windows admins recover a key?
1. through Windows | 2. through an MS-DOS command prompt
139
What are the 3 commands available through the MS-DOS command prompt?
1. cipher 2. copy (works in FAT and NTFS) 3. efsrecvr (used to decrypt EFS files)
140
/switch
Additional cipher command in Vista Business Edition or later that overwrites all deleted files, making them impossible to recover with data recovery or forensics carving tools.
141
2 methods of deleting a file
1. OS renames it and moves it to the recycle bin | 2. del in MS-DOS command (removes it from the MFT listing the same way FAT does)
142
control file for the Recycle Bin
Info2 file
143
What does the Info2 file contain?
1. ASCII data 2. unicode data 3. date/time of deletion
144
Windows Server 2012 new file system
Resilient File System
145
ReFS
Resilient File System
146
Purpose of ReFS
to handle very large data storage needs, such as the cloud
147
Features of ReFS
1. max data availability 2. improved data integrity 3. designed for scalability 4. not intended for boot drive, for data storage only
148
Sort method used by ReFS
B+ tree | "allocate-on-write" that copies updates of data files to new locations (similar to shadow paging)
149
PII
personal identity information
150
Any info a company keeps confidential
trade secrets