Chapter 5

Question 1

CLI

Answer 1

Command line interface

Question 2

COMPTIA

Answer 2

Computer Technology Industry Association

Question 3

A _____ gives an OS a road map to data on a disk.

Answer 3

file system

Question 4

To understand the boot sequence for phones and tablets, it is best to _____

Answer 4

review the vendor’s documentation.

Question 5

CMOS

Answer 5

Complementary Metal Oxide Semiconductor

Question 6

EFI

Answer 6

Extensible Firmware Interface

Question 7

UEFI

Answer 7

Unified Extensible Firmware Interface

Question 8

A computer stores system config and date/time info in the ____ when power to the system if off.

Answer 8

CMOS

Question 9

The system ____ or ____ contains programs that perform input and output at the hardware level.

Answer 9

BIOS or EFI

Question 10

____ is designed for x86 computers and typically used on disk drives with master boot record (MBR).

Answer 10

BIOS

Question 11

____ is designed for x64 computers and uses GUID Partition Table (GPT).

Answer 11

EFI

Question 12

MBR

Answer 12

Master Boot Record

Question 13

GPT

Answer 13

GUID Partition Table

Question 14

In an effort to reduce the relationship with firmware, Intel developed ____ which defines the interface between a computer’s firmware and the OS.

Answer 14

UEFI

Question 15

The bootstrap process is contained in ______.

Answer 15

ROM

Question 16

You can unhook _____ to force the system to tell you what keys to use to access the CMOS in the bootstrap process.

Answer 16

the keyboard

Question 17

The key you press to access CMOS depends on _____.

Answer 17

the computer’s BIOS

Question 18

What are keys and combos that can access the CMOS with?

Answer 18

1. Delete key
2. Ctrl Alt Insert
3. Ctrl A
4. Ctrl S
5. Ctrl F1
6. Ctrl F2
7. Ctrl F10

Question 19

A safe method to verify the BIOS date and time with accidentally accessing a disk drive on boot up.

Answer 19

Removing all hard drives from the computer and then power on.

Question 20

Refers to a disk’s logical structure of platters, tracks, and sectors.

Answer 20

Geometry

Question 21

The device that reads and writes data to a drive. There are two per platter that read and write the top and bottom sides.

Answer 21

Head

Question 22

Concentric circles on a disk platter where data is located.

Answer 22

tracks

Question 23

A column of tracks on two or more disk platters. Usually each platter has two surfaces: top and bottom. Stacked up.

Answer 23

Cylinder

Question 24

A section on a track usually made up of 512 bytes, wedge shaped.

Answer 24

Sector

Question 25

Typical disk drive storage per sector

Answer 25

512 bytes

Question 26

Advanced format disk drive storage per sector

Answer 26

4096 bytes

Question 27

CHS

Answer 27

cylinder, head, and sector calculation

Question 28

CHS calculation

Answer 28

A way to determine the total number of addressable bytes on a disk, multiply the number of cylinders by the number of heads (actually the tracks) and by the number of sectors (groups of 512 bytes).

Question 29

Tracks start with what number?

Answer 29

0

Question 30

ZBR

Answer 30

Zone bit recording, how most manufacturers deal with a platter’s inner tracks having a smaller circumference and therefore less space to store data than in the outer tracks.

Question 31

The space between each track

Answer 31

Track density

Question 32

Refers to the number of bits in one square inch of a disk platter.

Answer 32

Areal density

Question 33

Used to improve disk performance…

Answer 33

head and cylinder skew

Question 34

A feature all flash memory devices have

Answer 34

wear-leveling

Question 35

Wear leveling purpose:

Answer 35

to make sure all memory cells on a flash drive wear evenly

Question 36

When data is deleted on a hard drive, only the _____ are removed.

Answer 36

reference, which leaves the original/deleted data in unallocated disk space

Question 37

firmware file that contains a list of all the old memory cell addresses in a flash drive

Answer 37

garbage collector

Question 38

When dealing with _______ drives, making a full forensic copy as soon as possible is crucial in case data needs to be recovered from unallocated disk space.

Answer 38

solid-state drives

Question 39

Storage allocation units of one or more sectors

Answer 39

clusters

Question 40

FAT

Answer 40

file allocation table

Question 41

NTFS

Answer 41

NT File System

Question 42

Cluster size range

Answer 42

512 bytes to 32,000 bytes

Question 43

Clusters start at ____ in NTFS

Answer 43

0

Question 44

Clusters start at ____ in FAT

Answer 44

2

Question 45

The first sector of all disks contains 3 things

Answer 45

1. system area
2. boot record
3. a file structure database

Question 46

cluster numbers are referred to as

Answer 46

logical address

Question 47

sector numbers are referred to as

Answer 47

physical addresses

Question 48

a logical drive

Answer 48

partition

Question 49

Windows OSs can have ___ primary partitions followed by an extended partition that can contain one or more logical drives.

Answer 49

3

Question 50

large unused gaps between partitions on a disk drive

Answer 50

voids

Question 51

unused space between partitions

Answer 51

partition gaps

Question 52

Two ways to hide data on a disk

Answer 52

1. create a partition, add data to it, remove references to it.
2. declare a smaller number of bytes than the actual drive size is (and hide data at the end of it).

Question 53

A way to examine a partition’s physical level

Answer 53

1. use a disk editor

Question 54

WinHex is a ….

Answer 54

hexadecimal editor

Question 55

FAT

Answer 55

File allocation table, the file structure MS designed for floppy disks.

Question 56

3 current versions of FAT

Answer 56

1. FAT16
2. FAT32
3. exFAT (used by Xbox)

Question 57

3 older versions of FAT

Answer 57

1. FATX
2. virtual FAT (VFAT)
3. FAT12

Question 58

limitations of MS DOS 6.22 FAT version

Answer 58

1. 8 characters for filenames

2. 3 characters for extensions

Question 59

drive slack

Answer 59

composed of the unused space in a cluster between the end of an active file’s content and the end of the cluster

Question 60

The partition table is in the ______

Answer 60

MBR (master boot record)

Question 61

The partition table is located at sector ____ of the disk drive.

Answer 61

0

Question 62

What kind of editor is WinHex?

Answer 62

a hexadecimal editor

Question 63

Where would you find the first partition starting at in WinHex?

Answer 63

0x1BE

Question 64

Where would you find the second partition starting at in WinHex?

Answer 64

0x1CE

Question 65

Where would find the third partition starting at in WinHex?

Answer 65

0x1DE

Question 66

If the c drive displays .R.NTFS in the file system field if the partition is formatted as a _____ drive.

Answer 66

NTFS

Question 67

The c drive displays MSDOS5.0 or MSWIN4.1 in the file system field if the partition is formatted as a ___ drive.

Answer 67

FAT

Question 68

What file format are these extensions for in WinHex? BM6, BM, or BMF?

Answer 68

bitmap file images

Question 69

What does WinHex show for a BM file signature for bitmap image files?

Answer 69

42 4D

Question 70

PK or OOXML first two characters in hex for MS Office 2007 or later…

Answer 70

a compressed file

Question 71

Depending on the hexadecimal editor, hex values can be grouped in sets of two or four digits. True of False?

Answer 71

True

Question 72

FAT

Answer 72

File allocation table which is the file structure database that MS desgined for floppy disks.

Question 73

Other OSs like Linux and Macintosh can format, read and write to FAT storage devices such as USB devices and SD cards. True or False?

Answer 73

True

Question 74

EOF

Answer 74

end of file

Question 75

With FAT___, users discovered they had a lot of extra free disk space because files wasted less space than FAT16 did.

Answer 75

FAT32

Question 76

Which tool can allow you to view cluster-chaining sequence and see how FAT addresses linking clusters to one another?

Answer 76

ProDiscover

Question 77

What does the OS insert in the filenames first letter position when a file is deleted?

Answer 77

HEX E5

Question 78

How does a FAT file system mark a file as deleted?

Answer 78

The HEX E5 character replaces the first letter of the file name and the FAT chain for the file is set to 0

Question 79

unallocated disk space

Answer 79

also called free disk space

Question 80

The main file system for Windows 8

Answer 80

NTFS, MS’s move towards a journaling file system

Question 81

HPFS

Answer 81

High Performance File System, the file system for OS.2 operating system MS worked on for IBM. MS provided backwards compatibilty for this system until Windows 2000 was released.

Question 82

Why is the journaling feature helpful?

Answer 82

It records a transaction before the system carries it out, which can be helpful in a power failure or other interruption.

Question 83

On an NTFS disk, the first data set is the ____

Answer 83

Partition Boot Sector

Question 84

What comes immediately after the Partition Boot Sector on an NTFS disk

Answer 84

the Master File Table

Question 85

The first file on an NTFS disk

Answer 85

MFT

Question 86

Important advantage of NTFS over FAT

Answer 86

NTFS results in much less file slack space

Question 87

records in the MFT

Answer 87

metadata

Question 88

international data format

Answer 88

Unicode

Question 89

ASCII

Answer 89

American Standard Code for Information Interchange

Question 90

For Western language alphabet characters, UTF-8 is identical to ASCII. True or False?

Answer 90

True

Question 91

In the MFT the first ___ records are reserved for system files.

Answer 91

15

Question 92

In the NTFS MFT, all files and folders are stored in separate records of ___ bytes.

Answer 92

1024

Question 93

A record field is referred to as an _____

Answer 93

Attribute ID

Question 94

File or folder info is typically stored in two ways in an MFT record:

Answer 94

1. resident

2. non-resident

Question 95

Resident MFT files metadata characteristics

Answer 95

1. very small, 512 bytes or less

2. all file metadata and data stored in the MFT record

Question 96

non-resident MFT files characteristics

Answer 96

1. stored outside of the MFT if over 512 bytes

2. MFT records provides cluster addresses where the file is stored on the drive’s partition

Question 97

cluster addresses of larger non-resident files

Answer 97

data runs

Question 98

The first 4 bytes for all MFT records are ____

Answer 98

FILE

Question 99

where first attribute ID starts

Answer 99

typically at offset 0x14 from beginning of the record

Question 100

Attribute ID 0x10

Answer 100

$Standard Information (creation dates, read, alternations, DOS file permissions)

Question 101

Attribute ID 0x20

Answer 101

$Attribute List (attributes that don’t fit in the MFT, or non-resident attributes)

Question 102

Attribute ID 0x30

Answer 102

$File.Name (long and short names)

Question 103

Attribute ID 0x40

Answer 103

$Object.ID (ownership and rights/permissions)

Question 104

Attribute ID 0x50

Answer 104

$Security Descriptors (Access control list for the file)

Question 105

Attribute ID 0x60

Answer 105

$Volume Name, not all files need.

Question 106

Attribute ID 0x70

Answer 106

$Volume.Information (version and state of volume)

Question 107

Attribute ID 0x80

Answer 107

$Data (file data for resident files or data runs for nonresident files)

Question 108

Attribute ID 0x90

Answer 108

$Index.Root (use of folders and indexes)

Question 109

Attribute ID 0xA0

Answer 109

$Index.Allocation (use of folders and indexes also)

Question 110

Attribute ID 0xB0

Answer 110

$Bitmap (A bitmap indicating cluster status, such as which are in use and which are available)

Question 111

Attribute ID 0xC0

Answer 111

$Reparse.Point (field used for volume mount points and Installable File System filter drivers)

Question 112

Attribute ID 0xD0

Answer 112

$EA.Information (For use with OS/2 HPFS

Question 113

Attribute ID 0xE0

Answer 113

For use with OS/2 HPFS

Question 114

Attribute ID 0x100

Answer 114

$Logged.Utility_Stream (field used by Encrypting File System in Windows 2000 and later)

Question 115

LCNs

Answer 115

Logical Cluster Numbers

Question 116

VCN

Answer 116

Virtual Cluster Number

Question 117

Hexadecimal value 400 is displayed as

Answer 117

00 04 00 00 and the number 0x40000 is displayed as 00 00 04 00

Question 118

The first section of an MFT record

Answer 118

the header

Question 119

The header in an MFT record ___

Answer 119

defines the size and starting position of the first attribute

Question 120

MFT Header Field at Offset 0x00

Answer 120

The MFT record identifier FILE; the letter F is at offset 0

Question 121

MFT Header Field at Offset 0x1C to 0x1F

Answer 121

Size of the MFT record; the default is 0x400 (1024) bytes, or two sectors

Question 122

MFT Header Field at Offset 0x14

Answer 122

Length of the header, which indicates where the next attribute starts; typically at 0x38 bytes

Question 123

MFT Header Field at Offset 0x32 and 0x33

Answer 123

The updates sequence array, which stores the last 2 bytes of the first sector of the MFT record. Used only when MFT data exceeds 512 bytes. Used as a checksum for record integrity validation.

Question 124

Most important offset locations for 0x30 FIle Name attribute:

Answer 124

1. offset 0x20 to 0x27 (file’s create data/time stored in WIn 32 format)
2. offset 0x28 to 0x2F (last modified date and time for the file.
3. offset 0x30 to 0x37 (last access date and time)
4. offset 0x38 to 0x3F (record update date and time)

Question 125

Which attribute depends on the Windows version to be listed in the MFT?

Answer 125

0x40 Object_ID

Question 126

ways data can be appended to existing files

Answer 126

alternate data streams

Question 127

The only way you can tell whether a file has an alternate data stream attached is by ______

Answer 127

examining the file’s MFT record entry

Question 128

With FAT16 you can compress ____

Answer 128

only a volume

Question 129

With NTFS you can compress ____

Answer 129

files, folders, and entire volumes

Question 130

LZH algorithmn

Answer 130

Lempel-Ziv-Huffman algorithm, data compression

Question 131

3 types of zip files

Answer 131

PKZip, WinZip, GNUzip

Question 132

3rd party compression format file extension

Answer 132

.rar

Question 133

3rd party compressed files need to be ___

Answer 133

uncompressed with the utility that created it. most forensics tools will struggle with 3rd party compression files

Question 134

EFS

Answer 134

Encryption File System, MS introduced in Windows 2000

Question 135

EFS uses what kind of keys?

Answer 135

public and private keys

Question 136

What is the purpose of the recovery certificate?

Answer 136

Provides a mechanism for recovering files encrypted with EFS if there’s a problem with the user’s original private key.

Question 137

Where is the EFS recovery certificate stored?

Answer 137

In the Windows administrator account

Question 138

What 2 ways can Windows admins recover a key?

Answer 138

1. through Windows

2. thru an MS-DOS command prompt

Question 139

What are the 3 commands available thru the MS-DOS command prompt?

Answer 139

1. cipher
2. copy (works in FAT and NTFS)
3. efsrecvr (used to decrypt EFS files)

Question 140

/switch

Answer 140

Additional cipher command in Vista Business Edition or later that overwrites all deleted files, making them impossible to recover with data recovery or forensics carving tools.

Question 141

2 methods of deleting a file

Answer 141

1. OS renames it and moves it to the recycle bin

2. del in MS-DOS command (removes it from the MFT listing the same way FAT does)

Question 142

control file for the Recycle Bin

Answer 142

Info2 file

Question 143

What does the Info2 file contain?

Answer 143

1. ASCII data
2. unicode data
3. date/time of deletion

Question 144

Windows Server 2012 new file system

Answer 144

Resilient File System

Question 145

ReFS

Answer 145

Resilient File System

Question 146

Purpose of ReFS

Answer 146

to handle very large data storage needs, such as the cloud

Question 147

Features of ReFS

Answer 147

1. max data availability
2. improved data integrity
3. designed for scalability
4. not intended for boot drive, for data storage only

Question 148

Sort method used by ReFS

Answer 148

B+- tree

“allocate-on-write” that copies updates of data files to new locations (similar to shadow paging)

Question 149

PII

Answer 149

personal identity information

Question 150

Any info a company keeps confidential

Answer 150

trade secrets