Difficult notes for memorization Flashcards
BOOTMGFW
The GUID partition table (GPT) identifies a System Partition. The system partition contains the boot manager and the boot configuration data (BCD). Each Windows installation has a subfolder under \EFI\Microsoft\ that contains a BCD and BOOTMGFW.EFI.
BOOTMGR
During boot, the master boot record (MBR) identifies the boot sector for the partition marked as active. The boot sector loads the boot manager, which for Windows is BOOTMGR.EXE.
NTOSKRNL
The Windows boot manager loads the Windows boot loader WINLOAD.EXE stored in the system root folder on the boot partition. The process then loads the kernel (NTOSKRNL.EXE).
HAL
In a Windows system, the hardware abstraction layer (HAL.DLL) is loaded during the WINLOAD boot process.
POSIX
POSIX (Portable Operating System Interface) is a set of common interface standards designed to facilitate compatibility between different operating systems, including but not limited to Unix-like systems and Windows. Ensuring POSIX compliance allows a Windows system, using NTFS, to interact more seamlessly with a Linux system.
Indexing
Indexing compliance is a useful feature for managing and accessing data on a system, but it does not directly facilitate compatibility between different operating systems like POSIX compliance does.
Journaling
Journaling is an important feature for data integrity and reliability, but it is not related to compatibility between operating systems.
Snapshots
Like indexing and journaling, snapshot compliance helps in managing and protecting data, but does not contribute to the interoperability of different operating systems.
devmgmt.msc
The Device Manager (devmgmt.msc) console allows administrators to view, edit, and troubleshoot the properties of installed hardware, update drivers, and remove or disable devices.
diskmgmt.msc
The Disk Management (diskmgmt.msc) console displays a summary of any fixed and removable disks.
dfrgui.exe
The Defragment and Optimize Drives tool (dfrgui.exe) runs various operations to speed up the performance of hard disk drives (HDDs) and solid-state drives (SSDs).
lusrmgr.msc
The Local Users and Groups (lusrmgr.msc) console provides administrators with an advanced interface for creating, modifying, disabling, and deleting user accounts. This console is also useful for resetting the password for an account.
Duress
A duress alarm is triggered manually and could be implemented as a wireless pendant, concealed sensor or trigger, or call contact.
Circuit
A circuit-based alarm sounds when the circuit is opened or closed, depending on the type of alarm. This could be caused by a door opening or by a fence being cut.
Motion
A motion-based alarm is linked to a detector triggered by movement within a room or other area. The sensors in these detectors are either microwave radio reflection or passive infrared (PIR).
Proximity
Proximity alarms use radio frequency ID (RFID) tags and readers that can be used to track the movement of tagged objects within an area.
RAT
A remote access Trojan (RAT) is malware that, once installed, allows the threat actor to access the PC, upload/exfiltrate data files, and install additional malware tools.
Implicit Deny
Implicit deny means that unless there is a rule specifying that access should be granted, any request for access is denied.
Explicit Deny
Explicit deny means that a specific rule is created that denies any access to a system or service.
Windows subsystem for Linux (WSL)
Windows subsystem for Linux (WSL) allows the installation of a Linux distribution and the use of Linux applications.
autorun.inf
In legacy versions of Windows, an inserted disk (USB or optical) would automatically run commands defined in an autorun.inf file stored in the root of the drive.
Execution control
Execution control refers to logical security technologies designed to prevent malicious software from running on a host regardless of what the user account privileges allow.
Port Forwarding
Port forwarding means that the router takes a request from a host for a particular service and sends the request to another designated host.
Port Triggering
Port triggering is used with applications that require more than one port. When a firewall detects activity on outbound port A, it opens inbound access for the external IP address on port B for a set period.
Resistance
A resistor creates resistance. Resistance is the degree of opposition to the current caused by characteristics of the conductor and is measured in ohms.
Current
Electricity flows in a circuit. Current is the amount of charge flowing through a conductor, measured in amps (A or I).
Voltage
A circuit is made when conductors form a continuous path between the positive and negative terminals of a power source. Voltage is the potential difference between two points.
Watts
A watt is a measure of electrical power. Components such as power supplies and add-on cards are usually rated by how many watts are required or provided.
Port 3389
The Remote Desktop Protocol on a Windows workstation or server runs on TCP port 3389 by default but can be changed to another port.
Port 22
Secure Shell (SSH) is a remote access protocol, but it connects to a command interpreter rather than a desktop window manager. SSH uses TCP port 22 by default.
Port 5900
Virtual Network Computing (VNC) is a freeware product with similar functionality to the Remote Desktop Protocol (RDP). It works over TCP port 5900.
Port 443
Remote connection tools include TeamViewer and LogMeIn. Like Windows Quick Assist, these products are designed to work over HTTPS (TCP/443) across the internet.
Simultaneous Authentication of Equals mechanism
Simultaneous Authentication of Equals (SAE) in WPA3 replaces the 4-way handshake in WPA2. The 4-way handshake mechanism is vulnerable to manipulations that allow a threat actor to recover the key.
AES Galois Counter Mode Protocol mode
WPA3 replaces Advanced Encryption Standard Counter Mode with Cipher Block Chaining Message Authentication Code Protocol with the stronger AES Galois Counter Mode Protocol (GCMP) mode of operation.
Rivest Cipher 4 (RC4)
WPA2 uses the Advanced Encryption Standard (AES) cipher deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES replaces RC4 and CCMP replaces TKIP.
4-way handshake association
WPA2 uses a 4-way handshake to allow a station to associate with an access point, authenticate its credential, and exchange a key to use for data encryption.
Batch Script
A shell script written for the basic Windows CMD interpreter is often described as a batch script. A batch script would be the simplest way to create the script.
Powershell
Windows PowerShell (PS) combines a script language with hundreds of prebuilt modules called cmdlets that can access and change most components and features of Windows and Active Directory.
VBscript
VBScript is a scripting language based on Microsoft’s Visual Basic programming language. VBScript predates PowerShell.
Python
Python is a general-purpose scripting and programming language that can be used to develop both automation scripts and software apps. A Python project can either be run via an interpreter or compiled as a binary executable.
RADIUS
Remote Authentication Dial-in User Service (RADIUS) is one way of implementing the AAA server when configuring enterprise authentication. The firewall is configured as a client of the RADIUS server.
TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is a way of implementing AAA and is often used in authenticating administrative access to routers and switches.
Kerberos
On Windows networks, Kerberos is a protocol that allows a user account to authenticate to a domain controller (DC) over a trusted local cabled segment.
How many bits long is an IPv6 address in total, and how many bits identify the host portion?
In IPv6, the address is 128 bits long and the network prefixes are used to identify logical networks within the first 64 bits. IPv6 uses hexadecimal values for notation.
How many bits long is an IPv4 address in total?
In IPv4, the 32-bit address is combined with a 32-bit subnet mask, both of which are typically entered in dotted decimal notation.
Time Drift
Processes such as authentication and backup depend on the time reported by the local PC being closely synchronized to the time kept by a server.
Incident Documentation
Documenting the scene of an incident is important, using photographs and ideally video and audio. Investigators must record every action they take.
Non-Writeable Optical Disk
Historically, most attended installations were run by booting from optical media (CD-ROM or DVD). As updates for the operating system and drivers become available, optical media will become quickly dated because ongoing updates cannot be added to the installation disc.
Latent Evidence
Digital evidence is mostly latent. Latent means that the evidence cannot be seen with the naked eye; rather, it must be interpreted using a machine or process.
Internet-based (Booting)
A computer that supports network boot could also be configured to boot to set up over the internet. In this scenario, the local network’s DHCP server must be configured to supply the DNS name of the installation server.
API
An application programming interface (API) is a method used by developers to integrate custom-developed software with other software applications.
Recovery Partition
A factory recovery partition is a tool used by the original equipment manufacturers (OEMs) to restore the OS environment to its ship state. The recovery partition is created on the internal fixed drive.
Windows Refresh
Windows supports refresh and reset options to try to repair the installation. Using refresh recopies the system files and reverts most system settings to the default but can preserve user personalization settings, data files, and apps installed via Windows Store.
Clean Install
A clean install of the operating system is an installation option where no previous operating system will be repaired.
/?
When used with a particular command, lists the syntax and switches used for the command.
* (asterisk)
The * (asterisk) is a wildcard character that you can use to indicate a string of characters.
/w
When used with the dir command, lists files in a wide format with no details.
Inbound filtering
Inbound filtering determines whether remote hosts can connect to given TCP/UDP ports on internal hosts that are behind a firewall or router.
Screened subnet
In an enterprise network, a screened subnet is a means of establishing a more secure configuration. The idea of a screened subnet is that some hosts are placed in a separate network segment.
% disk time
The % disk time metric is the percentage of elapsed time that the selected disk drive is busy servicing read or write requests.
Average disk queue length
The average disk queue length is the number of requests outstanding on the disk at the time the performance data is collected.
Available bytes
The available bytes metric is a memory metric. It represents the amount of memory available, which should not be below 10% of the total system memory.
Pages/sec
The pages/sec value is a memory metric. This represents the number of pages read from or written to disk to resolve hard page faults.
Radio Frequency
With proximity sensors, radio frequency ID (RFID) tags and readers can be used to track the movement of tagged objects within an area.
Passive Infrared
A security mechanism might use passive infrared (PIR) technology. This technology uses temperature and can detect moving heat sources.
Microwave radio
The sensors in microwave radio security devices detect movement by radio reflection, the same principle used in radar.
Concealed sensor
A duress alarm is manually triggered and could be implemented as a wireless pendant or concealed sensor or button. The alarm is triggered like a panic button.
Concurrent Logins
Concurrent logins set a limit to the number of simultaneous sessions a user can open. Most users should only need to sign in to one computer at a time.
Use timeout
Use timeout/screen lock will lock the desktop if the system detects no user-input device activity. This is a sensible, additional layer of protection.
Perform a soft reset
A soft reset is usually effective in restoring unresponsive or frozen systems and is one of the first things to try when faced with a malfunctioning app or slow performance.
stdin
In a Linux distribution with no graphical user interface, a terminal interface is used. The default shell command interpreter uses the stream stdin (0) for the user’s keyboard input.
stderr
A terminal shell is often used in Linux and working at a terminal is referred to as using a shell interactively. Any errors in a terminal stream are identified by stderr (2).
std
In Linux, communication within a shell is identified by streams and std refers to a standard stream that is further categorized as stdin, stdout, and stderr.
stdout
A Linux terminal is connected by a teletype (tty) device that handles text output. The stdout (1) stream carries a shell's output to the tty device, which displays it through the terminal.
Transparent Proxy
A proxy server can improve both performance and security. A transparent proxy does not require any client configuration as the server handles the appropriate settings.
Intercepting Proxy
Some networks use a proxy to provide network connectivity. An intercepting proxy does not require that each client is individually configured.
Manual Proxy
With a manual proxy, each client must be configured with the IP address and TCP port to use to forward traffic via the proxy.
Autoconfiguring Proxy
Proxy server settings can be done via Network and internet settings on a Windows client. This includes a fully manual option to input proxy settings or to automatically detect proxy settings. Whichever setting is used, it would still have to be configured on the client itself.
Idle Debugger
IDLE is the Python Integrated Development and Learning Environment. While IDLE does have a debugger, it is for Python scripts, not Windows issues.