Working with Windows and CLI systems

Question 1

Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren;t related to the BIOS?

Answer 1

NTBootdd.sys

Question 2

Which certificate provides a mechanism for recovering files encrypted with EFS if there is a problem with the user’s original private key?

Answer 2

Recovery Certificate

Question 3

Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM?

Answer 3

Ntkmlpa.exe

Question 4

Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.

Answer 4

True

Question 5

Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr?

Answer 5

NTDetect.com

Question 6

The first 5 bytes (characters) for all MFT records are FILE.

Answer 6

False

Question 7

The file or folder’s MFT record provides cluster addresses where the file is stored on the drive’s partition. What are these cluster addresses called?

Answer 7

Data runs

Question 8

Which acronym refers to the file structure database that Microsoft originally designed for floppy disks?

Answer 8

FAT

Question 9

In the NTFS MFT, all files and folders are stored in separate records of how many bytes each?

Answer 9

1024

Question 10

Typically, a virtual machine consists of just one file.

Answer 10

False

Question 11

As data is added, the MFT can expand to take up 75% of the NTFS disk.

Answer 11

False

Question 12

In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.

Answer 12

True

Question 13

What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced?

Answer 13

EFS

Question 14

One way to examine a partition’s physical level is to use a disk editor, such as WinHex, or Hex Workshop.

Answer 14

True

Question 15

What term refers to the number of bits in one square inch of a disk platter?

Answer 15

Areal density

Question 16

What is on an NTFS disk immediately after the Partition Boot Sector?

Answer 16

MFT

Question 17

What enables the user to run another OS on an existing physical computer (known as the host computer) by emulating a computer’s hardware environment?

Answer 17

A virtual machine

Question 18

Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?

Answer 18

NTFS

Question 19

The type of file system an OS uses determines how data is stored on the disk.

Answer 19

True

Question 20

It’s possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.

Answer 20

True

Question 21

When Microsoft created Windows 95, into what were initialization (.ini) files consolidated?

Answer 21

The registry

Question 22

Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.

Answer 22

True

Question 23

From a network forensics standpoint, there are no potential issues related to using virtual machines.

Answer 23

False

Question 24

What specifies the Windows XP path installation and contains options for selecting the Windows version?

Answer 24

Boot.ini

Question 25

What term refers to a column of tracks on two or more disk platters?

Answer 25

Cylinder

Question 26

In NTFS, files smaller than 512 bytes are stored in the MFT.

Answer 26

True

Question 27

Which of the following Windows 8 files contains user-specific information?

Answer 27

Ntuser.dat

Question 28

EFS can encrypt which of the following?

Answer 28

Files, folders, and volumes

Question 29

MFT stands for Master File Table

Answer 29

True

Question 30

File and directory names are some of the items stored in the FAT database

Answer 30

True

Question 31

An image of a suspect drive can be loaded on a virtual machine

Answer 31

True

Question 32

List two features NTFS has that FAT does not

Answer 32

Unicode characters and better security

Question 33

What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?

Answer 33

The file is unencrypted automatically

Question 34

A virtual cluster number represents the assigned clusters of files that are non resident in the MFT

Answer 34

True

Question 35

Areal density refers to which of the following?

Answer 35

Number of bits per square inch of a disk platter

Question 36

Zone bit recording is how disk manufacturers ensure that a platter’s outer tracks store as much data as possible

Answer 36

False

Question 37

How many sectors are typically in a cluster on a disk drive?

Answer 37

4 or more

Question 38

In FAT32, a 123-KB file uses how many sectors?

Answer 38

246

Question 39

CHS stands for cylinders, heads, and sectors

Answer 39

True

Question 40

Device drivers contain instructions for the OS on how interface with hardware devices

Answer 40

True

Question 41

What does the Ntuser.dat file contain?

Answer 41

MRU files list

Question 42

In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?

Answer 42

None of the above

Question 43

Clusters in Windows always being numbering at what number?

Answer 43

2

Question 44

What is the space on a drive called when a file is deleted?

Answer 44

Unallocated space

Question 45

Virtual machines have which of the following limitations when running on a host computer?

Answer 45

Virtual machines are limited to host computer’s peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices

Question 46

BIOS boot firmware was developed to provide better protection against malware than EFI does developed?

Answer 46

False