Computer forensics – quiz 5 – Flashcards
question
A computer stores system configuration and date and time information in the BIOS when power to the system is off t/f
answer
false
question
When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space t/f
answer
true
question
Someone who wants to hide data can create hidden partitions or voids (large unused gaps between partitions on a disk drive). Data that is hidden in partition gaps cannot be retrieved by forensics utilities t/f
answer
false
question
FAT32 is used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0 t/f
answer
false
question
Each MFT record starts with a header identifying it as a resident or nonresident attribute t/f
answer
false
question
A typical disk drive stores how many bytes in a single sector? a. 8 b. 512 c. 1024 d. 4096
answer
b
question
Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks? a. disk track recording (DTR) b. zone based areal density (ZBAD) c. zone bit recording (ZBR) d. cylindrical head calculation (CHC)
answer
c
question
What hexadecimal code below identifies an NTFS file system in the partition table? a. 05 b. 07 c. 1B d. A5
answer
b
question
When using the file allocation table (FAT), where is the FAT database typically written to? a. the innermost track b. the outermost track c. the first sector d. the first partition
answer
b
question
Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital extended capacity (SDXC), and memory sticks: a. FAT12 b. FAT32 c. exFAT d. VFAT
answer
c
question
What term is used to describe a disk's logical structure of platters, tracks, and sectors? a. cylinder b. trigonometry c. geometry d. mapping
answer
c
question
A master boot record (MBR) partition table marks the first partition starting at what offset? a. 0x1CE b. 0x1BE c. 0x1AE d. 0x1DE
answer
b
question
The ??? command inserts a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry a. delete b. edit c. update d. clear
answer
a
question
What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume? a. $MftMirr b. $TransAct c. $LogFile d. $Backup
answer
c
question
What command below can be used to decrypt EFS files? a. cipher b. copy c. efsrecvr d. decrypt
answer
c
question
Which of the following commands creates an alternate data stream? a. echo text > myfile.txt:stream_name b. ads create myfile.txt(stream_name) "text" c. cat text myfile.txt=stream_name d. echo text
answer
a
question
What term below describes a column of tracks on two or more disk platters? a. sector b. cluster c. cylinder d. header
answer
c
question
Which of the following is not a valid configuration of Unicode? a. UTF-8 b. UTF-16 c. UTF-32 d. UTF-64
answer
d
question
What does the MFT header field at offset 0x00 contain? a. the MFT record identifier FILE b. the size of the MFT record c. the length of the header d. the update sequence array
answer
a
question
The ReFS storage engine uses a ??? sort method for fast access to large data sets. a. A+-tree b. B+-tree c. reverse d. numerical
answer
b
question
What third-party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive? a. PGP Full Disk Encryption b. Voltage SecureFile c. BestCrypt d. TrueCrypt
answer
d
question
The ??? branches in HKEY_LOCAL_MACHINE/software consist of SAM, security, components, and system a. registry b. storage c. hive d. tree
answer
c
question
What registry file contains user account management and security settings? a. default.dat b. software.dat c. SAM.dat d. Ntuser.dat
answer
c
question
What registry file contains installed programs' settings and associated usernames and passwords? a. default.dat b. software.dat c. sam.dat d. ntuser.dat
answer
c
question
Addresses that allow the MFT to link to nonresident files are known as ??? a. virtual cluster numbers b. logical cluster numbers c. sequential cluster numbers d. polarity cluster numbers
answer
b