Guide to Computer Forensics and Investigations 5e Bill Nelson Amelia Phillips Christopher Steuart - Test Bank Instant Download - Complete Test Bank With Answers Sample Questions Are Posted Below True / False 1. A computer stores system configuration and date and time information in the BIOS when power to the system …
$19.99
Guide to Computer Forensics and Investigations 5e Bill Nelson Amelia Phillips Christopher Steuart – Test Bank
Instant Download – Complete Test Bank With Answers
Sample Questions Are Posted Below
| True / False |
1. A computer stores system configuration and date and time information in the BIOS when power to the system is off.
|
2. When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space.
|
3. Someone who wants to hide data can create hidden partitions or voids- large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.
|
4. FAT32 is used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0.
|
5. Each MFT record starts with a header identifying it as a resident or nonresident attribute.
|
| Multiple Choice |
6. A typical disk drive stores how many bytes in a single sector?
|
7. Most manufacturers use what technique in order to deal with the fact that a platter’s inner tracks have a smaller circumference than the outer tracks?
|
8. What hexadecimal code below identifies an NTFS file system in the partition table?
|
9. When using the File Allocation Table (FAT), where is the FAT database typically written to?
|
10. Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDCX), and memory sticks:
|
11. What term is used to describe a disk’s logical structure of platters, tracks, and sectors?
|
12. A Master Boot Record (MBR) partition table marks the first partition starting at what offset?
|
13. The ___________ command inserts a HEX E5 (0xE5) in a filename’s first letter position in the associated directory entry.
|
14. What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume?
|
15. What command below can be used to decrypt EFS files?
|
16. Which of the following commands creates an alternate data stream?
|
17. What term below describes a column of tracks on two or more disk platters?
|
18. Which of the following is not a valid configuration of Unicode?
|
19. What does the MFT header field at offset 0x00 contain?
|
20. The ReFS storage engine uses a __________ sort method for fast access to large data sets.
|
21. What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive?
|
22. The _________ branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and System.
|
23. What registry file contains user account management and security settings?
|
24. What registry file contains installed programs’ settings and associated usernames and passwords?
|
25. Addresses that allow the MFT to link to nonresident files are known as _______________.
|
| Completion |
26. ___________ are made up of one or more platters coated with magnetic material, and data is stored in a particular way.
|
27. The ______________ is the device that reads and writes data to a drive.
|
28. _____________ is composed of the unused space in a cluster between the end of an active file’s content and the end of the cluster.
|
29. The purpose of a ______________ is to provide a mechanism for recovering files encrypted with EFS if there’s a problem with the user’s original private key.
|
30. The _______________ executable is the Windows Boot Manager program, which controls boot flow and allows booting multiple OSs.
|
| Matching |
Match each term with the correct definition below:
|
31. Concentric circles on a disk platter where data is stored.
|
32. A new file system developed for Windows Server 2012. It allows increased stability for disk storage and improved features for data recovery and error checking.
|
33. A public/private key encryption first used in Windows 2000 on NTFS-formatted disks. The file encrypted with a symmetric key, and then a public/private key is used to encrypt the symmetric key.
|
34. The device that reads and writes data to a disk drive.
|
35. The file system that Microsoft created to replace FAT. It uses security features, allows smaller cluster sizes, and uses Unicode, which makes it a more versatile system.
|
36. A file that specifies the Windows path installation and a variety of other startup options.
|
37. A device driver that allows the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS.
|
38. Information contained in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.
|
39. A 16-bit program that identifies hardware components during startup snd sends the information to Ntldr.
|
40. The original Microsoft file structure database. It’s written to the outermost track of a disk and contains information about each file stored on the drive. PCs use this to organize files on a disk so that the OS can find the files it needs.
|
| Subjective Short Answer |
41. Explain the difference between logical addresses and physical addresses in Microsoft file structures.
|
42. Describe both ways in which file or folder information is typically stored in an MFT record.
|
43. Why are alternate data streams of particular interest when examining NTFS disks?
|
44. When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called Encrypting File System (EFS). Explain how EFS works.
|
45. Compare the methods for deleting NTFS files.
|
46. With the release of Windows Server 2012, Microsoft created a new file system: Resilient File System (ReFS). State the features that are incorporated into ReFS’s design.
|
47. To help prevent loss of information, software vendors, including Microsoft, now provide whole disk encryption. This feature creates new challenges in examining and recovering data from drivers. What are four features offered by whole disk encryption tools that forensics examiners should be aware of?
|
48. Describe the three current versions of FAT.
|
49. What is a partition gap, and how might it be used to hide data?
|
50. What does the $Secure metadata file contain?
|
Original price was: $30.00.$20.00Current price is: $20.00.
Original price was: $30.00.$20.00Current price is: $20.00.
Original price was: $30.00.$20.00Current price is: $20.00.
Original price was: $30.00.$20.00Current price is: $20.00.
Original price was: $30.00.$20.00Current price is: $20.00.
Original price was: $30.00.$20.00Current price is: $20.00.
