Name:
Class:
Date:
Indicate whether the statement is true or false.
1. FAT32 is used on older Microsoft OSs, such as MSDOS 3.0 through 6.22, Windows 95 (first release), and Windows
NT 3.3 and 4.0.
a.
True
b.
False
2. When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated
disk space.
a.
True
b.
False
3. Someone who wants to hide data can create hidden partitions or voids- large unused gaps between partitions on a disk
drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.
a.
True
b.
False
4. Each MFT record starts with a header identifying it as a resident or nonresident attribute.
a.
True
b.
False
5. A computer stores system configuration and date and time information in the BIOS when power to the system is off.
a.
True
b.
False
Indicate the answer choice that best completes the statement or answers the question.
6. Which of the following commands creates an alternate data stream?
a.
echo text > myfile.txt:stream_name
b.
ads create myfile.txt{stream_name} “text”
c.
cat text myfile.txt=stream_name
d.
echo text < myfile.txt?stream_name
7. Which of the following is not a valid configuration of Unicode?
a.
UTF-8
b.
UTF-16
c.
UTF-32
d.
UTF-64
8. A Master Boot Record (MBR) partition table marks the first partition starting at what offset?
a.
0x1CE
b.
0x1BE
c.
0x1AE
d.
0x1DE
9. The _________ branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and
Name:
Class:
Date:
System.
a.
registry
b.
storage
c.
hive
d.
tree
10. When using the File Allocation Table (FAT), where is the FAT database typically written to?
a.
The innermost track
b.
The outermost track
c.
The first sector
d.
The first partition
11. The ReFS storage engine uses a __________ sort method for fast access to large data sets.
a.
A+-tree
b.
B+-tree
c.
reverse
d.
numerical
12. Select below the file system that was developed for mobile personal storage devices, such as flash memory devices,
secure digital eXtended capacity (SDCX), and memory sticks:
a.
FAT12
b.
FAT32
c.
exFAT
d.
VFAT
13. Most manufacturers use what technique in order to deal with the fact that a platter’s inner tracks have a smaller
circumference than the outer tracks?
a.
Disk Track Recording (DTR)
b.
Zone Based Areal Density (ZBAD)
c.
Zone Bit Recording (ZBR)
d.
Cylindrical Head Calculation (CHC)
14. What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an
NTFS volume?
a.
$MftMirr
b.
$TransAct
c.
$LogFile
d.
$Backup
15. The ___________ command inserts a HEX E5 (0xE5) in a filename’s first letter position in the associated directory
entry.
a.
delete
b.
edit
c.
update
d.
clear
Name:
Class:
Date:
16. What does the MFT header field at offset 0x00 contain?
a.
The MFT record identifier FILE
b.
The size of the MFT record
c.
The length of the header
d.
The update sequence array
17. What registry file contains installed programs’ settings and associated usernames and passwords?
a.
Default.dat
b.
Security.dat
c.
Software.dat
d.
System.dat
18. What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk
drive?
a.
PGP Full Disk Encryption
b.
Voltage SecureFile
c.
BestCrypt
d.
TrueCrypt
19. What term is used to describe a disk’s logical structure of platters, tracks, and sectors?
a.
cylinder
b.
trigonometry
c.
geometry
d.
mapping
20. A typical disk drive stores how many bytes in a single sector?
a.
8
b.
512
c.
1024
d.
4096
21. What term below describes a column of tracks on two or more disk platters?
a.
sector
b.
cluster
c.
cylinder
d.
header
22. What command below can be used to decrypt EFS files?
a.
cipher
b.
copy
c.
efsrecvr
d.
decrypt
23. What registry file contains user account management and security settings?
Name:
Class:
Date:
a.
Default.dat
b.
Software.dat
c.
SAM.dat
d.
Ntuser.dat
24. Addresses that allow the MFT to link to nonresident files are known as _______________.
a.
virtual cluster numbers
b.
logical cluster numbers
c.
sequential cluster numbers
d.
polarity cluster numbers
25. What hexadecimal code below identifies an NTFS file system in the partition table?
a.
05
b.
07
c.
1B
d.
A5
Enter the appropriate word(s) to complete the statement.
26. _____________ is composed of the unused space in a cluster between the end of an active file’s content and the end of
the cluster.
27. The ______________ is the device that reads and writes data to a drive.
28. The purpose of a ______________ is to provide a mechanism for recovering files encrypted with EFS if there’s a
problem with the user’s original private key.
29. ___________ are made up of one or more platters coated with magnetic material, and data is stored in a particular
way.
30. The _______________ executable is the Windows Boot Manager program, which controls boot flow and allows
booting multiple OSs.
Match each term with the correct definition below:
a.
Boot.ini
b.
bootstrap process
c.
Encryption File System
d.
File Allocation Table (FAT)
e.
tracks
f.
head
g.
NTBootdd.sys
h.
NTDetect.com
i.
NT File System
j.
Resilient File System
31. Concentric circles on a disk platter where data is stored.
32. A new file system developed for Windows Server 2012. It allows increased stability for disk storage and improved
features for data recovery and error checking.
33. A public/private key encryption first used in Windows 2000 on NTFS-formatted disks. The file encrypted with a
Name:
Class:
Date:
symmetric key, and then a public/private key is used to encrypt the symmetric key.
34. The device that reads and writes data to a disk drive.
35. The file system that Microsoft created to replace FAT. It uses security features, allows smaller cluster sizes, and uses
Unicode, which makes it a more versatile system.
36. A file that specifies the Windows path installation and a variety of other startup options.
37. A device driver that allows the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS.
38. Information contained in ROM that a computer accesses during startup; this information tells the computer how to
access the OS and hard drive.
39. A 16-bit program that identifies hardware components during startup snd sends the information to Ntldr.
40. The original Microsoft file structure database. It’s written to the outermost track of a disk and contains information
about each file stored on the drive. PCs use this to organize files on a disk so that the OS can find the files it needs.
41. Describe both ways in which file or folder information is typically stored in an MFT record.
42. What is a partition gap, and how might it be used to hide data?
43. Compare the methods for deleting NTFS files.
44. Why are alternate data streams of particular interest when examining NTFS disks?
45. What does the $Secure metadata file contain?
46. When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called Encrypting File
System (EFS). Explain how EFS works.
47. With the release of Windows Server 2012, Microsoft created a new file system: Resilient File System (ReFS). State
the features that are incorporated into ReFS‘s design.
48. Explain the difference between logical addresses and physical addresses in Microsoft file structures.
49. Describe the three current versions of FAT.
50. To help prevent loss of information, software vendors, including Microsoft, now provide whole disk encryption. This
feature creates new challenges in examining and recovering data from drivers. What are four features offered by whole
disk encryption tools that forensics examiners should be aware of?
Name:
Class:
Date:
Name:
Class:
Date:
Name:
Class:
Date: