Cyber-Security: Working with Windows
This deck covers key concepts related to Windows operating systems, including file systems, encryption, virtual machines, and device drivers.
| Term | Definition |
|---|---|
Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS? | NTBootdd.sys |
Which certificate provides a mechanism for recovering files encrypted with EFS if there is a problem with the user’s original private key? | Recovery Certificate |
Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM? | Ntkmlpa.exe |
Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence. | True |
Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr? | NTDetect.com |
The first 5 bytes (characters) for all MFT records are FILE. | False |
The file or folder’s MFT record provides cluster addresses where the file is stored on the drive’s partition. What are these cluster addresses called? | Data runs |
Which acronym refers to the file structure database that Microsoft originally designed for floppy disks? | FAT |
In the NTFS MFT, all files and folders are stored in separate records of how many bytes each? | 1024 |
Typically, a virtual machine consists of just one file. | False |
As data is added, the MFT can expand to take up 75% of the NTFS disk. | False |
In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors. | True |
What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced? | EFS |
One way to examine a partition’s physical level is to use a disk editor, such as WinHex or Hex Workshop. | True |
What term refers to the number of bits in one square inch of a disk platter? | Areal density |
What is on an NTFS disk immediately after the Partition Boot Sector? | MFT |
What enables the user to run another OS on an existing physical computer (known as the host computer) by emulating a computer’s hardware environment? | A virtual machine |
Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10? | NTFS |
The type of file system an OS uses determines how data is stored on the disk. | True |
It’s possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows. | True |
When Microsoft created Windows 95, into what were initialization (.ini) files consolidated? | The registry |
Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack. | True |
From a network forensics standpoint, there are no potential issues related to using virtual machines. | False |
What specifies the Windows XP path installation and contains options for selecting the Windows version? | Boot.ini |
What term refers to a column of tracks on two or more disk platters? | Cylinder |
In NTFS, files smaller than 512 bytes are stored in the MFT. | True |
Which of the following Windows 8 files contains user-specific information? | Ntuser.dat |
EFS can encrypt which of the following? | Files, folders, and volumes |
MFT stands for Master File Table | True |
File and directory names are some of the items stored in the FAT database | True |
An image of a suspect drive can be loaded on a virtual machine | True |
List two features NTFS has that FAT does not | Unicode characters and better security |
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? | The file is unencrypted automatically |
A virtual cluster number represents the assigned clusters of files that are non-resident in the MFT | True |
Areal density refers to which of the following? | Number of bits per square inch of a disk platter |
Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible | False |
How many sectors are typically in a cluster on a disk drive? | 4 or more |
In FAT32, a 123-KB file uses how many sectors? | 246 |
CHS stands for cylinders, heads, and sectors | True |
Device drivers contain instructions for the OS on how to interface with hardware devices | True |
What does the Ntuser.dat file contain? | MRU files list |
In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive? | None of the above |
Clusters in Windows always begin numbering at what number? | 2 |
What is the space on a drive called when a file is deleted? | Unallocated space |
Virtual machines have which of the following limitations when running on a host computer? | Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices |
BIOS boot firmware was developed to provide better protection against malware than EFI does. | False |