Chapter 5: Working with Windows and CLI Systems

Voltage SecureFile

________ is designed for an enterprise computing environment.

Endpoint Encryption

________ can be used on PCs, laptops, and removable media to secure an entire disk volume.

EFI

________ is designed for x64 computers and uses GUID Partition Table (GPT)- formatted disks.

USB drives

________ and other solid- state drive systems are different, in that memory cells shift data at the physical level to other cells that have had fewer reads and write continuously.

support program

The physical address ________ for accessing more than 4 GB of physical RAM.

NTFS

Clusters are numbered sequentially, starting at 0 in ________ and 2 in FAT.

DOS

If a system has multiple boot OSs, including older ones such as Windows 9x or ________, Ntldr reads BootSect.dos (a hidden file), which contains the address of each OS.

multiple devices

All Windows 8 and 10 boot processes are designed to run on ________, ranging from desktop or laptop systems to tablets and smartphones.

hardware components

The virtual machine recognizes ________ of the host computer its loaded on.

Intel

In an effort to reduce the relationship with firmware, ________ developed UEFI, which defines the interface between a computers firmware and the OS.

large data storage

ReFS is designed to address very ________ needs, such as the cloud.

solid state devices

When dealing with ________, making a full forensic copy as soon as possible is crucial in case you need to recover data from unallocated disk space.

BIOS

________ is designed for x86 computers and is typically used on disk drives with Master Boot Records (MBRs)

track of transactions

The system keeps ________ such as file deleting or saving.

LCN

When data is first written to nonresident files, a(n) ________ address is assigned to the file in the attribute 0x80 field of the MFT.

FAT12

Encrypted files arent part of the ________, FAT16, or FAT32 file systems, so cipher command works only on NTFS systems running Windows 2000 Professional or later.

MS DOS

It was originally designed for ________ 1.0, the first Microsoft OS, used for floppy disk drives and drives up to 16 MB.

Memory cells

________ are designed to perform only 10, 000 to 100, 000 reads /writes, depending on the manufacturers design.

Boot.ini

________ specifies the Windows XP path installation and contains options for selecting the Windows version.

EFS

When ________ is used in Windows 2000 and later, a recovery certificate is generated and sent to the local Windows administrator account.

Tracks

________: Concentric circles on a disk platter where data is located.

Subkey

________: A key displayed under another key, similar to a subfolder in Windows or File Explorer.

Logical Cluster Numbers

________ (LCNs): Are sequentially numbered from the beginning of the disk partition, starting with the value 0.

unique identity

Windows changes the filename and moves the file to a subdirectory with a(n) ________ in the Recycle Bin.

boot selection

When the ________ is made, Ntldr runs NTDetect.com, a 16- bit real- mode program that queries the system for device and configuration data, and then passes its findings to Ntldr.

digital forensics

In ________, virtual machines make it possible to restore a suspect drive on a virtual machine and run nonstandard software the suspect might have loaded, for example.

Recovery Key Agent

To recover an encrypted EFS file, a user can e- mail it or copy the file to the administrator, who can then run the ________ function to restore the file.

File System

________: Gives an OS a road map to data on a disk.

ASCII data

It contains ________, Unicode data, and the date and time of deletion for each file or folder.

hard drive

When data is deleted on a(n) ________, only the references to it are removed, which leaves the original data in unallocated disk space.

Disk Space

Unallocated ________: The area of the disk where the deleted file resides.

Windows Vista

In ________ and later, the boot process uses a boot configuration data (BCD) store.

cluster locations

A run- list is maintained in the MFT of all ________ on the disk for nonresident files.

disk partitions

It supports ________ with a maximum storage capacity of 4 GB.

Windows stores

________ information about the original path and filename in the Info2 file, which is the control file for the Recycle Bin.

guest OS

The ________ is limited by the host computers OS, which might block certain operations.

File System

Gives an OS a road map to data on a disk

Geometry

Refers to a disks logical structure of platters, tracks, and sectors

Head

The device that reads and writes data to a drive

Tracks

Concentric circles on a disk platter where data is located

Cylinder

A column of tracks on two or more disk platters

Sector

A section on a track, usually made up of 512 bytes

Zone Bit Recording (ZBR)

It is how most manufacturers deal with a platters inner tracks having a smaller circumference (and, therefore, less space to store data) than its outer tracks

Track density

The space between each track

Areal density

The number of bits in one square inch of a disk platter

Head and cylinder skew

Used to improve disk performance

Clusters

Storage allocation units of one or more sectors

Logical Addresses

Cluster numbers

Partition

  A logical drive

File Allocation Table (FAT)

The file structure database that Microsoft designed for floppy disks

Drive Slack

Composed of the unused space in a cluster between the end of an active files content and the end of the cluster

File Slack

The remaining sectors in the last assigned cluster

Unallocated Disk Space

The area of the disk where the deleted file resides

Partition Boot Sector

The first data set on an NTFS disk

Master File Table

The first file on an NTFS disk

Metadata

Records in the MFT

Resident Files

All information stored in the MFT record

Logical Cluster Numbers (LCNs)

Are sequentially numbered from the beginning of the disk partition, starting with the value 0

Encrypting File System (EFS)

added by Microsoft as optional built-in encryption to NTFS when they introduced Windows 2000

cipher and copy

These two commands are available from a command prompt

Resilient File System (ReFS)

With the release of Windows Server 2012, Microsoft created a new file system called __________.

Registry

A database that stores hardware and software configuration information, network connections, user preferences, and setup information

Registry

A hierarchical database containing system and user information

Registry Editor

A Windows utility for viewing and modifying data in the Registry

Regedit and Regedt32

Two Registry Editors

Key

Folders in each HKEY

Subkey

A key displayed under another key, similar to a subfolder in Windows or File Explorer

Value

A name and value in a key; its similar to a file and its data content

Default value

All keys have a ______ that may or may not contain data

Hives

These are specific branches in HKEY_USER and HKEY_LOCAL_MACHINE

Bootmgr.exe

The Windows Boot Manager program controls boot flow and allows booting multiple OSs, such as booting Vista along with XP

Winload.exe

The Windows Vista OS loader installs the kernel and the Hardware Abstraction Layer (HAL) and loads memory with the necessary boot drivers

Winresume.exe

This tool restarts Vista after the OS goes into hibernation mode

NTBootdd.sys

The device driver that allows the OS to communicate with SCSI or ATA drives that arent related to the BIOS

Ntoskrnl.exe

The Windows XP OS kernel, located in the systemroot/Windows/ System32 folder

Hal.dll

The Hardware Abstraction Layer (HAL) dynamic link library, located in the systemroot/Windows/System32 folder

Configuration File

Contains hardware settings, such as RAM, network configurations, port settings, and so on

Virtual Hard Disk File

Contains the boot loader program, OS files, and users data files

Jetico BestCrypt Volume Encryption

_______ provides WDE for older MS-DOS and current Windows systems.

GUID Partition Table (GPT)

EFI is designed for x64 computers and uses ______ –formatted disks.

garbage collector

When data is rotated to another memory cell, the old memory cell addresses are listed in a firmware file called a “______.”

Physical Addresses

Sector numbers.

Partition Gap

The unused space between partitions.

Nonresident Files

All information stored outside MFT record.

virtual cluster number (VCN)

When data is first written to nonresident files, an LCN address is assigned to the file in the attribute 0x80 field of the MFT. This LCN becomes the file’s ______.

Device drivers

_____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the systemroot\\Windows\\System32\\ Drivers folder.

CMOS

A computer stores system configuration and date and time information in the _____ when power to the system is off.

Bootstrap Process

Tells the computer how to proceed.

FAT12

This version is used specifically for floppy disks, so it has a limited amount of storage space.

FAT16

Developed by Microsoft to handle larger disks, it is still used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 and Windows NT 3.5 and 4.0.

\
It supports disk partitions with a maximum storage capacity of 4 GB.

FAT32

When disk technology improved and disks larger than 2 GB were developed, Microsoft released FAT32, which can access larger drives.

exFAT

Developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDCX), and memory sticks.

VFAT

Developed to handle files with more than eight-character filenames and three-character extensions; introduced with Windows 95.

Drive Slack

Composed of the unused space in a cluster between the end of an active file’s content and the end of the cluster.

RAM Slack

The portion of the last sector used in the last assigned cluster.

File Slack

The remaining sectors in the last assigned cluster.

High Performance File System (HPFS)

The NTFS design was partially based on, and incorporated many features from, Microsoft’s project for IBM with the OS/2 operating system; in this OS, the file system was ______.

Unicode

An international data format.

\
It uses an 8-bit (UTF-8), 16-bit (UTF-16) or a 32-bit (UTF-32) configuration.

ASCII

For Western-language alphabetic characters, UTF-8 is identical to _____.

$Mft

Base file record for each folder on the NTFS volume; other record positions in the MFT are allocated if more space is needed.