In the NTFS MFT, all files and folders are stored in separate records of how many bytes each?

NTFS uses the American Standard Code for Information Interchange (ASCII) data format.

Basic Input/Output System (BIOS) contains the computer system’s configuration, date, and time.

Each HKEY contains folders referred to as a _____

A typical disk drive stores how many bytes in a single sector?

The unused space created when a file is saved.

Partition disk space that is not allocated to a file.

A key and its contents, including subkeys, make up a _____ in the Registry.

The first 5 bytes (characters) for all MFT records are MFTR0.

Computer forensics tools are divided into ____ major categories

All JPEG files have JFIF embedded at the end of the file. 

File header information is located during the ____ process.

Validation and discrimination

Both the resource fork and the data fork contain essential information, such as filename, file size, and date modified, for each file.

The General Public License (GPL) agreement stipulates that source code for hardware distributed under the GPL must be publicly available, and any works derived from GPL code must also be licensed under the GPL.

All information about a volume is stored in the Master Directory Block (MDB) and written to the MDB when the volume is initialized.

An assigned inode has _____ pointers that link to data blocks and other pointers where files are stored.

Directory file structures in Mac have made major changes with each new OS update.

For older HFS-formatted drives, the last two logical blocks, 0 and 1, on the volume (or disk) are the boot blocks containing system startup instructions. 

The data fork contains additional information from the applications, such as menus, dialog boxes, icons, executable code, and controls.

Adding the _____________ flag to the ls -l command has the effect of showing all files beginning with the "." character in addition to other files.

Steg tools can be used to detect variations of an image.

Metadata of a digital picture includes information about the camera, such as model, make, and serial number, and camera settings, such as shutter speed, focal length, resolution, date, and time.

The first 3 bytes of an XIF file are exactly the same as a TIF file.

Lossless compression produces an exact replica of the original data after it has been uncompressed, but lossy compression typically produces an altered replica of the data.

Imperceptible watermarks are usually an image, such as the copyright symbol or a company logo, layered on top of a photo.

The majority of digital cameras use the ____ format to store digital pictures.

You use image viewers to create, modify, and save bitmap, vector, and metafile graphics.

You create a metafile graphic when you add text or arrows (vector drawings) to a bitmap image.

In computer forensics, virtual machines make it possible to restore a suspect drive on a virtual machine and run nonstandard software that the suspect might have loaded. 

To recover an encrypted Encrypting File System (EFS) file, a user can e-mail it or copy the file to the administrator, who will run the Recovery Key Agent function to restore the file.

Microsoft’s utility for protecting drive data

Gives an OS a road map to data on a disk

Unused space in a cluster between the end of an active file and the end of the cluster

Concentric circles on a disk platter where data is located

The area of the disk where the deleted file resides becomes allocated disk space

In the NTFS MFT, all files and folders are stored in separate records of 1024 bytes each

A ____ contains programs that perform input and output at the hardware level.

Basic Input/Output System (BIOS)

The type of file system an OS uses determines how data is stored on the disk.

Many vendors use a bootable CD or USB drive that prompts for a one-time _____ generated by the key management function.

You can use Registry Viewer to find the location of the Registry files.

Microsoft’s move toward a journaling file system

the space between each track

ways data can be appended to existing files

the unused space between partitions

The unused space between the end of the file and the end of the last sector used by the active file in the cluster.

Unused space in a cluster between the end of an active file and the end of the cluster.

The file or folder’s MFT record provides cluster addresses where the file is stored on the drive’s partition. These cluster addresses are referred to as ____.

A _____ is a Windows utility for viewing and modifying data in the Registry. 

Records in the MFT are referred to as ____.

It is very easy to analyze, recover, and decrypt data from encrypted files or systems.

Reporting is the last function in a forensics disk analysis and examination. 

The process of checking the accuracy of results is known as discrimination.

One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop, or WinHex.

After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.

What program serves as the GUI front end for accessing Sleuth Kit's tools?

The process of creating a duplicate image of data.

The process of checking the accuracy of results.

When performing disk acquisition, the raw data format is typically created with the UNIX/Linux _____________ command.

The accuracy of the forensics results is checked during the _____ process.

When maintaining a computer forensics lab, it is important to create a software library containing older versions of forensics utilities, OS, and other programs.

What option below is an example of a platform specific encryption tool?

Raw data is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux ____ command.

What is the goal of the NSRL project, created by NIST?

Collect known hash values for commercial software and OS files using SHA hashes.

The data discrimination function can be improved by searching and comparing file headers instead of focusing on the extension of the file’s name. 

All of the following are subfunctions in the validation and discrimination category, EXCEPT____.

____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk.

The __________ Linux Live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep, and utilizes a KDE interface.

When you turn on the power to a UNIX workstation, instruction code located in firmware on the system’s CPU loads into RAM. This firmware is called ___________ code because it’s located in ROM.

Ext2fs can support disks as large as ____ TB and files as large as 2 GB.

Third Extended File System (Ext3fs) is the standard Linux file system, which can support disks as large as 4 TB and files as large as 2 GB. 

A node that stores information about the B*-tree file.

A B*-tree node that stores link information to the previous and next nodes.

The bottom-level nodes of the B*-tree that contain actual file data in the Mac file system.

A B*-tree node that stores a node descriptor and map record.

____ is a collection of data that cannot exceed 512 bytes.

What is the minimum size of a block in UNIX/Linux filesystems?

It is very easy to remove the drive from a Macintosh Mini’s CPU case; therefore it is very easy to make a forensic image from a Mac computer. 

The _____________ is the listing of all files and directories on a volume and is used to maintain relationships between files and directories on a volume.

In older Mac OSs, a file consists of two parts: a resource fork, where data is stored, and a data fork, where file metadata and application information are stored.

With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.

What file under the /etc folder contains the hashed passwords for a local system?

Each graphics file type has a unique header value.

____ steganography replaces bits of the host file with other bits of data.

What kind of graphics file combines bitmap and vector graphics types?

Some steg tools compare the hash value of a known good or bad file to the suspect file to determine whether steganography was used.

You can locate and recover graphics files based on information stored in the _________.

All of the following are considered copyrightable works, EXCEPT __________

____ is the process of converting raw picture data to another format, such as JPEG or TIFF.

All of the following are true about the copyright laws, EXCEPT

Copyright laws as they pertain to the Internet are very clear. 

Steganography cannot be used with file formats other than graphics files, such as MPEG and AVI files.

All _______ files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 2A.

Most digital cameras produce digital photos in raw or EXIF format.

How many sectors are typically in a cluster on a disk drive?

Typical cluster sizes range from 1 sector (512 B) to 128 sectors (64 KiB). A cluster need not be physically contiguous on the disk; it may span more than one track or, if sector interleaving is used, may even be discontiguous within a track.

When Microsoft introduced Windows 2000 added built in encryption to NTFS?

What is the file structure database that Microsoft originally designed for floppy disks?

Cards
Term Cylinder
Definition is a column of tracks on two or more disk platters.
Term FAT
Definition the file structure database that Microsoft originally designed for floppy disks.
Term NTFS was introduced when _____
Definition Microsoft created Windows NT and is the primary file system for Windows Vista.

What does the MFT header field at offset 0x00 contain?

What term is used to describe a disk's logical structure of platters, tracks, and sectors?

What third-party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive?

The MFT record identifier FILE.