Deck 17: Digital Evidence on Windows Systems
1
When examining a Windows registry key, the "Last Write Time" indicates:
A) The last time RegEdit was run
B) When a value in that Registry key was altered or added
C) The current system time
D) The number of allowable changes has been exceeded
Answer: B
2
Forensically acceptable alternatives to using a Windows Evidence Acquisition Boot Disk include all but which of the following?
A) Linux boot floppy
B) FIRE bootable CD-ROM
C) Booting into safe mode
D) Hardware write blockers
Answer: C
3
You find the following deleted file on a floppy disk. How many clusters does this file occupy?
A) 200
B) 78
C) 39
D) 21
Answer: C (39)
4
Media can be accessed for examination either ________ or ________. (Choose two)
A) Logically
B) Sequentially
C) Randomly
D) Physically
5
Given their widespread use and simple structure, FAT file systems are a good starting point for forensic analysts to understand file systems and recovery of deleted data.
6
File system traces include all of the following EXCEPT:
A) Metadata
B) CMOS settings
C) Swap file contents
D) Data object date-time stamps
7
The Windows NT Event log Appevent.evt:
A) Contains a log of application usage
B) Records activities that have security implications, such as logins
C) Notes system events such as shutdowns
D) None of the above
8
When a file is moved within a volume, the Last Accessed Date Time:
A) Is unchanged
B) Changes if a file is moved to a different directory
C) Changes if a file is moved to the root
D) Is unchanged; however, the Created Date-Time does change
9
Before evidentiary media is "acquired," forensic examiners often ________ the media to make sure it contains data relevant to the investigation.
A) Hash
B) Preview
C) Validate
D) Analyze
10
With the correct CMOS setting, it is possible to mount a hard drive as Read-Only in the Windows environment.
11
Which of the following issues is NOT one that a forensic examiner faces when dealing with Windows-based media?
A) Invasive characteristics of the Windows environment
B) The facility in the standard Windows environment for mounting a hard drive as Read-Only
C) The location, organization, and content of Windows system log files
D) Available methods for recovering data from Windows media
12
EnCase provides the means to create a Windows Evidence Acquisition Boot Disk to allow for network acquisition of an evidence drive.
13
When examining the "news.rc," you find the following entry:
What does the "!" mean?
A) The user is subscribed to this group.
B) The user was once subscribed, but is currently unsubscribed, to this group.
C) The group is up to date.
D) The last message retrieval was aborted.
14
Usenet readers store all the URLs that have been accessed, but do not record which Usenet newsgroups have been accessed and joined.
15
The Windows NT Event log Secevent.evt:
A) Contains a log of application usage
B) Records activities that have security implications, such as logins
C) Notes system events such as shutdowns
D) None of the above
16
The standard Windows environment supports all of the following file systems EXCEPT ________.
A) FAT16
B) ext2
C) FAT32
D) NTFS
17
Which of the following software tools is NOT used for data recovery?
A) WinHex (X-Ways) Forensic
B) EnCase
C) FTK
D) Safeback
18
The Windows environment is invasive and poses a challenge to forensic examiners.
19
Internet traces may be found in which of the following categories?
A) Web browser cache
B) Instant messenger cache
C) Cookies
D) All of the above
20
Log files are used by the forensic examiner to ________.
A) Associate system events with specific user accounts
B) Verify the integrity of the file system
C) Confirm login passwords
D) Determine if a specific individual is the guilty party
21
The MD5 hashing algorithm is no longer considered to be a reliable method for determining whether two blocks of text are identical.
22
Just like Windows NT, Windows 98 has event logs that record system activities.
23
NTFS time represents time as the number of 100-nanosecond intervals since January 1, 1601 00:00:00 UTC.
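Worked example for cards 1 and 23 (added here as an illustration; it is not part of the original deck and not the code of any tool the deck names). It converts a FILETIME tick count to and from a UTC datetime and reads the "Last Write Time" out of a registry key node, which is stored as a FILETIME at offset 0x04 of the "nk" cell. Assumptions: the sample nk cell is constructed, not taken from a real hive, and the caller passes the cell body with the hive's 4-byte cell-size field already stripped.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows/NTFS epoch: 1601-01-01 00:00:00 UTC; one tick is 100 ns.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Ticks between the FILETIME epoch and the Unix epoch (134,774 days).
UNIX_EPOCH_AS_FILETIME = 134_774 * 86_400 * TICKS_PER_SECOND   # 116444736000000000


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME to an aware UTC datetime.

    Python datetimes resolve to microseconds, so the lowest digit of the
    tick count (the 100 ns part) is truncated; keep `ft % 10` yourself if
    you need it for a timeline comparison.
    """
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME is an unsigned 64-bit tick count")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; the datetime must be timezone-aware because NTFS stores UTC."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: NTFS timestamps are UTC, supply tzinfo")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def unix_to_filetime(unix_seconds: float) -> int:
    """Handy when correlating NTFS timestamps with Unix-epoch log sources."""
    return round(unix_seconds * TICKS_PER_SECOND) + UNIX_EPOCH_AS_FILETIME


def nk_last_write(cell: bytes) -> datetime:
    """LastWrite time of a registry key node ("nk" cell) read from a hive.

    nk cell layout (after the hive's 4-byte cell-size field):
      0x00  b"nk" signature
      0x02  uint16 flags
      0x04  FILETIME last-write time (what regedit shows as "Last Write Time")
    Assumption in this example: the caller passes the cell body, size field stripped.
    """
    if cell[:2] != b"nk":
        raise ValueError("not an nk cell")
    (ft,) = struct.unpack_from("<Q", cell, 0x04)
    return filetime_to_datetime(ft)


# Constructed sample cell (not from a real hive): LastWrite one day after the Unix epoch.
SAMPLE_LAST_WRITE_FT = UNIX_EPOCH_AS_FILETIME + 86_400 * TICKS_PER_SECOND
SAMPLE_NK_CELL = (b"nk" + struct.pack("<H", 0x0020)
                  + struct.pack("<Q", SAMPLE_LAST_WRITE_FT) + bytes(72))

if __name__ == "__main__":
    print("FILETIME 0             ->", filetime_to_datetime(0).isoformat())
    print("Unix epoch as FILETIME ->", UNIX_EPOCH_AS_FILETIME)
    print("sample nk LastWrite    ->", nk_last_write(SAMPLE_NK_CELL).isoformat())
```

The key LastWrite value is updated whenever a value in that key is added, changed or removed; it says nothing about which value changed, so a timeline built from it should be corroborated with other artifacts.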
24
In FAT32 file systems both the directory and FAT entries are updated when a file is deleted.
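Worked example for cards 3, 5 and 24 (added here as an illustration; it is not part of the original deck and not the code of any tool the deck names). It parses a 32-byte FAT directory entry, shows what deletion leaves behind (the first byte of the name overwritten with 0xE5 while the start cluster, size and timestamps survive), counts the clusters a file occupies, and recovers the content on the assumption that the file was stored contiguously, since the FAT chain itself is cleared on deletion. The floppy geometry, the directory entry and the "image" are all constructed for the example; offsets follow the standard FAT short-name entry layout.

```python
import struct
from dataclasses import dataclass
from datetime import datetime

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5   # first byte of a directory entry once the file is deleted
ATTR_ARCHIVE = 0x20


@dataclass
class DirEntry:
    name: str
    deleted: bool
    attr: int
    first_cluster: int
    size: int
    written: datetime
    last_access: datetime


def dos_datetime(date_word: int, time_word: int = 0) -> datetime:
    """Decode FAT's packed 16-bit date and time words (local time, 2 s granularity)."""
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F
    hour, minute, second = time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def dos_date_time_words(dt: datetime) -> tuple[int, int]:
    """Inverse of dos_datetime; used below only to build the constructed sample."""
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))


def parse_dir_entry(entry: bytes) -> DirEntry:
    """Parse one 32-byte short-name (8.3) directory entry.

    Offsets: 0x00 name[8] ext[3], 0x0B attributes, 0x12 last-access date,
    0x14 first-cluster high word, 0x16/0x18 write time/date,
    0x1A first-cluster low word, 0x1C file size.
    """
    if len(entry) != ENTRY_SIZE:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    deleted = entry[0] == DELETED_MARKER
    base = entry[0:8].decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    if deleted:
        base = "?" + base[1:]        # the marker overwrote the first character of the name
    (acc_date,) = struct.unpack_from("<H", entry, 0x12)
    clus_hi, wrt_time, wrt_date, clus_lo, size = struct.unpack_from("<HHHHI", entry, 0x14)
    return DirEntry(f"{base}.{ext}" if ext else base, deleted, entry[0x0B],
                    (clus_hi << 16) | clus_lo, size,
                    dos_datetime(wrt_date, wrt_time), dos_datetime(acc_date))


def clusters_for(size: int, bytes_per_cluster: int) -> int:
    """Clusters a file of this size occupies (ceiling division; a 0-byte file owns none)."""
    return -(-size // bytes_per_cluster)


def recover_contiguous(image: bytes, entry: DirEntry, bytes_per_cluster: int, data_start: int) -> bytes:
    """Recover a deleted file's content assuming it was stored contiguously.

    Deletion zeroes the file's FAT chain, so the chain cannot be followed any more;
    the directory entry still gives the first cluster and size, which is enough
    when the file was not fragmented. Cluster numbering starts at 2.
    """
    offset = data_start + (entry.first_cluster - 2) * bytes_per_cluster
    return image[offset:offset + entry.size]


def build_sample_entry(name: bytes, ext: bytes, first_cluster: int, size: int,
                       when: datetime, deleted: bool) -> bytes:
    """Build a constructed directory entry for the demonstration."""
    d, t = dos_date_time_words(when)
    entry = bytearray(ENTRY_SIZE)
    entry[0:8], entry[8:11], entry[0x0B] = name.ljust(8), ext.ljust(3), ATTR_ARCHIVE
    struct.pack_into("<H", entry, 0x12, d)
    struct.pack_into("<HHHHI", entry, 0x14, first_cluster >> 16, t, d, first_cluster & 0xFFFF, size)
    if deleted:
        entry[0] = DELETED_MARKER
    return bytes(entry)


# Constructed 1.44 MB floppy geometry (not a real image): 512-byte sectors, one sector per
# cluster, data region at sector 33 (1 reserved + 2 FATs x 9 sectors + 14 root-directory sectors).
BYTES_PER_CLUSTER = 512
DATA_START = 33 * 512
SAMPLE_CONTENT = bytes(range(256)) * 77 + b"END"          # 19,715 bytes -> 39 clusters
SAMPLE_ENTRY = build_sample_entry(b"REPORT", b"TXT", 5, len(SAMPLE_CONTENT),
                                  datetime(2003, 4, 15, 10, 30), deleted=True)
_image = bytearray(DATA_START + 64 * BYTES_PER_CLUSTER)
_off = DATA_START + (5 - 2) * BYTES_PER_CLUSTER
_image[_off:_off + len(SAMPLE_CONTENT)] = SAMPLE_CONTENT
SAMPLE_IMAGE = bytes(_image)

if __name__ == "__main__":
    e = parse_dir_entry(SAMPLE_ENTRY)
    print(e)
    print("clusters:", clusters_for(e.size, BYTES_PER_CLUSTER))
    print("recovered OK:", recover_contiguous(SAMPLE_IMAGE, e, BYTES_PER_CLUSTER, DATA_START) == SAMPLE_CONTENT)
```

Two caveats when doing this on real media: the first cluster may already have been reallocated to another file, so a recovered block must be checked for plausibility (file signature, internal structure) rather than trusted because the size matched; and on FAT32 volumes some Windows versions clear the high word of the start cluster on deletion, so the entry may point to the wrong region of a large volume.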
25
EnCase can recover deleted files but does not have the capability of recovering deleted directories.
26
"File carving" is an examination technique where the beginning and end of a file are located, and the block of data spanning the two locations is copied to a new file, with the appropriate extension.
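Worked example for card 26 (added here as an illustration; it is not part of the original deck and not the code of any tool the deck names). It carves JPEG files from a raw byte buffer by locating the start-of-image marker and the matching end-of-image marker, then writes each carved block to a new file with a .jpg extension. It goes one step beyond the card's definition: a JPEG that embeds an EXIF thumbnail contains a second, complete JPEG, so taking the first footer after a header would truncate the outer image; a nesting counter pairs headers and footers instead. The unallocated-space sample is constructed, not real image data.

```python
import re
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"   # start of image, always followed by another marker byte
JPEG_EOI = b"\xff\xd9"       # end of image
MARKER_RE = re.compile(rb"\xff\xd8\xff|\xff\xd9")


def carve_jpegs(data: bytes, max_size: int = 8 * 1024 * 1024) -> list[tuple[int, bytes]]:
    """Header/footer carving for JPEG over a raw byte buffer.

    Returns (offset, content) for each candidate. Because a JPEG's entropy-coded data
    byte-stuffs 0xFF as 0xFF 0x00, FF D8 FF and FF D9 only occur as real markers, but an
    EXIF thumbnail embedded in APP1 is itself a complete JPEG with its own SOI/EOI.
    A nesting depth counter therefore pairs each SOI with the matching EOI instead of
    stopping at the first footer, which would truncate the outer image.
    """
    results: list[tuple[int, bytes]] = []
    start, depth = None, 0
    for m in MARKER_RE.finditer(data):
        if start is not None and m.start() - start > max_size:
            start, depth = None, 0          # abandon an over-long (likely fragmented) candidate
        if m.group() == JPEG_EOI:
            if start is None:
                continue                    # stray footer with no header: ignore
            depth -= 1
            if depth == 0:
                results.append((start, data[start:m.end()]))
                start = None
        else:
            if start is None:
                start = m.start()
            depth += 1
    return results


def write_carved(results, out_dir: Path) -> list[Path]:
    """Write each carved object to its own file, named by source offset, with a .jpg extension."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for offset, content in results:
        p = out_dir / f"carved_{offset:010x}.jpg"
        p.write_bytes(content)
        paths.append(p)
    return paths


# Constructed unallocated-space sample (not real image data): one JPEG with an embedded EXIF
# thumbnail, a stray footer in slack, a plain second JPEG, and a truncated header at the end.
OUTER_JPEG = (b"\xff\xd8\xff\xe1" + b"Exif\x00\x00"
              + b"\xff\xd8\xff\xe0" + b"<thumbnail>" + b"\xff\xd9"
              + b"<main scan data>" + b"\xff\xd9")
SECOND_JPEG = b"\xff\xd8\xff\xdb" + b"<tables and scan>" + b"\xff\xd9"
SAMPLE_UNALLOCATED = (bytes(100) + OUTER_JPEG + b"slack" + b"\xff\xd9"
                      + SECOND_JPEG + bytes(40) + b"\xff\xd8\xff\xe0" + b"<truncated>")

if __name__ == "__main__":
    for offset, content in carve_jpegs(SAMPLE_UNALLOCATED):
        print(f"JPEG at offset {offset}: {len(content)} bytes")
```

Header/footer carving only works for files stored contiguously; a fragmented file yields a block that opens as garbage after the first fragment, which is why the example gives up on a candidate that runs past max_size. Other formats need their own pairing rules (PNG ends at its IEND chunk, a PDF may carry several %%EOF markers from incremental updates), so the carver's signature table should be per type rather than one generic header/footer pair.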
27
Windows evidentiary media must be acquired and examined with Windows-based examination software.
28
In the Windows environment, simply opening a file to read, without writing it back to disk, can change the date-time stamp.
29
In NTFS, when a file is deleted from a directory, the last modified and accessed date-time stamps of the parent directory listing are updated.
30
A forensic examiner would use logical access to examine media if the file and directory structures were to be analyzed.