Ch. 5 Working with Windows and CLI systems

In DOS and Windows 9.x, Io.sys is the first file loaded after the ROM bootstrap loader finds the disk. True or False?

True

On a Windows system, sectors typically contain how many bytes?
a. 256,
b. 512,
c. 1024,
d. 2048

b. 512

What does CHS stand for?

cylinders, heads, sectors

Zoned bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True or False?

False

Areal density refers to which of the following?
a. Number of bits per disk,
b. Number of bits per partition,
c. Number of bits per square inch of a disk platter,
d. Number of bits per platter

c. Number of bits per square inch of a disk platter

Clusters in Windows always begin numbering at what number?

2

What is the ratio of sectors per cluster in a floppy disk?
a. 1:1,
b. 2:1,
c. 4:1,
d. 8:1

a. 1:1

List three items stored in the FAT database.

file and directory names, starting cluster numbers, file attributes, and date and time stamps

Windows 2000 can be configured to access which of these file formats? (Choose all that apply.)
a. FAT12,
b. FAT16,
c. FAT32,
d. NTFS

a. FAT12,
b. FAT16,
c. FAT32,
d. NTFS

In FAT32, a 123 KB file uses how many sectors?

The answer is 246 sectors. 123 x 1024 bytes per KB = 125,952 total bytes in the file. 125,952 bytes / 512 sectors per cluster = 246 sectors

What is the space on a drive called when a file is deleted? (Choose all that apply.)
a. Disk space,
b. Unallocated space,
c. Drive space,
d. Free space

b. Unallocated space,
d. Free space

List two features NTFS has that FAT does not.

Unicode characters, security, journaling

What does MFT stand for?

Master File Table

In NTFS, files smaller than 512 bytes are stored in the MFT. True or False?

True

RAM slack can contain passwords. True or False?

True

A virtual cluster consists of what kind of clusters?

chained clusters

The Windows Registry in Windows 9x consists of what two files?

System.dat and User.dat

HPFS is used on which OS?

OS/2

Device drivers contain what kind of information?

instructions for the OS on how to interface with hardware devices

Which of the following Windows XP files contains user-specific information?
a. User.dat,
b. Ntuser.dat,
c. System.dat,
d. Sam.dat

b. Ntuser.dat

Virtual machines have which of the following limitations when running on a host computer?
a. Internet connectivity is restricted to virtual Web sites.
b. Applications can be run on the virtual machine only if they're resident on the physical machine.
c.

c. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.

An image of a suspect drive can be loaded on a virtual machine. True or False?

True

EFS can encrypt which of the following?
a. Files, folders, and volumes,
b. Certificates and private keys,
c. The global Registry,
d. Network servers

a. Files, folders, and volumes

To encrypt a FAT volume, which of the following utilities can you use?
a. Microsoft BitLocker,
b. EFS,
c. PGP Whole Disk Encryption,
d. FreeOTFE

c. PGP Whole Disk Encryption

What are the functions of a data run's field components in an MFT record?

Data runs have three components; the first declares how many bytes are required in the attribute field to store the number of bytes needed for the second and third components. The second component stores the number of clusters assigned to the data run, an

alternate data streams

Ways in which data can be appended to a file (intentionally or not) and potentially obscure evidentiary data. In NTFS, alternate data streams become an additional file attribute.

American Standard Code for Information Interchange (ASCII)

An 8-bit coding scheme that assigns numeric values to up to 256 characters, including letters, numerals, punctuation marks, control characters, and other symbols.

areal density

The number of bits per square inch of a disk platter.

attribute ID

In NTFS, an MFT record field containing metadata about the file or folder and the file's data or links to the file's data.

Boot.ini

A file that specifies the Windows path installation and a variety of other startup options.

BootSect.dos

If a machine has multiple booting OSs, NTLDR reads BootSect.dos, which is a hidden file, to determine the address (boot sector location) of each OS. See also NT Loader (Ntldr).

bootstrap process

Information contained in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.

clusters

Storage allocation units composed of groups of sectors. Clusters are 512, 1024, 2048, or 4096 bytes each.

cylinder

A column of tracks on two or more disk platters.

data runs

Cluster addresses where files are stored on a drive's partition outside the MFT record. Data runs are used for nonresident MFT file records. A data run record field consists of three components; the first component defines the size in bytes needed to stor

device drivers

Files containing instructions for the OS for hardware devices, such as the keyboard, mouse, and video card.

drive slack

Unused space in a cluster between the end of an active file and the end of the cluster. It can contain deleted files, deleted e-mail, or file fragments. Drive slack is made up of both file slack and RAM slack. See also file slack and RAM slack.

Encrypting File System (EFS)

A public/private key encryption first used in Windows 2000 on NTFS-formatted disks. The file is encrypted with a symmetric key, and then a public/private key is used to encrypt the symmetric key.

File Allocation Table (FAT)

The original Microsoft file structure database. It's written to the outermost track of a disk and contains information about each file stored on the drive. PCs use the FAT to organize files on a disk so that the OS can find the files it needs. The variati

file slack

The unused space created when a file is saved. If the allocated space is larger than the file, the remaining space is slack space and can contain passwords, logon IDs, file fragments, and deleted e-mails.

file system

The way files are stored on a disk; gives an OS a road map to data on a disk.

geometry

A disk drive's internal organization of platters, tracks, and sectors.

Hal.dll

The Hardware Abstraction Layer dynamic link library allows the OS kernel to communicate with hardware.

head

The device that reads and writes data to a disk drive.

head and cylinder skew

A method manufacturers use to minimize lag time. The starting sectors of tracks are slightly offset from each other to move the read-write head.

High Performance File System (HPFS)

The file system IBM uses for its OS/2 operating system.

Info2 file

In Windows NT through Vista, the control file for the Recycle Bin. It contains ASCII data, Unicode data, and date and time of deletion.

ISO image

A bootable file that can be copied to CD or DVD; typically used for installing operating systems. It can also be read by virtualization software when creating a virtual boot disk.

logical addresses

When files are saved, they are assigned to clusters, which the OS numbers sequentially starting at 2. Logical addresses point to relative cluster positions, using these assigned cluster numbers.

logical cluster numbers (LCNs)

The numbers sequentially assigned to each cluster when an NTFS disk partition is created and formatted. The first cluster on an NTFS partition starts at count 0. LCNs become the addresses that allow the MFT to read and write data to the disk's nonresident

Master Boot Record (MBR)

On Windows and DOS computers, this boot disk file contains information about partitions on a disk and their locations, size, and other important items.

Master File Table (MFT)

NTFS uses this database to store and link to files. It contains information about access rights, date and time stamps, system attributes, and other information about files.

metadata

In NTFS, this term refers to information stored in the MFT. See also Master File Table (MFT).

NTBootdd.sys

A device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.

NT File System (NTFS)

The file system Microsoft created to replace FAT. NTFS uses security features, allows smaller cluster sizes, and uses Unicode, which makes it a more versatile system. NTFS is used mainly on newer OSs, starting with Windows NT.

NT Loader (Ntldr)

A program located in the root folder of the system partition that loads the OS. See also BootSect.dos.

one-time passphrase

A password used to access special accounts or programs requiring a high level of security, such as a decryption utility for an encrypted drive. This passphrase can be used only once, and then it expires.

partition

A logical drive on a disk. It can be the entire disk or part of the disk.

Partition Boot Sector

The first data set of an NTFS disk. It starts at sector [0] of the disk drive and can expand up to 16 sectors.

partition gap

Unused space or void between the primary partition and the first logical partition.

personal identity information (PII)

Any information that can be used to create bank or credit card accounts, such as name, home address, Social Security number, and driver's license number.

physical addresses

The actual sectors in which files are located. Sectors reside at the hardware and firmware level.

private key

In encryption, the key used to decrypt the file. The file owner keeps the private key.

public key

In encryption, the key used to encrypt a file; it's held by a certificate authority, such as a global registry, network server, or company such as VeriSign.

RAM slack

The unused space between the end of the file (EOF) and the end of the last sector used by the active file in the cluster. Any data residing in RAM at the time the file is saved, such as logon IDs and passwords, can appear in this area, whether the informa

recovery certificate

A method NTFS uses so that a network administrator can recover encrypted files if the file's user/creator loses the private key encryption code.

Registry

A Windows database containing information about hardware and software configurations, network connections, user preferences, setup information, and other critical information.

Resilient File System (ReFS)

A new file system developed for Windows Server 2012. It allows increased scalability for disk storage and improved features for data recovery and error checking.

sector

A section on a track, typically made up of 512 bytes.

track density

The space between tracks on a disk. The smaller the space between tracks, the more tracks on a disk. Older drives with wider track densities allowed the heads to wander.

tracks

Concentric circles on a disk platter where data is stored.

unallocated disk space

Partition disk space that isn't allocated to a file. This space might contain data from files that have been deleted previously.

Unicode

A character code representation that's replacing ASCII. It's capable of representing more than 64,000 characters and non-European-based languages.

UTF-8 (Unicode Transformation Format)

One of three formats Unicode uses to translate languages for digital representation.

virtual cluster number (VCN)

When a large file is saved in NTFS, it's assigned a logical cluster number specifying a location on the partition. Large files are referred to as nonresident files. If the disk is highly fragmented, VCNs are assigned and list the additional space needed t

virtual hard disk (VHD)

A file representing a system's hard drive that can be booted in a virtualization application and allows running a suspect's computer in a virtual environment.

virtual machines

Emulated computer environments that simulate hardware and can be used for running OSs separate from the physical (host) computer. For example, a computer running Windows Vista could have a virtual Windows 98 OS, allowing the user to switch between OSs.

wear-leveling

An internal firmware feature used in solid-state drives that ensures even wear of read/writes for all memory cells.

zone bit recording (ZBR)

The method most manufacturers use to deal with a platter's inner tracks being shorter than the outer tracks. Grouping tracks by zones ensures that all tracks hold the same amount of data.