1) You are using a Windows PC on an NTFS drive. You create and save a 450 byte graphics file. Where is the data for that file written?

a) In the first available cluster on the drive
b) In the $Bitmap
c) In the $DATA attribute of the $MFT
d) In the MBR

2) You are conducting an examination of a laptop. You remove the hard drive from the laptop and collect an image of the drive on forensically sterile media. This image is referred to as:

a) working copy
b) best evidence
c) volatile data
d) custodial evidence

3) When a file is deleted from a FAT volume, what happens to the directory entry for the file?

a) The directory entry for the file is immediately purged.
b) The 8.3 filename is purged but the long filename is left intact.
c) The directory entry for the file is marked with the EOF code.
d) The first character of the file’s short name in the directory is replaced with the hex value E5 (ASCII σ)

1) You are using a Windows PC on an NTFS drive. You create and save a 450 byte graphics file. Where is the data for that file written?
Answer: c) In the $DATA attribute of the $MFT
Explanation: Files with a size of less than 900 bytes are stored within the MFT.
2) You are conducting an examination of a laptop. You remove the hard drive from the laptop and collect an image of the drive on forensically sterile media. This image is referred to as:
Answer: a) working copy
Explanation: Here a copy is made on media which is taken from the drive.
3) When a file is deleted from a FAT volume, what happens to the directory entry for the file?
Answer: d) The first character of the file’s short name in the directory is replaced with the hex value E5 (ASCII σ)
Explanation: Doing so tells the operating system that the file needs to be deleted or ignored.