64 Cards in this Set

FAT File Creation

1. Directory entry is created
2. File Allocation Table clusters are allocated
3. File is stored in the data area of the hard drive

FAT File Deletion

1. File name in the directory is changed so that the first character is hex E5 (~)
2. File Allocation Table is zeroed out and marked as available
3. Data area is untouched

NTFS File Creation

1. Master File Table entry is created
2. Data is stored on the hard drive

NTFS File Deletion

1. Information in the MFT is no longer marked as used
2. The data is untouched

$MFT

A relational database table containing information about all files. Similar to a table of contents.

Every file and directory has an entry that is 1024 bytes.

If the file is <600 bytes it is stored in the MFT.

Volume Boot Sector (NTFS) is not stored here.

$MFTMirr

Duplicate of the first four records in $MFT.

A partial backup for recoverability.

$LogFile

Recoverability feature of NTFS. Used when the system is rebooted after a crash.

Log of all file system metadata changes.

Prevents incomplete actions from taking place: checks for and undoes the actions.

$Volume

Volume name, NTFS version, creation date.

File size is shown as 0 bytes because the actual file containing the data is in the MFT (4th record).

Just information about the volume.

$Bitmap

Keeps track of used and free clusters

Free Cluster Marking

00

Used Cluster Marking

FF

What does SID do?

Maintains security on files for NTFS.

Gives the owner of files read, write, execute permissions.

What is SID?

A security identifier tied to a specific user or group

How is SID tied to a user?

It is tied to the user name in a registry

$MFT Entry

File status is located at offset 22 (distance from the beginning of the object) in the $MFT.

Deleted File Status

00 00
Allocated File Status

01 00

Deleted Directory

02 00

Allocated Directory

03 00

Three Attributes every $MFT record has

1. Standard Information Attribute
2. File Name Attribute
3. Data Attribute

SIA

Standard Information Attribute, which contains the date/time stamps for the file or folder.

Begins at 10 00 00 00

FNA

File Name Attribute, which includes the file name, the physical and logical size, and the parent folder.

Dates and times are set only when the file is originally created.

Begins at 30 00 00 00

DATA

Contains the actual file data or points to where the data resides.

Begins at 80 00 00 00

Ends at FF FF FF FF

Resident Data

Data is stored in the $MFT; file size is less than 600 bytes.

Non-Resident Data

Data is stored on the hard drive.

Data Runs

Listing in the $MFT of the clusters allocated to a file.

NTFS Date/Time Stamps

Stored in the $MFT.

Coordinated Universal Time (UTC).

FAT Date/Time Stamps

Stored within folder entries.

Local computer settings.

What actions change the "Created" date in NTFS?

If you move a file from one volume to another, most of the time "Created" will be updated to the new time, but not if you cut and paste.

This new file will have a Created time after it was modified and accessed….

Emailing changes it to a new date.

What actions change the "Modified" date in NTFS?

Updated only if you open it AND make changes.

What actions change the "Last Accessed" date in NTFS?

NTFS delays updating the accessed timestamp by an hour.

Does not need to be opened to be updated (antivirus may change this).

File System Metadata

On an NTFS partition, the majority of this information resides in the NTFS internal files (aka metadata files).

File name, file status, file size, parent folder, allocated clusters, date/time stamps.

Application Metadata

Found within the file itself.

Different information is recorded based on the type of file.

Can be changed or deleted by the user.

Data Compression

Replacing redundant data with a placeholder.

Compressed files/folders are shown in blue text.

Saves disk space; whenever a file is moved or viewed it is decompressed first and then recompressed.

Windows Registry

A hierarchical database that stores configuration settings and options.

Contains Keys (folder), Hives (folder in a key) and Values (file).

Six Primary Hives

1. NTUSER.DAT – One for each user. Contains configuration information related to the user.
2. SAM – Security Account Manager. Account passwords and access information.
3. SECURITY – Security policies.
4. SOFTWARE – Information related to all software on the computer.
5. SYSTEM – Information related to the computer system. Settings, devices, drivers, etc.
6. HARDWARE – Information related to all hardware in the computer.

How to determine when a user logged on

SAM contains info on when the last logon was.

Begins at offset 5.

How to determine when a user logged off

NTUSER.DAT

DateCreated indicates when the user account was created.

DateModified indicates the last time the user logged off of the system.

Where can you see if External Devices have been used?

1. Registry: \SYSTEM\ControlSet***\Enum\USBSTOR
2. Log file: setupapi.log or setupapi.dev.log

Information Internet Explorer keeps:

Stored in Index.dat.

Authentication, identification of a user, user preferences, shopping cart.

Three main Windows event logs:

1. AppEvent.evt – Application events. Events related to software.
2. SecEvent.evt – Security events. Related to security and access to resources. Logging on and off of the computer. Default setting is that it is NOT enabled.
3. SysEvent.evt – System events. Events related to the operating system.

How can you view event logs?

Using Event Viewer.

Can be salvaged from unallocated space using the file header.

Link Files

Shortcuts that point to another file or folder.

File extension .LNK.

Stored in multiple locations.

Last Accessed time indicates when a file was last run.

Prefetch Files

Files that speed up the OS by preloading frequently accessed files (moved from hard drive to memory).

Can be used to determine when a program was run.

C:\Windows\PreFetch

Extension .pf

Thumbnail Cache Files

Database file that contains thumbnail images of pictures on a computer. Thumbs.db or Thumbcache_xxx.db.

If the original picture is deleted, the thumbnail image still remains.

Printer Files

1. Shadow Files (.SDH) - Contain administration information about the print job: file name, user account, printer name.
2. Spool Files (.SPL) - Contain the actual data that was printed.

Once successfully printed, both files are deleted unless configured to be kept.

Recycle Bin Windows XP

The SID subfolder contains the deleted file along with a file named INFO2.

When a file is deleted:

1. File renamed
2. INFO2 updated chronologically
3. The file data remains in the same location on the drive.

How to bypass recycle bin?

Shift Delete

File rename when deleted in XP

File renamed in the following manner:

Begins with "D" (deleted).

Followed by the drive letter of where the file was. Followed by a sequential number.

Followed by the original file extension.

Recycle Bin Windows 7-10

\$Recycle.Bin subfolder named with the user SID.

1. File renamed ($R…ext)
2. New file created ($I…ext)
3. File data remains in the same location on the drive.

Pagefile

Virtual memory, like RAM; holds temporary info swapped in and out of physical memory.

Anything seen on the monitor can be in the page file.

Good place for IM conversations.

Restore Points

Restore points are created when a major event occurs (XP) or every 24 hours (Win 7 - 10).

C:\System Volume Information

Restore points can contain data that is not on the current version of the operating system.

Cookies

Text files from websites saved on the computer.

Can be used by spyware to track your browsing activities, or be stolen and used to impersonate you.

Cannot contain viruses or malware, or be programmed.

History Files for IE, FireFox and Chrome

IE - Content.IE5
FireFox - places.sqlite
Chrome - sqlite

Tie a picture to a Facebook account

2nd of 3 number blocks or 3 of 5 number blocks

Bitlocker

Encryption key is stored on the Trusted Platform Module and must be booted from the original computer.

Encrypts entire volumes.

Encrypting File System

Encrypts a user's folders and files.

Encryption key is tied to the user name and password. Encrypted files/folders are displayed in green text.

Raid Arrays

Redundant Array of Inexpensive Disks.

A group of hard drives that function as one hard drive.

3 main raid arrays:

Raid 0: Two or more drives, data striped across all drives, so efficient but can lose all data.

Raid 1: Two or more drives, mirrored on both; slow but no risk of losing data.

Raid 5: Three or more drives. Data is striped across all drives with redundancy. Good speed and recoverability if one of the drives fails. A Raid 5 can rebuild itself.

IP

Internet Protocol - An IP address is a numerical label assigned to every device on a network.

ipconfig -all in the command line

DHCP

Dynamic Host Configuration Protocol

A DHCP server holds a pool of addresses and distributes them to computers as they get on the network.

Process: Broadcast, Offer, Request, Acknowledge

Trace route of IP address

tracert www.google.com

Reading an email header:

Text in the email message that keeps track of the route that the email took from sender to recipient.

Each email server that the email passes through adds information to the header.

This information includes to/from, email address, content type, time stamps, and IP address.

Email headers are read beginning at the bottom and reading up.

Options for imaging a Mac:

Remove the hard drive and image it with FTK Imager or any other imaging tool.

Boot the suspect computer in Target Disk Mode.

Boot the suspect computer to a Linux-based forensic boot disk such as Raptor.