is composed of the unused space in a cluster between the end of an active file’s content and the end of the cluster.
Someone who wants to hide data can create hidden partitions or voids large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.
What term below describes a column of tracks on two or more disk platters?
When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space.
A Master Boot Record (MBR) partition table marks the first partition starting at what offset?
The _______ copies evidence of intrusions to an investigation workstation automatically for further analysis over the network.
What registry file contains installed programs’ settings and associated usernames and passwords?
What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume?
An investigator wants to capture all data on a SATA drive connected to a Linux system. What should the investigator use for the “if=” portion of thedcfldd command?
are made up of one or more platters coated with magnetic material, and data is stored in a particular way.
The ImageUSB utility can be used to create a bootable flash drive.
A typical disk drive stores how many bytes in a single sector?
What term is used to describe a disk’s logical structure of platters, tracks, and sectors?
When two files with different contents generate the same digital fingerprint using a hashing function, a(n) ____________ has occurred.
A forensics investigator should verify that acquisition tools can copy data in the HPA of a disk drive.
FAT32 is used on older Microsoft OSs, such as MSDOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0.
The ______________ is the device that reads and writes data to a drive.
What is the dd command?
What command below can be used to decrypt EFS files?
What registry file contains user account management and security settings?
software can sometimes be used to decrypt a drive that is utilizing whole disk encryption.
What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive?
FTK Imager software can acquire a drive’s host protected area.
Which option below is not a hashing function used for validation checks?
The purpose of a ______________ is to provide a mechanism for recovering files encrypted with EFS if there’s a problem with the user’s original private key.