Chapter 5: Working with Windows and CLI Systems

________ is designed for an enterprise computing environment.

________ can be used on PCs, laptops, and removable media to secure an entire disk volume.

________ is designed for x64 computers and uses GUID Partition Table (GPT)- formatted disks.

________ and other solid- state drive systems are different, in that memory cells shift data at the physical level to other cells that have had fewer reads and write continuously.

The physical address ________ for accessing more than 4 GB of physical RAM.

Clusters are numbered sequentially, starting at 0 in ________ and 2 in FAT.

If a system has multiple boot OSs, including older ones such as Windows 9x or ________, Ntldr reads BootSect.dos (a hidden file), which contains the address of each OS.

All Windows 8 and 10 boot processes are designed to run on ________, ranging from desktop or laptop systems to tablets and smartphones.

The virtual machine recognizes ________ of the host computer its loaded on.

In an effort to reduce the relationship with firmware, ________ developed UEFI, which defines the interface between a computers firmware and the OS.

ReFS is designed to address very ________ needs, such as the cloud.

When dealing with ________, making a full forensic copy as soon as possible is crucial in case you need to recover data from unallocated disk space.

________ is designed for x86 computers and is typically used on disk drives with Master Boot Records (MBRs)

The system keeps ________ such as file deleting or saving.

When data is first written to nonresident files, a(n) ________ address is assigned to the file in the attribute 0x80 field of the MFT.

Encrypted files arent part of the ________, FAT16, or FAT32 file systems, so cipher command works only on NTFS systems running Windows 2000 Professional or later.

It was originally designed for ________ 1.0, the first Microsoft OS, used for floppy disk drives and drives up to 16 MB.

________ are designed to perform only 10, 000 to 100, 000 reads /writes, depending on the manufacturers design.

________ specifies the Windows XP path installation and contains options for selecting the Windows version.

When ________ is used in Windows 2000 and later, a recovery certificate is generated and sent to the local Windows administrator account.

________: Concentric circles on a disk platter where data is located.

________: A key displayed under another key, similar to a subfolder in Windows or File Explorer.

________ (LCNs): Are sequentially numbered from the beginning of the disk partition, starting with the value 0.

Windows changes the filename and moves the file to a subdirectory with a(n) ________ in the Recycle Bin.

When the ________ is made, Ntldr runs NTDetect.com, a 16- bit real- mode program that queries the system for device and configuration data, and then passes its findings to Ntldr.

In ________, virtual machines make it possible to restore a suspect drive on a virtual machine and run nonstandard software the suspect might have loaded, for example.

To recover an encrypted EFS file, a user can e- mail it or copy the file to the administrator, who can then run the ________ function to restore the file.

________: Gives an OS a road map to data on a disk.

It contains ________, Unicode data, and the date and time of deletion for each file or folder.

When data is deleted on a(n) ________, only the references to it are removed, which leaves the original data in unallocated disk space.

Unallocated ________: The area of the disk where the deleted file resides.

In ________ and later, the boot process uses a boot configuration data (BCD) store.

A run- list is maintained in the MFT of all ________ on the disk for nonresident files.

It supports ________ with a maximum storage capacity of 4 GB.

________ information about the original path and filename in the Info2 file, which is the control file for the Recycle Bin.

The ________ is limited by the host computers OS, which might block certain operations.

Gives an OS a road map to data on a disk

Refers to a disks logical structure of platters, tracks, and sectors

The device that reads and writes data to a drive

Concentric circles on a disk platter where data is located

A column of tracks on two or more disk platters

A section on a track, usually made up of 512 bytes

It is how most manufacturers deal with a platters inner tracks having a smaller circumference (and, therefore, less space to store data) than its outer tracks

The space between each track

The number of bits in one square inch of a disk platter

Used to improve disk performance

Storage allocation units of one or more sectors

Cluster numbers

A logical drive

The file structure database that Microsoft designed for floppy disks

Composed of the unused space in a cluster between the end of an active files content and the end of the cluster

The remaining sectors in the last assigned cluster

The area of the disk where the deleted file resides

The first data set on an NTFS disk

The first file on an NTFS disk

Records in the MFT

All information stored in the MFT record

Are sequentially numbered from the beginning of the disk partition, starting with the value 0

added by Microsoft as optional built-in encryption to NTFS when they introduced Windows 2000

These two commands are available from a command prompt

With the release of Windows Server 2012, Microsoft created a new file system called __________.

A database that stores hardware and software configuration information, network connections, user preferences, and setup information

A hierarchical database containing system and user information

A Windows utility for viewing and modifying data in the Registry

Two Registry Editors

Folders in each HKEY

A key displayed under another key, similar to a subfolder in Windows or File Explorer

A name and value in a key; its similar to a file and its data content

All keys have a ______ that may or may not contain data

These are specific branches in HKEY_USER and HKEY_LOCAL_MACHINE

The Windows Boot Manager program controls boot flow and allows booting multiple OSs, such as booting Vista along with XP

The Windows Vista OS loader installs the kernel and the Hardware Abstraction Layer (HAL) and loads memory with the necessary boot drivers

This tool restarts Vista after the OS goes into hibernation mode

The device driver that allows the OS to communicate with SCSI or ATA drives that arent related to the BIOS

The Windows XP OS kernel, located in the systemroot/Windows/ System32 folder

The Hardware Abstraction Layer (HAL) dynamic link library, located in the systemroot/Windows/System32 folder

Contains hardware settings, such as RAM, network configurations, port settings, and so on

Contains the boot loader program, OS files, and users data files

_______ provides WDE for older MS-DOS and current Windows systems.

EFI is designed for x64 computers and uses ______ –formatted disks.

When data is rotated to another memory cell, the old memory cell addresses are listed in a firmware file called a “______.”

Sector numbers.

The unused space between partitions.

All information stored outside MFT record.

When data is first written to nonresident files, an LCN address is assigned to the file in the attribute 0x80 field of the MFT. This LCN becomes the file’s ______.

_____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the systemroot\Windows\System32\ Drivers folder.

A computer stores system configuration and date and time information in the _____ when power to the system is off.

Tells the computer how to proceed.

This version is used specifically for floppy disks, so it has a limited amount of storage space.

Developed by Microsoft to handle larger disks, it is still used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 and Windows NT 3.5 and 4.0.

It supports disk partitions with a maximum storage capacity of 4 GB.

When disk technology improved and disks larger than 2 GB were developed, Microsoft released FAT32, which can access larger drives.

Developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDCX), and memory sticks.

Developed to handle files with more than eight-character filenames and three-character extensions; introduced with Windows 95.

Composed of the unused space in a cluster between the end of an active file’s content and the end of the cluster.

The portion of the last sector used in the last assigned cluster.

The remaining sectors in the last assigned cluster.

The NTFS design was partially based on, and incorporated many features from, Microsoft’s project for IBM with the OS/2 operating system; in this OS, the file system was ______.

An international data format.

It uses an 8-bit (UTF-8), 16-bit (UTF-16) or a 32-bit (UTF-32) configuration.

For Western-language alphabetic characters, UTF-8 is identical to _____.

Base file record for each folder on the NTFS volume; other record positions in the MFT are allocated if more space is needed.