Questions on File Systems and Windows Forensics.

Below you will find questions that test your knowledge on this subject. I wrote them while I read material mainly from books in file systems and Windows Forensics.

The questions are not meant to be exhaustive and they might even overlap. Please note that this work is in progress. In other words it is about to change, corrected and enhanced in the near, hopefully, future.

1. What is a Master Boot Record (MBR)?
2. Explain how a Partition Table works.
3. What is a Volume Boot Record (VBR)?
4. Explain what is meant by a “Sector”
5. Explain what is meant by the term “Cluster.”
6. In the FAT File System, what is the Root Directory and what one entry can only be found in the Root Directory
7. What is File Slack? Include in your explanation a distinction between RAM slack and Residual slack
8. Explain the difference between a Contiguous file and a Fragmented file?
9. What happens when a file is deleted in a FAT16 File System?
10. Describe what EXIF data is?
11. Define the term Metadata and
12. Define the terms Little Endian and Big Endian.
13. Explain what a “DD” file is.
14. How many drive letters would be assigned by the Operating System if there are 5 Extended Logical Partitions in the Extended Primary Partition
15. What is a major difference between FAT12/16 and FAT32 that occurs during formatting?
16. What are the common names of the areas created when a volume is formatted with the FAT32 file system and what are the contents of the areas
17. What is volume slack
18. What is a pagefile.sys file and what does the Windows operating system use this file for? Include in your answer if this file would be of interest to the examiner and if so what information might it contain
19. What is a hiberfil.sys file and what does the windows operating system use this file for? Include in your answer if this file would be of interest to the examiner and if so what information might it contain?
20. Where would you find Internet history records for Internet Explorer (version 8 or greater) in the Windows 7 operating systems? State the full path.
21. In a FAT 32 file system is the Data area part of the system area?
22. What is a basic file system designed to do and how does it accomplish these tasks
23. What are some important differences when comparing FAT and NTFS?
24. How does NTFS create and delete files
25. How does NTFS track fragmentation
26. What is meant when an NTFS Attribute is “Resident” and “Non-Resident”?
27. In a Windows 7 Operating System can a formerly resident attribute content that becomes non-resident, become resident again?
28. NTFS Date and Time Stamps: Describe how they are stored and state how they are written?
29. Define what is meant by File Type Flags? What attribute are they stored in? At what offset within the attribute?
30. At what offset within the header of a $MFT File Record entry is the $MFT Record Allocation Status located? How many bytes in length is it
31. What is an orphaned file
32. How do you determine if a child is pointing back to a legitimate parent?
33. Why is it important for an examiner to know about orphaned files
34. What is an Alternate data stream (ADS) in NTFS
35. What is media sterilization?
36. When should media sterilization be done and why?
37. What algorithm should be used to verify sterile media? Explain why this particular algorithm has an advantage over other algorithms when verifying sterile media.
38. Explain what a forensic backup is.
39. Explain how from Registry we can determine the UTC time of a file in FAT
40. What are System restore points.
41. What are Shadow Volume Copies (VSC).
42. Registry key for disabling VSC.
43. DOS command to list VSC.
44. DOS command to mount VSC.
45. What is a VHD file.
46. How to mount an acquired image to access VSC.
47. Explain what UserAssist keys are and where they are located in registry.
48. How to acquire a mounted VSC.
49. What is the $MFT.
50. Explain the role of each temporal attribute of the $SIA attribute.
51. Explain the role of each temporal attribute of the $FNA attribute.
52. When file contents are resident in the $MFT.
53. What is an $EA attribute within the $MFT.
54. At what attribute $ADS are stored in the $MFT.
55. What happens to its timestamps when a file is copied within the same partition.
56. What happens to its timestamps when a file is moved within the same partition.
57. Explain a possible of tampering timestamps and how it could be detected.
58. Explain what is file tunneling.
59. What is $LogFile and what information holds.
60. Describe the format that event logs are preserved in Windows versions up to XP.
61. Explain how would you recover deleted event log entries.
62. Where Windows Event Logs are stored, their file extension
63. Explain how you would access the Windows Event Logs of an acquired image.
64. How Recycle Bin is able to restore a deleted file?
65. Explain the naming scheme in a file located at Recyble Bin.
66. What is INFO2 index, what attributes keeps stored.
67. Explains what happens to a file that is normally deleted in Vista and later Window OS.
68. Describe the differences of Recycle Bins among XP and Vista or later.
69. What is Windows prefetch technology and where the artifacts are located.
70. What artifacts a prefetch file can contain.
71. What are Scheduled Tasks and where are they stored in Windows 7 and later and Vista and previously.
72. What kind of information can be extracted from a task.
73. What are Jump lists, where are the located, what is their naming.
74. How data is stored inside the Jump lists.
75. Difference of AutomaticDestinations and CustomDestinations and how they are created.
76. When hibernation files are used.
77. What is Registry and how affects the operation of Windows.
78. How registry is structured.
79. What keys of which hives are affected when user plugs/unplugs a USB device.
80. At what key the USB device serial is found and when LastWriteTime of key is updated.
81. How can we determine that the Unique instance ID of the device is assigned by Windows.
82. How can you determine which letter and the volume GUID which was assigned to a USB device.
83. How can we determine when the device was first connected and last connected during one boot session
84. what is the drive signature where it is located.
85. How do I determine the Control Set being used by Windows.
86. What kind of information does the SYSTEM hive holds.
87. How you can find out if a software was installed on a Windows system based on analyzing Registry hive files.
88. Explain how you will find out the default program that is set to open specific file extensions.
89. What kind of network based information can be extracted from the Registry.
90. Describe most important artifacts of Scheduled tasks found at Registry.
91. Where are searches performed on the search bar are stored in Registry (Windows 7 and later)
92. What is the use of Shellbags in Windows and what keys are located at Windows XP and Windows Vista or later.
93. What is the forensic importance of MUICache key and where is located in the Registry.
94. What is the purpose of UserAssist keys, and what kind of information you can extract from them.
95. What are TypedPaths.
96. Every how many days Windows backups registry hives.
97. What is time stomping, and how can be detected?
98. Explain the FILETIME structure in windows, at what $MFT attributes exists.
99. What kind of information the subkey TypedURLS contains and where it is located in the registry.
100. What types of devices exist in Linux and where they reside.
101. How in Linux can you work with images.
102. How FUSE works.
103. How to mount images in Linux.
104. Explain the forensic implications of a hard link and a soft link.
105. Difference between static and dynamic linking of binaries.
106. Explain the setuid mechanism used in Linux.
107. Where to check for persistence in Linux.
108. Where to check for persistence in Windows.
109. What is Domain fast-flux attack.
110. How can you correlate user SID with Username in Windows.