Forensics Fundamentals Multiple Choice Questions 1-25

April 29, 2018

Remember that you must enter the answers to your questions in Canvas. This file has been provided to allow

you to perform the hands-on tasks before starting the Canvas quiz. Also remember that this is a test, and you

are required to do your own work. It’s open book and open note, but you must NOT collaborate with any other

students, or receive outside assistance.

 

1. This is a “real” test, which means you must do your own work. It’s an open book test, so you can use any

resources such as books, your notes, or the computer. However, you must do your own work. This means

that you must not ask other students, instructors, acquaintances, paid consultants, Facebook friend s, etc.

for help. Any violations of the CBC Academic Honesty Policy will result in a failing grade for the course.

(NOTE – There are several question on this test that require looking up data, such as the speed of various

memory types. If you don’t want to memorize this information you can look it up.)

If you use any Internet resources, make sure that you do NOT copy and paste information unless

instructed. You can use the Internet, but you must put all answers in your own words. You will receive no

credit for any answers with copied material.

 

The test must be completed by 11:59 on the due date to receive full credit. Late tests will be accepted, but

only for seven calendar days after the original due date. Late tests will automatically lose 10 points. La te

tests will not be accepted after 7 days and you will fail the class.

A. I agree

B. I disagree

 

2. What is Registry?

A. A hierarchical database used by every computer to store settings and data

B. A hierarchical database used by computers running Windows to store settings and data

C. A relational database used by every computer to store settings and data

D. A relational database used by computers running Windows to store settings and data

 

3. True or False. Any program that runs on Windows will store all of i t’s data in registry.

1. True

2. False

 

4. Which of the following methods can be used to add or change registry data?

1. Use regedit to manually create or edit a registry key

2. Use a program such as any application in Windows Control Panel

3. Write a program that uses one the registry API functions

4. All of the above

 

5. True or False. All of the data in registry is stored in files when Windows shuts down gracefully.

1. True

2. False

 

6. Which registry key holds the list of URLs the currently logged on user typed into Internet Explorer? (Note

– HK is an abbreviation for HKEY)

1. HK_CLASSES_ROOT\Software\Microsoft\Internet Explorer\TypedUrls

2. HK_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\TypedUrls

3. HK_CURRENT_CONFIG\Software\Microsoft\Internet Explorer\TypedUrls

4. HK_ USERs\Software\Microsoft\Internet Explorer\TypedUrls

5. HK_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedUrls

6. None of the above

 

 

 

April 29, 2018

7. Which registry key would you use to discover the SID associated with a particular user? (Note – HK is an

abbreviation for HKEY)

1. HK_LOCAL_MACHINE\SAM\Domains\Users

2. HK_LOCAL_MACHINE\SAM\Domains\Account\Users

3. HK_LOCAL_MACHINE\SAM\Domains\SIDList

4. HK_LOCAL_MACHINE\SAM\Domains\Account\SIDList

5. HK_LOCAL_MACHINE\SAM\Domains\Account\Users\SIDList

6. None of the above

 

8. What of the following web sites contains an easy to use reference of every registry key?

1. MSDN (Microsoft Developer Network)

2. Registrywiki.org

3. Forensicswiki.org

4. Wikipedia.org

5. None of the above

 

9. Which of the following is true regarding the different versions of Microsoft Windows and the registry

hives, keys and values?

1. There have been no changes to the registry hives, keys or values between versions of Windows

2. Each version of Windows uses a completely different set of registry hives , keys and values

3. Each time Microsoft releases a new version of Windows they have tried to maintain the structure

of registry as much as possible. However there have been some situations where changes were

necessary and had to be made

4. Each time Microsoft releases a new version of Windows they kept the main registry hives but a

majority of the keys change in each release.

 

10. Which of the following is true regarding the different versions of Microsoft Windows and the files used to

store registry?

1. There have been no changes to the files between versions of Windows

2. Each version of Windows uses a completely different set of registry files

3. There were major changes introduced with Windows 7. That is, the file names and locations are

significantly different between Windows 7 and Vista.

4. There were major changes introduced with Windows Vista. That is, the file names and locations

are significantly different between XP and Vista.

5. There were major changes introduced with Windows XP. That is, the file names and locations are

significantly different between XP and Windows 98.

 

11. Which of the main registry hives holds information about extensions of all registered file types, OLE

objects and COM servers? Other hives may hold small pieces of this information, however you should

choose the hive whose main purpose is to hold this information.

1. HKEY_CLASSES_ROOT

2. HKEY_CURRENT_USER

3. HKEY_LOCAL_MACHINE

4. HKEY_USERS

5. HKEY_CURRENT_CONFIG

6. None of the above

 

12. Which of the main registry hives stores settings which are specific to the currently logged-in user (Windows

Start menu, desktop, etc.)?

1. HKEY_CLASSES_ROOT

2. HKEY_CURRENT_USER

3. HKEY_LOCAL_MACHINE

 

 

April 29, 2018

4. HKEY_USERS

5. HKEY_CURRENT_CONFIG

6. None of the above

 

13. Which of the main registry hives holds information about installed applications, settings; along with

information about any hardware that has ever been connected to the computer including the type of bus,

total size of available memory, list of currently loaded device drivers and information about Windows

startup?

1. HKEY_CLASSES_ROOT

2. HKEY_CURRENT_USER

3. HKEY_LOCAL_MACHINE

4. HKEY_USERS

5. HKEY_CURRENT_CONFIG

6. None of the above

 

 

14. In Windows XP and later, what is the name of the main registry hive that holds dynamic data such as the

current CPU usage?

1. HKEY_CLASSES_ROOT

2. HKEY_CURRENT_USER

3. HKEY_LOCAL_MACHINE

4. HKEY_USERS

5. HKEY_CURRENT_CONFIG

6. None of the above

 

15. True or False. All of the information in HKEY_LOCAL_MACHINE is stored in the SYSTEM file when

Windows shuts down.

1. True

2. False

 

16. True or False. The information in HKEY_CURRENT_CONFIG is actually part of

HKEY_LOCAL_MACHINE, so it is not stored in a separate file when Windows shuts down.

1. True

2. False

 

17. Which of the following is true regarding the data in HKEY_CURRENT_USER? (You can assume

Windows Vista and later).

1. The information is always stored in %UserProfile%\Users\UserName\NTUser.Dat

2. The information is always stored in %UserProfile%\Users\AppData\UserName\NTUser.Dat

3. The information is stored in %UserProfile%\Users\UserName\NTUser.Dat unless the user account

is an Active Directory (network) account set up for roaming. In this case the information will be

stored in the NTUser.Dat in the user’s home directory on the network.

4. The information is stored in %UserProfile%\Users\UserName\AppData\NTUser.Dat unless the

user account is an Active Directory (network) account set up for roaming. In this case the

information will be stored in the NTUser.Dat in the user’s home directory on the network.

 

18. Which of the following files holds information about all installed programs and their settings? (You can

assume Windows Vista and later)

1. SAM

2. SECURITY

3. SOFTWARE

4. SYSTEM

 

 

April 29, 2018

5. PROGRAMS

 

19. Assume you are using regedit. Which of the following subhives will you be unable to view? (Hint – there

are multiple answers)

1. SAM

2. SECURITY

3. SOFTWARE

4. SYSTEM

5. PROGRAMS

 

20. Which of the main registry hives holds the settings and data for any user that has ever been created on the

computer?

A. HKEY_CLASSES_ROOT

B. HKEY_CURRENT_USER

C. HKEY_LOCAL_MACHINE

D. HKEY_USERS

E. HKEY_CURRENT_CONFIG

F. None of the above

 

 

21. Which of the following files holds the information about user accounts such as usernames, login times,

etc.? (You can assume Windows Vista and later)

A. SAM

B. SECURITY

C. SOFTWARE

D. SYSTEM

E. PROGRAMS

 

22. Why does Windows prevent regedit from displaying the information in the protected subhives?

A. To prevent users from overclocking the CPU or making other unauthorized and potentially

hazardous changes to hardware

B. To prevent users from making changes to their Windows licensing information

C. To prevent users from viewing information about user passwords and encrypted files and folders

D. None of the above

 

23. True or False. If the AccessData Registry Viewer is installed, it can be started from within FTK to read

registry files from the current case, or it can be run separately from FTK to read files external to a case .

A. True

B. False

 

24. Assume you have copies of the registry files, SAM, SECURITY, etc. In other words these files are NOT

in an image. Which program would you use to inspect the files?

A. FTK

B. FTK Imager

C. AccessData Registry Viewer

D. Regedit

E. Any of the above

 

25. Where does Windows store copies of registry made with the System Restore utility?

A. %SystemRoot%\Repair

 

 

April 29, 2018

B. %SystemRoot%\System32\config\RegBack (or %SystemRoot%\Repair for XP and older)

C. %SystemRoot%\RegBack (or %SystemRoot%\Repair for XP and older)

D. %SystemRoot%\$NTRestore

E. %SystemRoot%\$NTSysRestore

 

26. Use the image stringsTest2Image.AD1 to answer this question. What is the MD5 hash value for the image? Hint – use FTK Imager to view the MD5 digest value.

A. e4e732d5cfd795855a31ee74820d09f3 B. 43b34a4edaa34fa23b8a26da2245b45 C. 7c138f146b63416734dc376d8cb7c4a0 D. ead2d7516987edd3413bbbb31c4e333 E. None of the above

27. Use the image stringsTest1Image.AD1 to answer this question. Which file contains a list of stolen credit card numbers? Enter your answer in the same case as the actual file. Hint – search for the credit card pattern.

 

 

28. Use the image stringsTest1Image.AD1 to answer this question. Which file contains a list of usernames and passwords? Enter your answer in the same case as the actual file. Hint – search for the words “username” and

“password”

 

29. Use the image stringsTest1Image.AD1 to answer this question. Which file contains a list of stolen social security numbers? Enter your answer in the same case as the actual file.

 

30. Use the image stringsTest1Image.AD1 to answer this question. What is the correct file extension (or file type) for the file you found in the previous question?

A. .doc (word document) B. .xls (excel speadsheet) C. .rtf (rich text format) D. .txt (plain text document)

31. Use the image nixonSmall.E01 to answer this question . What is the total number of files in the image? Write your answer as a number, not a word. For example, if there are 4 files write 4, not four.

 

32. Use the image nixonSmall.E01 to answer this question . How many files have the wrong extension? Write your answer as a number, not a word. For example, if there are 4 files write 4, not four.

 

33. Use the image nixonSmall.E01 to answer this question. What is the correct file type for the file acceptance test list.mp3?

A. Executable File B. GIF File C. Word Document D. Excel Spreadsheet E. Database File F. Adobe Photoshop File G. JPEG/JFIF File H. ZIP Archive I. Hypertext Document J. Bitmap File K. PowerPoint File L. PDF File M. Plain Text File

 

34. Use the image nixonSmall.E01 to answer this question. What is the correct file type for the file careers1.txt? A. Executable File

 

 

April 29, 2018

B. GIF File C. Word Document D. Excel Spreadsheet E. Database File F. Adobe Photoshop File G. JPEG/JFIF File H. ZIP Archive I. Hypertext Document J. Bitmap File K. PowerPoint File L. PDF File M. Plain Text File

35. Use the image nixonSmall.E01 to answer this question. The files acceptance test list.mp3 and careers1.txt are both in the same user’s home directory. Which user is this?

A. Nixon B. Chucky C. Colonel Palmer D. Sandman E. Marko

 

36. Use the image nixonSmall.E01 to answer this question. Which user has the SID 1005? A. chucky B. nixon C. sandman D. Administrator E. None of the above

 

37. Use the image nixonSmall.E01 to answer this question. When was the last time the user nixon logged onto the system? (You can leave the time in UTC format, you don’t have to convert to local time)

A. 3/19/2014 13:53:47 UTC B. 3/19/2014 13:36:16 UTC C. 3/19/2014 13:53:450 UTC D. 11/12/2013 12:21:03 UTC

 

38. Use the files in the folder domex to answer this question. How many total user accounts are there? (Include all of the accounts including Administrator, Guest etc. but NOT the alias in your answer.)

 

39. Use the files in the folder domex to answer this question. What is the SID for the user domex2?

40. Use the files in the folder domex to answer this question. What is the Login Count for the user Administrator?

41. Use the files in the folder domex to answer this question. What time zone is Windows set to use? A. Eastern B. Central C. Mountain D. Pacific

 

42. Use the files in the folder domex to answer this question. Which of the following URLs did the user domex2 type in Internet Explorer?

A. http://www.google.com B. http://www.hotmail.com C. http://www.gmail.com D. All of the above

 

 

 

 

April 29, 2018