Term
| Systems, users, applications and hardware in Windows make use of what to store their configuration, which is constantly accessed for reference during their operation? |
|
Definition
|
|
Term
| What kind of database is the Windows Registry? |
|
Definition
|
|
Term
| Describe The Windows Registry |
|
Definition
| Central Repository For Configuration Data |
|
|
Term
| What is another way of saying that information could be helpful for forensic examiners? |
|
Definition
| Potential Evidential Value |
|
|
Term
| How are settings referenced in a hierarchical structure? |
|
Definition
| Using paths similar to file paths in Windows. |
|
|
Term
| What are computer accounts, user accounts, groups and other security related objects? |
|
Definition
|
|
Term
|
Definition
|
|
Term
| What does a SID always start with? |
|
Definition
|
|
Term
| What is the first number in a SID? |
|
Definition
|
|
Term
| What is the Second Number in a SID? |
|
Definition
| Indicates the identifier authority |
|
|
Term
| What does 5 as an identifier authority usually represent? |
|
Definition
|
|
Term
| What are numbers that uniquely identify objects such as computers, program components, and devices? |
|
Definition
|
|
Term
| What Does GUID stand for? |
|
Definition
| Globally Unique Identifiers |
|
|
Term
| How are GUIDs structured? |
|
Definition
16‐byte hexadecimal numbers in groups of 4, 2, 2, 2, and 6 bytes.
A dash divides each group of digits, and curly brackets enclose the whole number. |
|
|
Term
| What Are The 5 Root Keys? |
|
Definition
HKEY_CLASSES_ROOT (HKCR)
HKEY_CURRENT_USER (HKCU)
HKEY_LOCAL_MACHINE (HKLM)
HKEY_USERS (HKU)
HKEY_CURRENT_CONFIG (HKCC) |
|
|
Term
|
Definition
| Windows Explorer cannot see inside the registry, so we have to use it to see file rootkeys. |
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
| Key in Registry Structure is similar to what in a Windows File System? |
|
Definition
|
|
Term
| Value in Registry Structure is similar to what in a Windows File System? |
|
Definition
|
|
Term
| Value Name in Registry Structure is similar to what in a Windows File System? |
|
Definition
|
|
Term
| Type in Registry Structure is similar to what in a Windows File System? |
|
Definition
|
|
Term
| Data in Registry Structure is similar to what in a Windows File System? |
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
| Contains Information On Installed Hardware and Software |
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
| What are registry branches stored in unique files? |
|
Definition
|
|
Term
| Hives are specific branches in what two Root Keys? |
|
Definition
| HKEY_USERS and HKEY_LOCAL_MACHINE |
|
|
Term
|
Definition
Extension Description: Hive File |
|
|
Term
|
Definition
Extension Description: In Windows 2000, System.alt is a back-up of the System hive file. |
|
|
Term
|
Definition
Extension Description: Transaction log of changes to a hive. |
|
|
Term
|
Definition
Extension Description: Copy of a hive file made at the end of the text mode phase of the Windows set-up program. |
|
|
Term
| What is a collection of files containing system and user information? |
|
Definition
|
|
Term
| What is a Windows utility for viewing and modifying data in the Registry? |
|
Definition
|
|
Term
| What is a category of a registry? |
|
Definition
|
|
Term
| What are folders inside of a HKEY? |
|
Definition
|
|
Term
| What is a key displayed under another key? |
|
Definition
|
|
Term
| What is a key and its contents, including subkeys? |
|
Definition
|
|
Term
| What is a name and data in a key? |
|
Definition
|
|
Term
| What is the abbreviation for most-recently-used? |
|
Definition
|
|
Term
What is the function of this key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidMRU (\OpenSaveMRU in XP) |
|
Definition
| Maintains a list of recently opened or saved files via typical Windows Explorer‐style common dialog boxes. |
|
|
Term
What is the function of this key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidMRU (\LastVisitedMRU in XP) |
|
Definition
| Correlates to the previous OpenSaveMRU key to provide extra information. |
|
|
Term
Each binary registry value under the following key contains what?:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidMRU (\LastVisitedMRU in XP) |
|
Definition
| The executable filename of a recently used program, and the folder path of the file that the program was used to open or save. |
|
|
Term
What does the following key maintain:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs |
|
Definition
| List of files recently executed or opened through Windows Explorer. |
|
|
Term
What does the following key correspond to:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs |
|
Definition
| %USERPROFILE%\Recent (My Recent Documents). |
|
|
Term
What does the following key maintain:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU |
|
Definition
| A list of entries executed using the Start>Run commands. |
|
|
Term
| What does the MRUList value maintain? |
|
Definition
| A list of letters that refer to the respective values. The letters are arranged according to the order in which the entries were added. |
|
|
Term
What does the following key contain:
HKCU\Software\Microsoft\Internet Explorer\TypedURLs |
|
Definition
| Listing of 25 recent URLs (or file paths) that were typed in the Internet Explorer (IE) or Windows Explorer address bar. |
|
|
Term
What does the following key maintain:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management |
|
Definition
| Windows virtual memory (paging file) configuration. |
|
|
Term
What does the following key contain:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management |
|
Definition
| A registry value called ClearPagefileAtShutdown. |
|
|
Term
What specifies whether Windows should clear the paging file when the computer shuts down?
What file should a forensic investigator always check before shutdown during evidence collection? |
|
Definition
|
|
Term
What is each subkey in the following key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall |
|
Definition
| An installed program on the computer. |
|
|
Term
| All programs listed in Control Panel>Add/Remove Programs correspond to one of the listed subkeys for what Registry Key? |
|
Definition
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall |
|
|
Term
Each subkey of the following registry key contains what?:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall |
|
Definition
| DisplayName and UninstallString |
|
|
Term
| What is the file path for a file's uninstall program? |
|
Definition
|
|
Term
What does this key contain:
HKLM\SYSTEM\MountedDevices |
|
Definition
|
|
Term
What does this key contain:
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR |
|
Definition
| List of mounted USB storage devices |
|
|
Term
| What is a tool that automates the viewing of USB device history for Windows 2000/XP/2003/Vista systems that can recover the device name, description, last plug/unplug date & time, and serial number? |
|
Definition
|
|