An operating system artifact can be defined as which of the following?
Operating system artifacts serve as information used by the computer to fulfill certain user- and system-specific requirements and needs.
A FAT file system stores date and time stamps in ___ , whereas the NTFS file system stores date and time stamps in ___ .
A FAT file system stores date and time stamps in local time while the NTFS file system stores date and time stamps in GMT.
The date and time of when a file was sent to the Recycle Bin can be found where?
When a file is sent to the Recycle Bin, the date and time of when the file was deleted is saved in the INFO2 file. If it is a Windows Vista Recycle Bin, the date and time when the file was deleted is saved in the $I index file that corresponds with the deleted file.
When a text file is sent to a pre-Windows Vista Recycle Bin, Windows changes the short file name of the deleted file to DC0.txt in the Recycle Bin. Select the best choice that explains the deleted file name.
When a file is sent to the Recycle Bin, Windows changes the short file name to D for Deleted, followed by the drive letter and the index number. The file extension for the deleted file remains the same.
When a document is opened, a link file bearing the document's file name is created in the ___ folder.
When a user opens a document, a link file bearing the document's file name is created in the Recent folder.
Link files are shortcuts or pointers to actual items. These actual items can be what?
Link files are shortcuts to a variety of items such as programs, documents, folders, and devices such as removable media.
In NTFS, information unique to a specific user is stored in the ___ file.
In NTFS, information unique to a specific user is stored in the NTUSER.DAT file.
In Windows XP or Windows Vista, by default, how many recently opened documents are displayed in the My Recent Documents or Recent Items folder?
By default, the My Recent Documents folder displays 15 recently opened documents; however, the actual folder may contain hundreds more.
Most of a user's desktop items on a Windows XP operating system would be located in the ___ directory.
A specific user's Desktop items are located in the path C:\Documents and Settings\%User%\Desktop in a Windows XP operating system.
Because this file will hold the contents of RAM when the machine is powered off, the ___ file will be the size of the system RAM and will be in the root directory.
When the system goes into hibernation, the contents of RAM are written to the file hiberfil.sys, which is the exact size of RAM and located in the root of the system drive.
Where can you find evidence of web-based email such as from MSN Hotmail or Google Gmail on a Windows XP system?
Evidence of web-based email is commonly viewed but not saved. Therefore, its contents may be found in the Temporary Internet Files folder, Unallocated Clusters, or the pagefile.sys and hiberfil.sys folders.
File names with the .url extension that direct web browsers to a specific website are located in which folder?
The Favorites folder contains link files that direct browsers to certain websites. These link files usually have a name that describes the website, followed by the .url extension.
Data about Internet cookies such as URL names, date and time stamps, and pointers to the actual location of the cookie is stored in:
Information about an Internet cookie, such as the URL name, date and time stamps, and pointers to the actual cookie, is stored in the index.dat file.
On a Windows 98 machine, which folder is the swap or page file contained in?
The swap file is saved as WIN386.SWP in a Windows 98 machine and as pagefile.sys in Windows XP.
When you are examining evidence that has been sent to a printer, which file contains an image of the actual print job?
The .spl, or spool, file contains an image of what is sent to the printer to be printed.
The two modes for printing in Windows are ___ and ___ .
The two printing modes in Windows are RAW and EMF.
Although the Windows operating system removed the EMF file upon a successful print job, the examiner may still recover the file as a result of a search on its unique header information in areas such as Unallocated Clusters or the swap file.
Even though Windows deletes the EMF file after a print job has been completed, EnCase may still be able to recover the file by doing a search of its unique header information.
The index.dat files are system files that store information about other files. They track date and time stamps, file locations, and name changes. Select the folder that does not contain an index.dat file.
The Recycle Bin does not contain an index.dat file; it contains the INFO2 file.