Remember that you must enter the answers to your questions in Canvas. This file has been provided to allow
you to perform the hands-on tasks before starting the Canvas quiz. Also remember that this is a test, and you
are required to do your own work. It’s open book and open note, but you must NOT collaborate with any other
students, or receive outside assistance.
1. This is a "real" test, which means you must do your own work. It's an open book test, so you can use any
resources such as books, your notes, or the computer. However, you must do your own work. This means
that you must not ask other students, instructors, acquaintances, paid consultants, Facebook friend s, etc.
for help. Any violations of the CBC Academic Honesty Policy will result in a failing grade for the course.
(NOTE - There are several question on this test that require looking up data, such as the speed of various
memory types. If you don't want to memorize this information you can look it up.)
If you use any Internet resources, make sure that you do NOT copy and paste information unless
instructed. You can use the Internet, but you must put all answers in your own words. You will receive no
credit for any answers with copied material.
The test must be completed by 11:59 on the due date to receive full credit. Late tests will be accepted, but
only for seven calendar days after the original due date. Late tests will automatically lose 10 points. La te
tests will not be accepted after 7 days and you will fail the class.
A. I agree
B. I disagree
2. What is Registry?
A. A hierarchical database used by every computer to store settings and data
B. A hierarchical database used by computers running Windows to store settings and data
C. A relational database used by every computer to store settings and data
D. A relational database used by computers running Windows to store settings and data
3. True or False. Any program that runs on Windows will store all of i t’s data in registry.
1. True
2. False
4. Which of the following methods can be used to add or change registry data?
1. Use regedit to manually create or edit a registry key
2. Use a program such as any application in Windows Control Panel
3. Write a program that uses one the registry API functions
4. All of the above
5. True or False. All of the data in registry is stored in files when Windows shuts down gracefully.
1. True
2. False
6. Which registry key holds the list of URLs the currently logged on user typed into Internet Explorer? (Note
- HK is an abbreviation for HKEY)
1. HK_CLASSES_ROOT\Software\Microsoft\Internet Explorer\TypedUrls
2. HK_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\TypedUrls
3. HK_CURRENT_CONFIG\Software\Microsoft\Internet Explorer\TypedUrls
4. HK_ USERs\Software\Microsoft\Internet Explorer\TypedUrls
5. HK_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedUrls
6. None of the above
April 29, 2018
7. Which registry key would you use to discover the SID associated with a particular user? (Note - HK is an
abbreviation for HKEY)
1. HK_LOCAL_MACHINE\SAM\Domains\Users
2. HK_LOCAL_MACHINE\SAM\Domains\Account\Users
3. HK_LOCAL_MACHINE\SAM\Domains\SIDList
4. HK_LOCAL_MACHINE\SAM\Domains\Account\SIDList
5. HK_LOCAL_MACHINE\SAM\Domains\Account\Users\SIDList
6. None of the above
8. What of the following web sites contains an easy to use reference of every registry key?
1. MSDN (Microsoft Developer Network)
2. Registrywiki.org
3. Forensicswiki.org
4. Wikipedia.org
5. None of the above
9. Which of the following is true regarding the different versions of Microsoft Windows and the registry
hives, keys and values?
1. There have been no changes to the registry hives, keys or values between versions of Windows
2. Each version of Windows uses a completely different set of registry hives , keys and values
3. Each time Microsoft releases a new version of Windows they have tried to maintain the structure
of registry as much as possible. However there have been some situations where changes were
necessary and had to be made
4. Each time Microsoft releases a new version of Windows they kept the main registry hives but a
majority of the keys change in each release.
10. Which of the following is true regarding the different versions of Microsoft Windows and the files used to
store registry?
1. There have been no changes to the files between versions of Windows
2. Each version of Windows uses a completely different set of registry files
3. There were major changes introduced with Windows 7. That is, the file names and locations are
significantly different between Windows 7 and Vista.
4. There were major changes introduced with Windows Vista. That is, the file names and locations
are significantly different between XP and Vista.
5. There were major changes introduced with Windows XP. That is, the file names and locations are
significantly different between XP and Windows 98.
11. Which of the main registry hives holds information about extensions of all registered file types, OLE
objects and COM servers? Other hives may hold small pieces of this information, however you should
choose the hive whose main purpose is to hold this information.
1. HKEY_CLASSES_ROOT
2. HKEY_CURRENT_USER
3. HKEY_LOCAL_MACHINE
4. HKEY_USERS
5. HKEY_CURRENT_CONFIG
6. None of the above
12. Which of the main registry hives stores settings which are specific to the currently logged-in user (Windows
Start menu, desktop, etc.)?
1. HKEY_CLASSES_ROOT
2. HKEY_CURRENT_USER
3. HKEY_LOCAL_MACHINE
April 29, 2018
4. HKEY_USERS
5. HKEY_CURRENT_CONFIG
6. None of the above
13. Which of the main registry hives holds information about installed applications, settings; along with
information about any hardware that has ever been connected to the computer including the type of bus,
total size of available memory, list of currently loaded device drivers and information about Windows
startup?
1. HKEY_CLASSES_ROOT
2. HKEY_CURRENT_USER
3. HKEY_LOCAL_MACHINE
4. HKEY_USERS
5. HKEY_CURRENT_CONFIG
6. None of the above
14. In Windows XP and later, what is the name of the main registry hive that holds dynamic data such as the
current CPU usage?
1. HKEY_CLASSES_ROOT
2. HKEY_CURRENT_USER
3. HKEY_LOCAL_MACHINE
4. HKEY_USERS
5. HKEY_CURRENT_CONFIG
6. None of the above
15. True or False. All of the information in HKEY_LOCAL_MACHINE is stored in the SYSTEM file when
Windows shuts down.
1. True
2. False
16. True or False. The information in HKEY_CURRENT_CONFIG is actually part of
HKEY_LOCAL_MACHINE, so it is not stored in a separate file when Windows shuts down.
1. True
2. False
17. Which of the following is true regarding the data in HKEY_CURRENT_USER? (You can assume
Windows Vista and later).
1. The information is always stored in %UserProfile%\Users\UserName\NTUser.Dat
2. The information is always stored in %UserProfile%\Users\AppData\UserName\NTUser.Dat
3. The information is stored in %UserProfile%\Users\UserName\NTUser.Dat unless the user account
is an Active Directory (network) account set up for roaming. In this case the information will be
stored in the NTUser.Dat in the user’s home directory on the network.
4. The information is stored in %UserProfile%\Users\UserName\AppData\NTUser.Dat unless the
user account is an Active Directory (network) account set up for roaming. In this case the
information will be stored in the NTUser.Dat in the user’s home directory on the network.
18. Which of the following files holds information about all installed programs and their settings? (You can
assume Windows Vista and later)
1. SAM
2. SECURITY
3. SOFTWARE
4. SYSTEM
April 29, 2018
5. PROGRAMS
19. Assume you are using regedit. Which of the following subhives will you be unable to view? (Hint - there
are multiple answers)
1. SAM
2. SECURITY
3. SOFTWARE
4. SYSTEM
5. PROGRAMS
20. Which of the main registry hives holds the settings and data for any user that has ever been created on the
computer?
A. HKEY_CLASSES_ROOT
B. HKEY_CURRENT_USER
C. HKEY_LOCAL_MACHINE
D. HKEY_USERS
E. HKEY_CURRENT_CONFIG
F. None of the above
21. Which of the following files holds the information about user accounts such as usernames, login times,
etc.? (You can assume Windows Vista and later)
A. SAM
B. SECURITY
C. SOFTWARE
D. SYSTEM
E. PROGRAMS
22. Why does Windows prevent regedit from displaying the information in the protected subhives?
A. To prevent users from overclocking the CPU or making other unauthorized and potentially
hazardous changes to hardware
B. To prevent users from making changes to their Windows licensing information
C. To prevent users from viewing information about user passwords and encrypted files and folders
D. None of the above
23. True or False. If the AccessData Registry Viewer is installed, it can be started from within FTK to read
registry files from the current case, or it can be run separately from FTK to read files external to a case .
A. True
B. False
24. Assume you have copies of the registry files, SAM, SECURITY, etc. In other words these files are NOT
in an image. Which program would you use to inspect the files?
A. FTK
B. FTK Imager
C. AccessData Registry Viewer
D. Regedit
E. Any of the above
25. Where does Windows store copies of registry made with the System Restore utility?
A. %SystemRoot%\Repair
April 29, 2018
B. %SystemRoot%\System32\config\RegBack (or %SystemRoot%\Repair for XP and older)
C. %SystemRoot%\RegBack (or %SystemRoot%\Repair for XP and older)
D. %SystemRoot%\$NTRestore
E. %SystemRoot%\$NTSysRestore
26. Use the image stringsTest2Image.AD1 to answer this question. What is the MD5 hash value for the image? Hint - use FTK Imager to view the MD5 digest value.
A. e4e732d5cfd795855a31ee74820d09f3 B. 43b34a4edaa34fa23b8a26da2245b45 C. 7c138f146b63416734dc376d8cb7c4a0 D. ead2d7516987edd3413bbbb31c4e333 E. None of the above
27. Use the image stringsTest1Image.AD1 to answer this question. Which file contains a list of stolen credit card numbers? Enter your answer in the same case as the actual file. Hint – search for the credit card pattern.
28. Use the image stringsTest1Image.AD1 to answer this question. Which file contains a list of usernames and passwords? Enter your answer in the same case as the actual file. Hint – search for the words “username” and
“password”
29. Use the image stringsTest1Image.AD1 to answer this question. Which file contains a list of stolen social security numbers? Enter your answer in the same case as the actual file.
30. Use the image stringsTest1Image.AD1 to answer this question. What is the correct file extension (or file type) for the file you found in the previous question?
A. .doc (word document) B. .xls (excel speadsheet) C. .rtf (rich text format) D. .txt (plain text document)
31. Use the image nixonSmall.E01 to answer this question . What is the total number of files in the image? Write your answer as a number, not a word. For example, if there are 4 files write 4, not four.
32. Use the image nixonSmall.E01 to answer this question . How many files have the wrong extension? Write your answer as a number, not a word. For example, if there are 4 files write 4, not four.
33. Use the image nixonSmall.E01 to answer this question. What is the correct file type for the file acceptance test list.mp3?
A. Executable File B. GIF File C. Word Document D. Excel Spreadsheet E. Database File F. Adobe Photoshop File G. JPEG/JFIF File H. ZIP Archive I. Hypertext Document J. Bitmap File K. PowerPoint File L. PDF File M. Plain Text File
34. Use the image nixonSmall.E01 to answer this question. What is the correct file type for the file careers1.txt? A. Executable File
April 29, 2018
B. GIF File C. Word Document D. Excel Spreadsheet E. Database File F. Adobe Photoshop File G. JPEG/JFIF File H. ZIP Archive I. Hypertext Document J. Bitmap File K. PowerPoint File L. PDF File M. Plain Text File
35. Use the image nixonSmall.E01 to answer this question. The files acceptance test list.mp3 and careers1.txt are both in the same user’s home directory. Which user is this?
A. Nixon B. Chucky C. Colonel Palmer D. Sandman E. Marko
36. Use the image nixonSmall.E01 to answer this question. Which user has the SID 1005? A. chucky B. nixon C. sandman D. Administrator E. None of the above
37. Use the image nixonSmall.E01 to answer this question. When was the last time the user nixon logged onto the system? (You can leave the time in UTC format, you don’t have to convert to local time)
A. 3/19/2014 13:53:47 UTC B. 3/19/2014 13:36:16 UTC C. 3/19/2014 13:53:450 UTC D. 11/12/2013 12:21:03 UTC
38. Use the files in the folder domex to answer this question. How many total user accounts are there? (Include all of the accounts including Administrator, Guest etc. but NOT the alias in your answer.)
39. Use the files in the folder domex to answer this question. What is the SID for the user domex2?
40. Use the files in the folder domex to answer this question. What is the Login Count for the user Administrator?
41. Use the files in the folder domex to answer this question. What time zone is Windows set to use? A. Eastern B. Central C. Mountain D. Pacific
42. Use the files in the folder domex to answer this question. Which of the following URLs did the user domex2 type in Internet Explorer?
A. http://www.google.com B. http://www.hotmail.com C. http://www.gmail.com D. All of the above
April 29, 2018