What happens to data in RAM when a Windows system goes into Hibernation?

$($CLO$6,$ MLO$5$E$)$

Question $1$ options:

a$)$

It is overwritten by HIBERFIL.SYS$.$

b$)$

It is rearranged in RAM.

c$)$

It begins to disappear.

d$)$

It is written to the hard drive.

Question $2($Mandatory$)(1$ point$)$

Listen

Simply put, what is the Windows registry?

$($CLO$6,$ MLO$5$A$)$

Question $2$ options:

a$)$

A database for Windows configuration files

b$)$

A process which tracks the user's Internet history

c$)$

An area of memory which the CPU interacts with directly

d$)$

A hierarchal structure of Windows artifact files

Question $3($Mandatory$)(1$ point$)$

Listen

What Windows artifact links a user's account to a particular action?

$($CLO$6,$ MLO$5$F$)$

Question $3$ options:

a$)$

The Date and Time Stamps

b$)$

The Administrator Privilege

c$)$

The Security Identifier

d$)$

The Bitstream Image Hash

Question $4($Mandatory$)(1$ point$)$

Listen

What is NOT true about a spool file?

$($CLO$6,$ MLO$5$B$)$

Question $4$ options:

a$)$

It remains in the computer for a long time

b$)$

It shows the computer name

c$)$

It shows the printer name

d$)$

It shows the user account that sent the job

Question $5($Mandatory$)(1$ point$)$

Listen

Why is recycling bin one of the first places forensic examiner checks for evidence?

$($CLO$6,$ MLO$5$C$)$

Question $5$ options:

a$)$

It contains metadata about files in slack space

b$)$

Some users believe files are deleted when placed there

c$)$

It is the final resting place for all deleted files

d$)$

Deleted and overwritten files are always sent through it

Question $6($Mandatory$)(1$ point$)$

Listen

What is Metadata?

$($CLO$6,$ MLO$5$D$)$

Question $6$ options:

a$)$

Data about data

b$)$

Time and Date data

c$)$

The data about file creation

d$)$

Windows artifact data

Question $7($Mandatory$)(1$ point$)$

Listen

Windows Restore Points are files that

$($CLO$6,$ MLO$5$E$)$

Question $7$ options:

a$)$

Contain future source data for number of times a system will be restored.

b$)$

Contain previous system and configuration settings

c$)$

Contain metadata about the system registry

d$)$

Are only used when Windows crashes.

Question $8($Mandatory$)(1$ point$)$

Listen

A file that shows if an application was run or installed on a system is called

$($CLO$6,$ MLO$5$F$)$

Question $8$ options:

a$)$

The installer file

b$)$

The thumbnail file

c$)$

The shadow copy file

d$)$

The prefetch file

Question $9($Mandatory$)(1$ point$)$

Listen

One issue with Date and Time stamps is

$($CLO$6,$ MLO$5$F$)$

Question $9$ options:

a$)$

They are limited to EST Time Zone

b$)$

They contain unnecessary metadata

c$)$

They are only updated on file modifications

d$)$

They can be spoofed or modified easily

Question $10($Mandatory$)(1$ point$)$

Listen

If a thumbnail is found, but not the image file, it can be concluded that

$($CLO$6,$ MLO$5$D$)$

Question $10$ options:

a$)$

The image was hosted in cloud storage

b$)$

The image never existed

c$)$

The image once existed on the system

d$)$

The image was downloaded remotely