Windows Swap File Quiz

Questions and Answers

Which area of memory is the most dynamic during a process?

• Stack (S)
• Cache memory
• Volatile memory
• Heap (H) (correct)

Which tool is used to display operating system details?

• PsLoggedOn
• ListDLLs
• PsInfo (correct)
• Netstat

What type of data can exist between function calls?

• Loaded DLLs
• Cache memory
• Heap (H) data (correct)
• Network connections

Which tool is used to show loaded DLLs?

ListDLLs (A)

What forensic technique involves analyzing volatile memory?

Live-system forensic technique (C)

Which utility is used to view network connections?

Netstat (D)

Which component of a computer system is referred to as x86?

Boot Loader (C)

What does the BIOS stand for in a computer system?

Basic Input/Output System (D)

Which file is responsible for loading the Windows Registry during the boot process?

Winlogon.exe (C)

How many gigabytes (GB) of RAM is a computer system limited to with 32-bit addresses?

4 GB (C)

Which action is performed on volatile data during a forensic analysis?

Compute the hash (C)

Which component is responsible for displaying the graphical user interface (GUI) in Windows?

Explorer.exe (C)

What happens to the original permissions of files and folders when they are cut and pasted on the same partition?

They are retained (A)

In Windows, what does the File Accessed Date indicate?

The last date the file was opened or accessed (A)

What does the term 'MAC' refer to in the context provided?

Mandatory Access Control (A)

Which property does the File Created Date represent in Windows?

The date the file came into existence on the volume (B)

When copying and pasting files on the same partition in Windows, what permissions do the files and folders inherit?

Original permissions (A)

What does the Modified Date of a file in Windows indicate?

A change to the contents of the file itself (C)

What is the purpose of the Windows Swap File?

To augment random access memory (RAM) (B)

What is the typical extension for the Windows Swap File before Windows XP?

.swp (C)

Which file in Windows is related to the swap file and can be processed with Volatility?

hiberfil.sys (A)

What does the Volume Shadow Copy service do in Windows?

Keeps a record of state changes (C)

Which type of files contain information about events and activities in Windows?

.log files (A)

What is used to view log files in Windows?

Event Viewer (D)

Which part of the Windows Registry is responsible for storing information related to the currently logged-in user?

HKEY_CURRENT_USER (HKCU) (A)

Which Windows Registry section contains configuration details applicable to all users on the system?

HKEY_LOCAL_MACHINE (HKLM) (B)

What type of information is typically stored in the Amcache section of the Windows Registry?

Uninstalled software (A)

What is the purpose of the Shimcache within the Windows Registry?

To speed up application loading times (D)

Which area of the Windows Registry contains details about hardware configuration?

The Registry: BAM (A)

Where can one find information about USB devices in the Windows Registry?

HKEY_CURRENT_CONFIG (HCU) (C)

Which tool is specifically used to display login information during a volatile memory analysis?

PsInfo (A)

During volatile memory analysis, which memory area is identified as the most dynamic during a process?

Heap (H) (A)

Which utility tool is utilized to provide details on network connections during forensic investigations?

Netstat (C)

What type of data can exist between function calls in a memory analysis?

Heap data (A)

Which tool is primarily responsible for showing loaded DLLs during a memory analysis procedure?

ListDLLs (C)

In volatile memory forensics, what is the significance of last-in, first-out allocation with regard to data?

Data is accessed based on its last modification time. (D)

Where is information related to all users on a Windows system stored in the Windows Registry?

HKEY_USERS (C)

What type of information is typically found in the Amcache section of the Windows Registry?

Wireless networks (D)

Which component in a computer system is responsible for displaying the graphical user interface (GUI) in Windows?

BIOS (D)

What is the purpose of the Shimcache within the Windows Registry?

Keeping a record of loaded DLLs (C)

Which specific component within the Windows Registry contains details about hardware configuration?

HKLM (D)

What type of files contain information about events and activities in Windows?

.log files (D)

Which Windows feature allows a user to encrypt specific files and folders?

Encrypted File System (EFS) (A)

What is the maximum number of bytes that a 64-bit processor can address?

18,446,744,073,709,551,616 bytes (B)

In Windows, what component is responsible for displaying the graphical user interface (GUI)?

Cortana (C)

Which Windows function supports the analysis of volatile memory?

64-Bit Processing (D)

What Windows feature allows users to view network connections?

Edge browser (D)

Where is the Windows Swap File typically found in a Windows system?

In the Windows root directory (D)

What kind of artifacts might be found in the Windows Swap File?

Password artifacts from recently run applications (A)

Which Windows service keeps a record or copy of state changes?

Volume Shadow Copy service (B)

What type of information do Windows Log Files typically contain?

Information about events and activities in Windows (C)

How can the Volume Shadow Copy data be compared daily?

By using a specific Windows service (B)

What is the relationship between hiberfil.sys and the swap file in Windows systems?

'hiberfil.sys' is another name for the swap file (B)

What property does the File Modified Date in Windows indicate?

There has been a change to the file itself (C)

When cutting and pasting (moving) files and folders in Windows on the same partition, what happens to their original permissions?

They retain the original permissions (C)

What do files and folders do when copied and pasted on the same partition in Windows?

They inherit the rights of the folder they are being copied to (B)

In Windows, what does the File Accessed Date indicate?

The file was last accessed (A)

What is one of the critical properties that MAC refers to as per the text provided?

The Registry (D)

What does copying and pasting files and folders within Windows on the same partition imply for their permissions?

'Inherit' rights of the folder they are being copied to (C)

What is the primary function of Volume Shadow Copy in Windows?

Maintaining a copy of state changes (B)

Which file in a Windows system can potentially contain password artifacts from recently run applications?

hiberfil.sys (B)

What distinguishes the Windows Swap File from Volume Shadow Copy?

Acts as virtual memory augmentation (A)

Which tool can be used to convert the Windows Swap File into an image file for analysis?

Volatility (B)

What is the main purpose of the hiberfil.sys file in Windows systems?

Support hibernation functionality (A)

Which Windows component is not primarily responsible for displaying the graphical user interface (GUI)?

Windows Defender (B)

What is the significance of x64 in Windows systems?

Supports 64-bit processing (B)

Which feature of Windows is NOT related to volatile data in forensic analysis?

Universal apps (D)

What is the key purpose of the Windows Swap File?

Act as virtual memory extension (B)

Which version of Windows is NOT mentioned as supporting 64-bit processing?

Windows XP (B)

Where are 32-bit programs typically installed in a 64-bit Windows system?

C:\Program Files (A)

What issue is NOT addressed when considering pertinent aspects of Windows for forensics?

RAM speed optimization (A)

What type of information can be found in the Index.dat files in Windows?

Web addresses (D)

In Windows forensics, what does Full-text indexing allow investigators to do?

Search the entire image for specific words in seconds (C)

What is the purpose of Alternate Data Streams (ADS) in Windows forensics?

Attaching one file to another in NTFS (B)

Where can a user find profile information, documents, and pictures for all users on a Windows system?

C:\Users (B)

What type of information can be located using AccessData's Forensic Toolkit (FTK) in Windows forensics?

Unallocated space details (B)

What does the Shimcache in the Windows Registry primarily store information about?

ShellBag (B)

In Windows systems, what critical data can be analyzed from the BAM component of the Windows Registry?

User activity (C)

When analyzing the Prefetch data within the Windows Registry, what type of information can be extracted?

Configuration details applicable to all users (C)

What is the primary purpose of the SRUM component in the Windows Registry?

To track system resource usage (A)

What is the main function of the Amcache section in the Windows Registry?

Store information about events and activities (A)

Which area is referred to as x86 within a computer system?

HKEY_LOCAL_MACHINE (HKLM) (A)

What does the PsLoggedOn tool provide information about in a Windows system?

Login information (A)

Which area of memory is known for being the most dynamic during a process according to the text?

Heap (H) (B)

What is the primary purpose of the netstat utility as mentioned in the provided text?

Listing network connections (D)

Which tool among those listed is specifically used for displaying information about processes in a Windows system?

PsList (D)

In volatile memory forensics, what type of data can exist between function calls?

Heap (H) data (C)

Which utility tool is used to provide details on network connections during forensic investigations?

Netstat (B)