
Windows Registry Forensics | Coursera Quiz Answers

Infosec: Windows Registry Forensics Answers

Notice!
Always refer to the module on your for the most accurate and up-to-date information.

Quiz 1

1. The Windows Registry is defined as
  • Central relational database
  • SQL database
  • Central hierarchical database
  • Flat file
2. The Windows Registry replaced which type of file?
  • Link Files
  • Property lists
  • Log Files
  • Configuration and Initialization files
3. What information is NOT contained in the Windows Registry?
  • System Information
  • Application specific information
  • Disk structure information
  • user information
4. The Windows Registry can be useful for?
  • Determining the number of partitions on a drive
  • Determining cluster size
  • Validating findings through an investigation
  • looking up a phone number
5. Registry is important because it records?
  • installed programs
  • all of these
  • user account information
  • devices attached to the computer
6. The type of case you are investigating…
  • only matters if it is a Windows 7 computer
  • has nothing to do with the registry
  • will determine the type of information you are looking for
  • will NOT determine the type of information you are looking for
7. The Windows Registry contains
  • Sub-Keys
  • Data
  • All of these
  • Keys
  • Hives
  • Values
8. The registry hive files are pulled into memory, handle keys, and represented as
  • user Keys (UK)
  • Handle Keys (HK)
  • File Keys (FK)
  • Block Keys (BK)
9. Which Registry Key is only found on a live running system?
  • Security
  • Hardware
  • System
  • Sam
  • Software
10. Registry values can be in several different forms. Which is not a registry value form?
  • Binary Data
  • Hex Data
  • SL Data
  • String Data
11. The user specific registry files contained in the registry are?
  • PTUser.reg and user.Dat
  • NTUser.Dat and UsrClass.Dat
  • None of the above
  • Amcache and Sam
12. The system specific files contained within the registry are?
  • security
  • software
  • Sam
  • All of these
  • AmCache
  • system
13. The Sam, Security, Software, and System Registry files are located at
  • Volume root\Windows\Sam\config
  • Volume root\WindowsNT\system32\config
  • Volume root\system32\user\config
  • Volume root\Windows\system32\config
14. What are the two registry files that relate to a specific user?
  • NTUser.dat and Software
  • Sam and System
  • Sam and Security
  • NTUser.dat and USRClass.dat
15. Registry browser is a
  • Hex editor
  • Specialized tool used to view the Windows Registry
  • Registry hive sub-key
  • Older type of Windows registry prior to Windows 95
16. Which sub-key is used to determine the current control set?
  • Windows
  • Select
  • System
  • Microsoft
17. What registry hive file contains the time zone setting?
  • Sam
  • Software
  • System
  • Security
18. The Windows OS Version and Install date are contained in the __ registry hive?
  • Security
  • System
  • Software
  • Sam
19. Regarding the live Windows Registry, which two hive keys or sub keys only exist in the live registry?
  • Both A and B
  • HKEY_LOCAL_MACHINE-SAM SUBKEY
  • HKEY_LOCAL_MACHINE-HARDWARE SUBKEY
  • None of these
  • HKEY_LOCAL_MACHINE-SYSTEM SUBKEY
  • HKEY_CURRENT_USER
20. Which two Registry files are not accessible on a live running computer, as seen in Regedit?
  • Sam
  • Both Security and Software
  • security
  • software
  • system
  • Both Sam and security
21. What Registry sub key contains a list of recently used documents by file extension?
  • The Run Sub Once subkey
  • User Assist
  • The Run MRU subkey
  • Recent Docs subkey
22. The typed URL subkey contains:
  • Recently run applications
  • Search terms typed into Windows Explorer
  • Programs run at startup
  • Web Addresses typed into the Internet Explorer Address Bar
23. The values in which key are stored using ROT13
  • Run
  • User Assist
  • Recent Applications
  • Typed URLs
24. This sub key tracks recently used applications and may contain a record of the files that were opened with each application…
  • Run Once
  • User Assist
  • Recent Apps
  • Run MRU
25. This subkey tracks user-specific, persistent, applications that are set to run at start-up.
  • Run MRU
  • Recent Apps
  • Run
  • Run Once
26. This key tracks files that have been opened or saved within a Windows Open/Save dialog box. This includes web browsers and commonly used applications.
  • Run MRU
  • ComDlg32 OpenSavePidMRU
  • Recent Docs
  • Recent Apps
27. This key maintains a list of all the values typed into the Run box on the Start menu.
  • Run
  • Run MRU
  • WordWheel Query
  • Run Once
28. The subkey Typed Paths does what?
  • Keeps track of URL typed into the Internet Explorer Address Bar
  • Keeps track of Files, Directories, or programs accessed by typing a File path into Windows Explorer
  • comdlg 32
  • Runs at startup
29. Microsoft Office MRU are…
  • programs or applications launched through the Windows runbox
  • User-specific programs that are set to run at startup with no interaction from
  • Recently used Microsoft Office Documents
  • created when a user types a path to a directory, file, or application into Windows Explorer.
30. What subkey tracks user key word searches?
  • ComDlg32
  • Recent Apps
  • Run MRU
  • WordWheel Query
31. The SAM file stores what information?
  • Information about files and applications recently accessed by a user
  • information about the users internet accounts and browser history
  • Programs set to Run at startup by a user
  • information about each user such as login information, login password hashes, and group information
32. The Security identifier SID is comprised of 3 parts…
  • Issuing identifier-Domain authority-Machine identifier
  • Issuing authority- Machine/domain identifier- Relative identifier
  • user name – Profile path- User directory
  • All of the above
33. The Machine identifier of the local machine is found in the __ subkey
  • Users
  • Domains
  • Groups
  • Account
34. The relative identifier or RID identifies a?
  • User
  • Domain
  • Group
  • Machine
35. The Names subkey identifies the user’s name and __ ?
  • Relative Identifier
  • log on count
  • password hash
  • last logon time
36. The last logon time is stored in the _ subkey?
  • Names
  • Accounts
  • User
  • Domains
37. The V value of the users subkey contains?
  • last logon date and time
  • number of failed logons
  • username and password hash
  • log on count
38. What is the function of the RunMRU subkey in the Software Hive File?
  • all of the above
  • This key maintains a list of all the values typed into the Run box on the Start menu
  • This key tracks user searches
  • This key shows programs that run at startup
39. The OpenSavePidMRU sub-key, which is a sub-key of Comdlg 32 tracks … ?
  • User logon information and last logged on user
  • AutoStart locations
  • values typed into the Run box on the Start menu
  • A specific executable used to open the files
40. Information indicating the last logged-on user would be found in which sub-key within the software hive file?
  • Comdlg 32
  • Classes
  • LogonUI
  • Run
41. _ is an autostart location in the Software Hive File.
  • Run Key
  • RunMRU
  • Installed printers
  • Comdlg 32
42. Windows OS install date and time would be found in the Software file in which sub-key?
  • Run Once
  • Winlogon
  • Windows
  • Current Version
43. The network list sub-keys profiles and signatures contain what information?
  • Domain user account information
  • Wireless network dates and times and gateway MAC address
  • Evidence of program execution
  • User account information
44. In the software hive file, what 2 sub-keys contain information regarding the connection of USB devices?
  • Mount points and Mountspoints2
  • Mountpoints2 and RunMRU
  • Devices and EMD Management
  • USBStore and USB
45. What key within the system file is used to determine the current control set?
  • Control
  • Prefetch
  • Services
  • Select
46. The last shutdown time is found within which sub-key in the system hive file?
  • USBstore
  • select
  • control
  • Windows
47. In the system hive, the Windows services sub-key tracks programs that _?
  • is not a subkey in the system hive
  • Indicates when the system needs service
  • run automatically when the system is booted, and are started by the system and with no interaction from the user
  • Tracks USB Devices
48. What subkey in the system hive file contains settings for the prefetch utility?
  • Select
  • prefetchParameters
  • Windows
  • Controlset
49. The setting within the system hive file that controls whether or not the page file is cleared at shutdown is _?
  • Memory Management
  • Crash Control
  • select
  • shutdown
50. What type of information is found at this location in the System hive file? Location: ControlSet001\Enum\USBSTOR\”Device”\”Serial# or Unique instance ID”\Properties{83da6326-97a6-4088-9453-a1923f573b29}
  • user account information
  • programs set to run at startup
  • prefetch settings
  • USB device connection and disconnection dates and times
51. Appcompatcache was created by Microsoft to identify application compatibility issues between 32 bit and 64 bit applications. What does the cache data track?
  • All of these
  • File Path
  • None of these
  • Last Modified Time
  • File Size
52. Information found in the Background Activity Moderator (BAM) sub-key proves?
  • Program execution by a specific user
  • Nothing
  • Program execution but not by a specific user
  • A change to the file MFT record
53. What do Shellbags track?
  • Folders or Directories within the Windows file system
  • Programs run at startup
  • File Times
  • Recently used applications
54. The _ hive file stores artifacts such as the Last write time, Install Dates, Application Name, Version, and path to exe or dll.
  • The NTUser.dat Hive File
  • The System Hive File
  • The AmCache Hive File
  • The Sam File
