Windows Registry Forensics Coursera Quiz Answers

Get All Weeks Windows Registry Forensics Coursera Quiz Answers

Windows Registry Forensics Week 01 Quiz Answers

Quiz 1: Windows Registry Forensics Quiz

Q1. The Windows Registry is defined as

• SQL database
• Central relational database
• Central hierarchical database
• Flat file

Q2. The Windows Registry replaced which type of file?

• Link Files
• Property lists
• Configuration and Initialization files
• Log Files

Q3. What information is NOT contained in the Windows Registry?

• System Information
• Disk structure information
• Application specific information
• user information

Q4. The Windows Registry can be useful for?

• Validating findings through an investigation
• Determining the number of partitions on a drive
• Determining cluster size
• looking up a phone number

Q5. Registry is important because it records?

• installed programs
• user account information
• all of these
• devices attached to the computer

Q6. The type of case you are investigating…

• will determine the type of information you are looking for
• will NOT determine the type of information you are looking for
• only matters if it is a Windows 7 computer
• has nothing to do with the registry

Q7. The Windows Registry contains

• All of these
• Keys
• Hives
• Sub-Keys
• Data
• Values

Q8. The registry hive files are pulled into memory, handle keys, and represented as

• user Keys (UK)
• File Keys (FK)
• Block Keys (BK)
• Handle Keys (HK)

Q9. Which Registry Key is only found on a live running system?

• Security
• Sam
• Hardware
• System
• Software

Q10. Registry values can be in several different forms. Which is not a registry value form?

• Binary Data
• SQL Data
• String Data
• Hex Data

Q11. The user specific registry files contained in the registry are?

• PTUser.reg and user.Dat
• Amcache and Sam
• NTUser.Dat and UsrClass.Dat
• None of the above

Q12. The system specific files contained within the registry are?

• security
• All of these
• AmCache
• software
• Sam
• system

Q13. The Sam, Security, Software, and System Registry files are located at

• Volume root\Windows\Sam\config
• Volume root\Windows\system32\config
• Volume root\WindowsNT\system32\config
• Volume root\system32\user\config

Q14. What are the two registry files that relate to a specific user?

• NTUser.dat and Software
• NTUser.dat and USRClass.dat
• Sam and System
• Sam and Security

Q15. Registry browser is a

• Hex editor
• Registry hive sub-key
• Older type of Windows registry prior to Windows 95
• Specialized tool used to view the Window Registry

Q16. Which sub-key is used to determine the current control set?

• Windows
• System
• Microsoft
• Select

Q17. What registry hive file contains the the time zone setting

• Sam
• Software
• System
• Security

Q18. The Windows OS Version and Install date are contained in the __ registry hive?

• Security
• System
• Software
• Sam

Q19. Regarding the live Windows Registry, which two hive keys or sub keys only exists in the live registry?

• Both A and B
• HKEY_LOCAL_MACHINE—HARDWARE SUBKEY
• None of these
• HKEY_LOCAL_MACHINE-SYSTEM SUBKEY
• HKEY_LOCAL_MACHINE-SAM SUBKEY
• HKEY_CURRENT_USER

Q20. Which two Registry files are not accessible on a live running computer. As seen in Regedit.

• Sam
• Both Security and Software
• security
• software
• system
• Both Sam and security

Q21. What Registry sub key contains a list of recently used documents by file extension?

• The Run Sub Once subkey
• The Run MRU subkey
• Recent Docs subkey
• User Assist

Q22. The typed URL subkey contains:

• Recently run applications
• Search terms typed into Windows Explorer
• Programs run at startup
• Web Addresses typed into the Internet Explorer Address Bar

Q23. The values in which key are stored using ROT13

• Run
• Typed URLs
• User Assist
• Recent Applications

Q24. This sub key tracks recently used applications and may contain a record of the files that were opened with each application…

• Run Once
• User Assist
• Recent Apps
• Run MRU

Q25. This subkey tracks user-specific, persistent, applications that are set to run at start-up.

• Run MRU
• Recent Apps
• Run
• Run Once

Q26. This key tracks files that have been opened or saved within a Windows Open/Save dialog box. This includes web browsers and commonly used applications.

• Run MRU
• ComDlg32 OpenSavePidMRU
• Recent Docs
• Recent Apps

Q27. This key maintains a list of all the values typed into the Run box on the Start menu.

• Run
• Run MRU
• WordWheel Query
• Run Once

Q28. The subkey Typed Paths does what?

• Keeps track of URL typed into the Internet Explorer Address Bar
• Keeps track of Files, Directories, or programs accessed by typing a File path into Windows Explorer
• comdlg 32
• Runs at startup

Q29. Microsoft Office MRU are…

• programs or applications launched through the Windows runbox
• User-specific programs that are set to run at startup with no interaction from
• Recently used Microsoft Office Documents
• created when a user types a path to a directory, file, or application into Windows Explorer.

Q30. What subkey tracks user key word searches?

• ComDlg32
• Recent Apps
• Run MRU
• WordWheel query

Q31. The SAM file stores what information?

• Information about files and applications recently accessed by a user
• information about the users internet accounts and browser history
• Programs set to Run at startup by a user
• information about each user such as login information, login password hashes, and group information

Q32. The Security identifier SID is comprised of 3 parts…

• Issuing identifier-Domain authority-Machine identifier
• Issuing authority- Machine/domain identifier- Relative identifier
• user name – Profile path- User directory
• All of the above

Q33. The Machine identifier of the local machine is found in the __ subkey

• Users
• Domains
• Groups
• Account

Q34. The relative identifier or RID identifies a?

• User
• Domain
• Group
• Machine

Q35. The Names subkey identifier the user’s name and __ ?

• Relative Identifier
• last logon time
• log on count
• password hash

Q36. The last logon time is stored in the _ subkey?

• Names
• Accounts
• User
• Domains

Q37. The V value of the users subkey contains?

• last logon date and time
• username and password hash
• log on count
• number of failed logon’s

Q38. What is the function of the RunMRU subkey in the Software Hive File?

• all of the above
• This key tracks user searches
• This key shows programs that run at startup
• This key maintains a list of all the values typed into the Run box on the Start menu

Q39. The OpenSavePidMRU sub-key, which is a sub-key of Comdlg 32 tracks … ?

• User logon information and last logged on user
• AutoStart locations
• values typed into the Run box on the Start menu
• A specific executable used to open the files

Q40. Information indicating the last logged-on user would be found in which sub-key within the software hive file?

• Comdlg 32
• Classes
• LogonUI
• Run

Q41. _ is an autostart location in the Software Hive File.

• Run Key
• Comdlg 32
• RunMRU
• Installed printers

Q42. Windows OS install date and time would be found in the Software file in which sub-key?

• Run Once
• Winlogon
• Windows
• Current Version

Q43. The network list sub-keys profiles and signatures contain what information?

• Domain user account information
• Wireless network dates and times and gateway MAC address
• Evidence of program execution
• User account information

Q44. In the software hive file, what 2 sub-keys contain information regarding the connection of USB devices?

• Mount points and Mountspoints2
• Mountpoints2 and RunMRU
• Devices and EMD Management
• USBStore and USB

Q45. What key within the system file is used to determine the current control set?

• Control
• Prefetch
• Services
• Select

Q46. The last shutdown time is found within which sub-key in the system hive file?

• USBstore
• select
• control
• Windows

Q47. In the system hive, the Windows services sub-key tracks programs that _?

• is not a subkey in the system hive
• run automatically when the system is booted, and are started by the system and with no interaction from the user
• Tracks USB Devices
• Indicates when the system needs service

Q48. What subkey in the system hive file contains settings for the prefetch utility?

• Select
• prefetchParameters
• Windows
• Controlset

Q49. The setting within the system hive file that controls whether or not the page file is cleared at shutdown is _?

• Memory Management
• shutdown
• Crash Control
• select

Q50. What type of information is found at this location in the System hive file

Location:ControlSet001\Enum\USBSTOR\”Device”\”Serial# or Unique instance ID”\Properties{83da6326-97a6-4088-9453-a1923f573b29}

• user account information
• USB device connection and disconnection dates and times
• programs set to run at startup
• prefetch settings

Q51. Appcompatcache was created by Microsoft to identify application compatibility Issues between 32 bit and 64 bit applications. What does the cache data track?

• All of these
• File Path
• Last Modified Time
• File Size
• None of these

Q52. Information found in the Background Activity Moderator (BAM) sub-key proves?

• Program execution by a specific user
• Nothing
• Program execution but not by a specific user
• A change to the file MFT record

Q53. What do Shellbags track?

• Folders or Directories within the Windows file system
• File Times
• Recently used applications
• Programs run at startup

Q54. The _ hive file stores artifacts such as the Last write time, Install Dates, Application Name, Version, and path to exe or dill

• The NTUser.dat Hive File
• The AmCache Hive File
• The Sam File
• The System Hive File

Get All Course Quiz Answers of Software Development Lifecycle Specialization

Software Development Processes and Methodologies Quiz Answers

Agile Software Development Coursera Quiz Answers

Lean Software Development Coursera Quiz Answers

Engineering Practices for Building Quality Software Quiz Answers