1Which component of a traditional Hard Disk Drive (HDD) is responsible for physically holding the magnetic data?
A.Spindle
B.Read/Write Head
C.Platter
D.Actuator Arm
Correct Answer: Platter
Explanation:
Platters are the circular disks inside an HDD, coated with magnetic material, where data is physically stored.
Incorrect! Try again.
2What is the smallest physical storage unit on a standard hard disk drive?
A.Track
B.Cluster
C.Sector
D.Cylinder
Correct Answer: Sector
Explanation:
A sector is the smallest physical storage unit on a disk, traditionally consisting of 512 bytes.
Incorrect! Try again.
3Which term describes the concentric circles on a hard disk platter where data is written?
A.Tracks
B.Sectors
C.Cylinders
D.Clusters
Correct Answer: Tracks
Explanation:
Tracks are the concentric circles on the platter surface that contain the sectors.
Incorrect! Try again.
4In the context of disk addressing, what does CHS stand for?
A.Cylinder Head Sector
B.Circular Hard Storage
C.Cylinder Host System
D.Cluster Head Sector
Correct Answer: Cylinder Head Sector
Explanation:
CHS stands for Cylinder-Head-Sector, an early method for giving addresses to data on a hard drive.
Incorrect! Try again.
5Which logical addressing scheme replaces CHS by assigning a sequential number to each sector?
A.GPT (GUID Partition Table)
B.MBR (Master Boot Record)
C.LBA (Logical Block Addressing)
D.ZBR (Zone Bit Recording)
Correct Answer: LBA (Logical Block Addressing)
Explanation:
LBA allows the operating system to address sectors linearly (0 to N) without needing to know the physical geometry (CHS) of the drive.
Incorrect! Try again.
6What is a 'Cluster' in the context of file systems?
A.A specific type of magnetic encoding
B.A group of hard drives working together
C.A physical defect on the disk surface
D.The smallest unit of disk space allocatable by the Operating System
Correct Answer: The smallest unit of disk space allocatable by the Operating System
Explanation:
A cluster is a group of sectors and represents the minimum space an OS allocates to a file.
Incorrect! Try again.
7Which area of the hard drive is often hidden from the operating system and can be used to hide data?
A.Boot Sector
B.FAT Area
C.HPA (Host Protected Area)
D.MFT
Correct Answer: HPA (Host Protected Area)
Explanation:
The HPA is a reserved area on the HDD that is not normally visible to the operating system or BIOS/UEFI, often used for recovery tools or by rootkits.
Incorrect! Try again.
8How does a Solid State Drive (SSD) store data compared to an HDD?
A.Using NAND Flash memory
B.Using magnetic fields on platters
C.Using laser pits and lands
D.Using magnetic tape
Correct Answer: Using NAND Flash memory
Explanation:
SSDs use non-volatile flash memory (NAND) to store data electronically, rather than magnetically spinning platters.
Incorrect! Try again.
9What process do SSDs use to ensure memory cells wear out evenly?
A.Striping
B.Defragmentation
C.Journaling
D.Wear Leveling
Correct Answer: Wear Leveling
Explanation:
Wear leveling is an algorithm used by SSD controllers to distribute write cycles evenly across all memory cells to extend the drive's lifespan.
Incorrect! Try again.
10Which command allows an operating system to inform an SSD which blocks of data are no longer considered in use?
A.CHKDSK
B.TRIM
C.CLEAN
D.FORMAT
Correct Answer: TRIM
Explanation:
The TRIM command tells the SSD which data blocks are no longer needed so they can be wiped internally to maintain write speed.
Incorrect! Try again.
11What is the standard size of the Master Boot Record (MBR)?
A.256 bytes
B.1024 bytes
C.512 bytes
D.4096 bytes
Correct Answer: 512 bytes
Explanation:
The MBR is located in the first sector of the disk and is exactly 512 bytes in size.
Incorrect! Try again.
12What is the specific hex signature located at the end of the MBR (offset 510-511)?
A.0x00FF
B.0x55AA
C.0xAA55
D.0xFF00
Correct Answer: 0x55AA
Explanation:
0x55AA is the standard boot signature (magic number) that identifies a valid MBR.
Incorrect! Try again.
13How many primary partitions does the MBR partition table support by default?
A.16
B.4
C.2
D.128
Correct Answer: 4
Explanation:
The standard MBR partition table has space for only 4 primary partition entries.
Incorrect! Try again.
14Which partitioning scheme overcomes the 2TB size limit of MBR?
A.CHS
B.GPT (GUID Partition Table)
C.FAT32
D.LBA
Correct Answer: GPT (GUID Partition Table)
Explanation:
GPT supports disks much larger than 2TB and allows for up to 128 partitions on Windows.
Incorrect! Try again.
15What is the first step in the general booting process of a computer?
A.Starting the Init process
B.Loading the Kernel
C.Reading the MBR
D.POST (Power-On Self-Test)
Correct Answer: POST (Power-On Self-Test)
Explanation:
POST is the diagnostic testing sequence that a computer's BIOS/UEFI runs immediately after being powered on.
Incorrect! Try again.
16In the Windows Vista and later boot process, which file replaces NTLDR?
A.winload.exe
B.bootmgr
C.boot.ini
D.ntoskrnl.exe
Correct Answer: bootmgr
Explanation:
Windows Boot Manager (bootmgr) replaced NTLDR as the boot loader in Windows Vista and subsequent versions.
Incorrect! Try again.
17Where is the Boot Configuration Data (BCD) store typically located in a modern Windows system?
A.C:\Windows\System32
B.Inside the MBR
C.Inside the Registry
D.\Boot\BCD on the active partition
Correct Answer: \Boot\BCD on the active partition
Explanation:
The BCD store, which contains boot configuration parameters, is located in the \Boot directory of the active partition (often the System Reserved partition).
Incorrect! Try again.
18What is the most common bootloader used in Linux distributions?
A.Bootmgr
B.NTLDR
C.GRUB
D.LILO
Correct Answer: GRUB
Explanation:
GRUB (Grand Unified Bootloader) is the standard bootloader for most modern Linux distributions.
Incorrect! Try again.
19Which specific Linux directory contains the kernel image and bootloader files?
A./etc
B./sys
C./boot
D./dev
Correct Answer: /boot
Explanation:
The /boot directory contains the static files required to boot the system, such as the Linux kernel and GRUB configuration.
Incorrect! Try again.
20What is 'File Slack'?
A.The unused space between the end of the file and the end of the cluster
B.The space occupied by deleted files
C.The metadata stored in the file header
D.The space used by the MFT
Correct Answer: The unused space between the end of the file and the end of the cluster
Explanation:
File slack (or slack space) occurs because files are allocated in full clusters; if a file doesn't fill the last cluster, the remaining bytes are slack.
Incorrect! Try again.
21What is the maximum file size supported by the FAT32 file system?
A.16 TB
B.4 GB
C.32 GB
D.2 GB
Correct Answer: 4 GB
Explanation:
FAT32 has a limitation where an individual file cannot exceed 4 GB minus 1 byte.
Incorrect! Try again.
22Which file system is the default for modern Windows operating systems?
A.NTFS
B.HFS+
C.exFAT
D.FAT32
Correct Answer: NTFS
Explanation:
NTFS (New Technology File System) is the standard file system for the system drive of Windows NT-based OSs (XP and later).
Incorrect! Try again.
23In NTFS, where is all information about a file, including its name, timestamps, and permissions, stored?
A.Inode Table
B.Superblock
C.FAT Table
D.MFT (Master File Table)
Correct Answer: MFT (Master File Table)
Explanation:
The MFT is the heart of NTFS; it contains a record for every file and directory on the volume.
Incorrect! Try again.
24What is a 'Resident File' in NTFS?
A.A file that cannot be deleted
B.A file located in the Windows directory
C.A file whose data fits entirely within its MFT record
D.A file stored in the system registry
Correct Answer: A file whose data fits entirely within its MFT record
Explanation:
If a file is very small (~700-800 bytes or less), its content is stored directly within the MFT record rather than in external clusters.
Incorrect! Try again.
25Which NTFS feature allows data to be hidden 'behind' a file without changing the file's visible size?
A.ADS (Alternate Data Streams)
B.Journaling
C.Encryption
D.Compression
Correct Answer: ADS (Alternate Data Streams)
Explanation:
ADS allows more than one data stream to be associated with a filename (e.g., file.txt:secret.txt), often used to hide data.
Incorrect! Try again.
26Which file system was designed by Microsoft specifically for flash drives to handle large files without the overhead of NTFS?
A.FAT16
B.exFAT
C.FAT32
D.Ext4
Correct Answer: exFAT
Explanation:
exFAT (Extended File Allocation Table) allows for files larger than 4GB and is optimized for flash storage.
Incorrect! Try again.
27What is the fundamental metadata structure for files in Linux file systems like Ext4?
A.MFT Record
B.Inode
C.Registry Key
D.FAT Entry
Correct Answer: Inode
Explanation:
An Inode (Index Node) stores all metadata about a file (permissions, owner, size, pointers to data blocks), except the filename.
Incorrect! Try again.
28Which data structure in a Linux file system stores information about the file system itself (e.g., block size, total blocks)?
A.Data Block
B.Superblock
C.Group Descriptor
D.Boot Block
Correct Answer: Superblock
Explanation:
The Superblock contains global file system metadata, such as the total number of inodes and blocks, and the file system state.
Incorrect! Try again.
29What is the primary advantage of a Journaling File System (like Ext4 or NTFS)?
A.Faster read speeds
B.Smaller cluster sizes
C.Automatic encryption
D.Recovery from crashes by keeping a log of changes
Correct Answer: Recovery from crashes by keeping a log of changes
Explanation:
Journaling maintains a record (journal) of changes before they are committed, allowing the file system to recover quickly and reduce corruption after a power failure.
Incorrect! Try again.
30In a Linux file system, the directory structure is:
A.Dependent on the BIOS
B.Drive-letter based (C:, D:)
C.Hierarchical tree starting at root (/)
D.Flat database
Correct Answer: Hierarchical tree starting at root (/)
Explanation:
Linux uses a unified single directory tree where everything starts at the root directory, represented by a forward slash (/).
Incorrect! Try again.
31Autopsy is a graphical interface for which underlying digital forensics tool suite?
A.Volatility
B.EnCase
C.The Sleuth Kit (TSK)
D.Wireshark
Correct Answer: The Sleuth Kit (TSK)
Explanation:
Autopsy is the open-source GUI frontend for The Sleuth Kit, a library of command-line tools for analyzing disk images.
Incorrect! Try again.
32In Autopsy, what is the purpose of the 'Ingest Modules'?
A.To crack passwords
B.To copy the hard drive
C.To automate analysis tasks like hashing and keyword searching
D.To format the evidence drive
Correct Answer: To automate analysis tasks like hashing and keyword searching
Explanation:
Ingest modules run in the background to process data sources, performing tasks like calculating MD5 hashes, looking for keywords, and parsing Exif data.
Incorrect! Try again.
33What does the term 'File Carving' refer to in digital forensics?
A.Recovering files based on headers and footers without file system metadata
B.Deleting files securely
C.Compressing files for storage
D.Encrypting sensitive data
Correct Answer: Recovering files based on headers and footers without file system metadata
Explanation:
File carving scrapes the raw bytes of the drive looking for file signatures (magic numbers) to recover data when the file system table is corrupted or the file was deleted.
Incorrect! Try again.
34Which RAID level uses 'Striping' to increase performance but offers no redundancy?
A.RAID 1
B.RAID 10
C.RAID 0
D.RAID 5
Correct Answer: RAID 0
Explanation:
RAID 0 splits data evenly across two or more disks (striping) for speed, but if one disk fails, all data is lost.
Incorrect! Try again.
35Which RAID level mirrors data across two disks for redundancy?
A.RAID 5
B.RAID 0
C.RAID 6
D.RAID 1
Correct Answer: RAID 1
Explanation:
RAID 1 writes the exact same data to two or more drives (mirroring), ensuring data survives if one drive fails.
Incorrect! Try again.
36RAID 5 requires a minimum of how many disks?
A.3
B.2
C.5
D.4
Correct Answer: 3
Explanation:
RAID 5 uses striping with parity and requires at least 3 disks to function.
Incorrect! Try again.
37What is the main difference between NAS and SAN?
A.There is no difference
B.NAS uses Fibre Channel, SAN uses Ethernet only
C.NAS is file-level storage, SAN is block-level storage
D.NAS is block-level, SAN is file-level
Correct Answer: NAS is file-level storage, SAN is block-level storage
Explanation:
NAS (Network Attached Storage) appears as a shared folder (file-level), while SAN (Storage Area Network) appears to the server as a local disk (block-level).
Incorrect! Try again.
38In hexadecimal notation, the value 'F' represents which decimal number?
A.15
B.12
C.16
D.10
Correct Answer: 15
Explanation:
Hexadecimal is base-16 (0-9, A-F). F is the highest digit, representing decimal 15.
Incorrect! Try again.
39How many bits are in a Nibble?
A.4
B.2
C.8
D.16
Correct Answer: 4
Explanation:
A nibble is half a byte, consisting of 4 bits. One hexadecimal digit represents one nibble.
Incorrect! Try again.
40What is a 'Magic Number' or 'File Signature'?
A.The checksum of the file
B.A unique sequence of bytes at the beginning of a file identifying its format
C.The file size in bytes
D.The timestamp of creation
Correct Answer: A unique sequence of bytes at the beginning of a file identifying its format
Explanation:
Magic numbers (e.g., FF D8 for JPEG) are used by the OS and forensic tools to identify the file type regardless of the extension.
Incorrect! Try again.
41Which character encoding standard uses variable length (1 to 4 bytes) to represent text and covers almost all world languages?
A.ASCII
B.UTF-8
C.EBCDIC
D.Base64
Correct Answer: UTF-8
Explanation:
UTF-8 is a Unicode implementation that uses variable byte lengths to encode characters from virtually all written languages.
Incorrect! Try again.
42In 'Little Endian' byte ordering, how is the hexadecimal value 0x1234 stored in memory?
A.34 12
B.12 34
C.34 34
D.12 12
Correct Answer: 34 12
Explanation:
Little Endian stores the least significant byte first. So, 0x1234 becomes 34 followed by 12.
Incorrect! Try again.
43Which tool allows an examiner to view and edit the raw binary data of a file or disk?
A.Hex Editor
B.Registry Editor
C.Compiler
D.Word Processor
Correct Answer: Hex Editor
Explanation:
A Hex Editor displays the raw binary content of a file in hexadecimal and ASCII, allowing low-level analysis.
Incorrect! Try again.
44The $Bitmap file in NTFS serves what purpose?
A.Tracks the allocation status (used/unused) of clusters
B.Stores file names
C.Encrypts the drive
D.Stores the boot code
Correct Answer: Tracks the allocation status (used/unused) of clusters
Explanation:
The $Bitmap file contains a bit array where each bit represents a cluster; a 1 means the cluster is used, and 0 means it is free.
Incorrect! Try again.
45What is the standard sector size for 'Advanced Format' (4Kn) drives?
A.512 bytes
B.1024 bytes
C.2048 bytes
D.4096 bytes
Correct Answer: 4096 bytes
Explanation:
Modern large-capacity drives often use the Advanced Format with a physical sector size of 4096 bytes (4KB) to improve efficiency and error correction.
Incorrect! Try again.
46Which Linux command is commonly used to list block devices and their file systems?
A.lsblk
B.grep
C.netstat
D.ps
Correct Answer: lsblk
Explanation:
lsblk (list block devices) is used to display information about all available or specified block devices.
Incorrect! Try again.
47What is the purpose of the 'Hard Link' in Linux?
A.A pointer to the same inode as the original file
B.A copy of the file in a different partition
C.A link to a web address
D.A shortcut to a file
Correct Answer: A pointer to the same inode as the original file
Explanation:
A hard link points directly to the inode of the file. Deleting the original filename does not delete the data if a hard link still exists.
Incorrect! Try again.
48In a Windows Boot Process, what is the function of 'Winload.exe'?
A.It performs the POST
B.It formats the hard drive
C.It loads the OS kernel (ntoskrnl.exe) and core drivers
D.It manages the user login
Correct Answer: It loads the OS kernel (ntoskrnl.exe) and core drivers
Explanation:
Winload.exe is invoked by the Boot Manager to load the operating system kernel and boot-start device drivers.
Incorrect! Try again.
49Which interface is designed specifically to overcome the speed bottlenecks of SATA for SSDs?
A.SCSI
B.USB 2.0
C.NVMe
D.PATA
Correct Answer: NVMe
Explanation:
NVMe (Non-Volatile Memory Express) operates over the PCIe bus, providing much higher bandwidth and lower latency than SATA.
Incorrect! Try again.
50JBOD stands for:
A.Just a Bunch of Disks
B.Journaled Block Operation Data
C.Joint Boot Operation Disk
D.Just Boot On Demand
Correct Answer: Just a Bunch of Disks
Explanation:
JBOD refers to a collection of hard disks that are not configured in a RAID array; they appear as separate disks or a spanned volume without redundancy or striping.