GIAC Certified Enterprise Defender (GCED) — Question 11

You have been tasked with searching for Alternate Data Streams on the following collection of Windows partitions; 2GB FAT16, 6GB FAT32, and 4GB NTFS. How many total Gigabytes and partitions will you need to search?

Answer options

• A. 4GBs of data, the NTFS partition only.
• B. 12GBs of data, the FAT16, FAT32, and NTFS partitions.
• C. 6GBs of data, the FAT32 partition only.
• D. 10GBs of data, both the FAT32 and NTFS partitions.

Correct answer: C

Explanation

The correct answer is C because the FAT32 partition is the only one that supports Alternate Data Streams. The FAT16 partition does not support this feature, and while the NTFS partition does, the question specifically asks for the FAT32 partition, which has 6GB of data. Options A, B, and D are incorrect as they either include partitions that do not support Alternate Data Streams or miscalculate the total data to be searched.