CHFI Anti-Forensics Techniques 3

Question 1

How can a forensic investigator detect timestomping on a Windows NTFS volume?

Accepted Answer

By comparing $MFT timestamps against $LogFile and $UsnJrnl entries for inconsistencies

Answer

By comparing file MD5 hashes against known-good databases

Answer

By running a full antivirus scan on the volume

Answer

By capturing and analyzing live network traffic logs

Question 2

What is 'file system tunneling' as exploited in anti-forensics on Windows?

Accepted Answer

A Windows OS behavior that preserves original timestamps when a file is deleted and recreated with the same name within a short window

Answer

Creating hidden network tunnels through firewalls to exfiltrate data

Answer

Hiding data in NTFS volume boot record sectors

Answer

Encrypting individual files within a VeraCrypt container

Question 3

Which forensic recovery method is specifically used to recover files subjected to anti-forensic deletion by searching for file headers and footers in raw disk data?

Accepted Answer

File carving (data carving)

Answer

Hash verification

Answer

Event log analysis

Answer

Live network traffic capture

Question 4

What is the goal of 'artifact wiping' as an anti-forensics technique?

Accepted Answer

To remove all forensic traces of a tool's presence including registry entries, prefetch files, and log entries

Answer

To encrypt disk artifacts using symmetric encryption

Answer

To hide executable files in alternate NTFS data streams

Answer

To modify network packet headers to remove source IP addresses

Question 5

What disk regions, not normally reported by the OS, can be used to hide data as an advanced anti-forensics technique?

Accepted Answer

Host Protected Area (HPA) and Device Configuration Overlay (DCO)

Answer

FAT table entries and directory clusters

Answer

NTFS alternate data streams and reparse points

Answer

Volume shadow copies and restore points

Question 6

Which technique allows an attacker to hide malicious code inside a legitimate-looking program so it bypasses casual inspection?

Accepted Answer

Trojan horse embedding

Answer

Slack space data hiding

Answer

File system tunneling

Answer

Registry key obfuscation

Question 7

What does 'counter-forensics' refer to from a forensic investigator's perspective?

Accepted Answer

Investigator techniques and tools used to detect, overcome, and document anti-forensic measures

Answer

The use of forensic tools to analyze captured network traffic packets

Answer

Destroying digital evidence before it can be collected by law enforcement

Answer

Encrypting forensic disk images for secure chain-of-custody storage