CHFI Anti-Forensics Techniques 3

Question 1

How can a forensic investigator detect timestomping on a Windows NTFS volume?

Accepted Answer

By comparing $MFT timestamps against $LogFile and $UsnJrnl entries for inconsistencies

Answer

Investigators can detect timestomping by comparing timestamps recorded in the $MFT with those in the $LogFile and $UsnJrnl change journal, which may show discrepancies when MAC times have been manipulated.

Question 2

What is 'file system tunneling' as exploited in anti-forensics on Windows?

Accepted Answer

A Windows OS behavior that preserves original timestamps when a file is deleted and recreated with the same name within a short window

Answer

File system tunneling is a Windows feature that preserves original creation timestamps when a file is deleted and a new file with the same name is created within roughly 15 seconds, which attackers can exploit to maintain falsely consistent timestamps.

Question 3

Which forensic recovery method is specifically used to recover files subjected to anti-forensic deletion by searching for file headers and footers in raw disk data?

Accepted Answer

File carving (data carving)

Answer

File carving recovers files by scanning raw disk data for known file headers and footers, bypassing file system structures that may have been manipulated, deleted, or corrupted.

Question 4

What is the goal of 'artifact wiping' as an anti-forensics technique?

Accepted Answer

To remove all forensic traces of a tool's presence including registry entries, prefetch files, and log entries

Answer

Artifact wiping aims to remove all traces of a tool's execution, including registry keys, prefetch files, event logs, and temp files, preventing investigators from determining which tools were run on the system.

Question 5

What disk regions, not normally reported by the OS, can be used to hide data as an advanced anti-forensics technique?

Accepted Answer

Host Protected Area (HPA) and Device Configuration Overlay (DCO)

Answer

The Host Protected Area (HPA) and Device Configuration Overlay (DCO) are disk regions invisible to the operating system and most forensic tools by default, making them useful for hiding data from investigators.

CHFI - Computer Hacking Forensic Investigator Practice Test

CHFI - Computer Hacking Forensic Investigator Practice Test

CHFI Anti-Forensics Techniques 3