CompTIA CySA+ (CS0-002) — Question 123
An analyst needs to forensically examine a Windows machine that was compromised by a threat actor. Intelligence reports state this specific threat actor is characterized by hiding malicious artifacts, especially with alternate data streams. Based on this intelligence, which of the following BEST explains alternate data streams?
Answer options
- A. A different way data can be streamlined if the user wants to use less memory on a Windows system for forking resources.
- B. A way to store data on an external drive attached to a Windows machine that is not readily accessible to users.
- C. A Windows attribute that provides for forking resources and is potentially used to hide the presence of secret or malicious files inside the file records of a benign file.
- D. A Windows attribute that can be used by attackers to hide malicious files within system memory.
Correct answer: C
Explanation
The correct answer is C because alternate data streams allow additional information to be stored within a file, making it possible to hide malicious content within a benign file's data structure. Option A incorrectly describes resource management rather than data hiding; B refers to external storage, which is not relevant to alternate data streams; and D misrepresents the function of alternate data streams, as they are not used to hide files in system memory.