Computer Hacking Forensic Investigator (CHFI v10) — Question 140
You are a forensic investigator who is analyzing a hard drive that was recently collected as evidence. You have been unsuccessful at locating any meaningful evidence within the file system and suspect a drive wiping utility may have been used. You have reviewed the keys within the software hive of the Windows registry and did not find any drive wiping utilities. How can you verify that drive wiping software was used on the hard drive?
Answer options
- A. Check the list of installed programs
- B. Look for distinct repeating patterns on the hard drive at the bit level
- C. Document in your report that you suspect a drive wiping utility was used, but no evidence was found
- D. Load various drive wiping utilities offline, and export previous run reports
Correct answer: B
Explanation
The correct answer is B because analyzing the hard drive at the bit level can reveal distinct repeating patterns left by data overwriting, which is characteristic of drive wiping utilities. Options A and D may not provide definitive proof: a wiping utility may not always appear in the list of installed programs, and loading utilities offline would not help verify past actions. Option C only documents the suspicion without confirming any evidence of drive wiping.