Computer Hacking Forensic Investigator (CHFI v10) — Question 175
An attacker successfully gained access to a remote Windows system and plans to install persistent backdoors on it. Before that, to avoid being detected in the future, he wants to cover his tracks by disabling the last-accessed timestamps of the machine. What would he do to achieve this?
Answer options
- A. Set the registry value of HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 0
- B. Run the command fsutil behavior set disablelastaccess 0
- C. Set the registry value of HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 1
- D. Run the command fsutil behavior set enablelastaccess 0
Correct answer: C
Explanation
The correct answer is C because setting NtfsDisableLastAccessUpdate to 1 disables last-accessed timestamp updates on the machine, effectively covering the attacker's tracks. Option A is incorrect because a value of 0 enables last-accessed updates. Options B and D go through the fsutil command line rather than editing the registry and do not achieve the desired effect: both pass 0, and for disablelastaccess a value of 0 leaves last-accessed updates enabled.