Computer Hacking Forensic Investigator (CHFI v10) — Question 176

On NTFS file system, which of the following tools can a forensic investigator use in order to identify timestomping of evidence files?

Answer options

• A. Exiv2
• B. analyzeMFT
• C. Timestomp
• D. wbStego

Correct answer: B

Explanation

The correct answer, analyzeMFT, is specifically designed to analyze the Master File Table of NTFS file systems, allowing investigators to uncover timestomping activities. While Timestomp is a tool for modifying timestamps, it does not help in identifying such alterations, and Exiv2 and wbStego are not focused on NTFS forensic analysis.