Computer Hacking Forensic Investigator (CHFI v10) — Question 2

What method of computer forensics will allow you to trace all ever-established user accounts on a Windows 2000 sever the course of its lifetime?

Answer options

• A. forensic duplication of hard drive
• B. analysis of volatile data
• C. comparison of MD5 checksums
• D. review of SIDs in the Registry

Correct answer: D

Explanation

The correct answer is D, as reviewing SIDs in the Registry provides a historical account of all user accounts that have been established on the server. Options A and B do not specifically address user account tracking, while option C relates to data integrity rather than user account history.