Computer Hacking Forensic Investigator (CHFI v10) — Question 288
A large corporation has recently undergone a cyberattack. The forensic analyst finds suspicious activities in the Windows Event logs during the investigation. The analyst notes that a specific service on the machine has been frequently starting and stopping during the time of the attack. What event IDs should the analyst look for in the System log to confirm this suspicious behavior?
Answer options
- A. Event ID 7035 and Event ID 7036
- B. Event ID 1 and Event ID 7035
- C. Event ID 7031 and Event ID 7032
- D. Event ID 7036 and Event ID 7037
Correct answer: A
Explanation
Both IDs are written to the System log by the Service Control Manager (SCM). Event ID 7035 records that the SCM successfully sent a start or stop control to a named service; Event ID 7036 records that the service actually entered the running or stopped state. A service that is being started and stopped repeatedly therefore shows up as an alternating run of 7035/7036 entries for the same service name within a short time span, which is exactly what the analyst needs to confirm. Event ID 7031 and 7032 concern a service terminating unexpectedly and the SCM's recovery action, not controlled start/stop, and the IDs in options B and D are not the SCM start/stop pair. In practice, on current Windows versions the 7035 control event is frequently not written at all, so 7036 is the entry you will reliably see; correlate it with 7045 (a new service was installed) and 7040 (a service's start type was changed) in the same log to establish whether the flapping service was planted or reconfigured by the attacker.
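The check described above, as an added example that is not part of the original question or the CHFI material: a Python script that reads an exported System log, keeps only Service Control Manager events 7035 and 7036, and flags any service whose state changes cluster inside a short window. The XML shape (a root Events element wrapping per-event XML with param1 = service name and param2 = control/state, as Event Viewer's "Save As XML" produces) and the sample records, service names, window length and threshold are all assumptions made for the example.

```python
"""Flag services that flap (start/stop repeatedly) in an exported Windows System log.

Assumed input shape (example assumption): a root <Events> element wrapping
standard Windows event XML, where SCM events 7035/7036 carry the service name
in EventData param1 and the control/state word in param2.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SCM_PROVIDER = "Service Control Manager"
SCM_START_STOP_IDS = {7035, 7036}

# Constructed sample export, not a real capture. "Remote Registry" flaps five
# times in four minutes; "Windows Update" changes state twice, an hour apart.
# Unrelated providers and other SCM IDs (e.g. 7045) are present to show filtering.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID>7036</EventID><TimeCreated SystemTime="2024-03-01T10:00:00.1234567Z"/></System><EventData><Data Name="param1">Remote Registry</Data><Data Name="param2">running</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID>7035</EventID><TimeCreated SystemTime="2024-03-01T10:00:50.000Z"/></System><EventData><Data Name="param1">Remote Registry</Data><Data Name="param2">stop</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID>7036</EventID><TimeCreated SystemTime="2024-03-01T10:01:00.000Z"/></System><EventData><Data Name="param1">Remote Registry</Data><Data Name="param2">stopped</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID>7036</EventID><TimeCreated SystemTime="2024-03-01T10:02:00.000Z"/></System><EventData><Data Name="param1">Remote Registry</Data><Data Name="param2">running</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Kernel-General"/><EventID>1</EventID><TimeCreated SystemTime="2024-03-01T10:02:30.000Z"/></System><EventData/></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID>7045</EventID><TimeCreated SystemTime="2024-03-01T10:02:45.000Z"/></System><EventData><Data Name="ServiceName">Remote Registry</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID>7036</EventID><TimeCreated SystemTime="2024-03-01T10:03:00.000Z"/></System><EventData><Data Name="param1">Remote Registry</Data><Data Name="param2">stopped</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID>7036</EventID><TimeCreated SystemTime="2024-03-01T10:04:00.000Z"/></System><EventData><Data Name="param1">Remote Registry</Data><Data Name="param2">running</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID>7036</EventID><TimeCreated SystemTime="2024-03-01T10:05:00.000Z"/></System><EventData><Data Name="param1">Windows Update</Data><Data Name="param2">running</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID>7036</EventID><TimeCreated SystemTime="2024-03-01T11:00:00.000Z"/></System><EventData><Data Name="param1">Windows Update</Data><Data Name="param2">stopped</Data></EventData></Event>
</Events>"""


def parse_systemtime(value: str) -> datetime:
    """Parse TimeCreated/@SystemTime. Windows writes up to seven fractional
    digits and a trailing Z; strptime's %f accepts at most six, so truncate."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        return datetime.strptime(f"{head}.{frac[:6]}", "%Y-%m-%dT%H:%M:%S.%f")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def parse_scm_events(xml_text: str) -> list:
    """Return SCM 7035/7036 records sorted by time; everything else is dropped."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        provider = system.find("e:Provider", NS).get("Name")
        event_id = int(system.find("e:EventID", NS).text)
        if provider != SCM_PROVIDER or event_id not in SCM_START_STOP_IDS:
            continue
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "time": parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
            "id": event_id,
            "service": data.get("param1"),
            "state": data.get("param2"),  # "start"/"stop" for 7035, "running"/"stopped" for 7036
        })
    events.sort(key=lambda e: e["time"])
    return events


def service_timeline(events: list, service: str) -> list:
    """Ordered (clock time, event ID, control/state) tuples for one service."""
    return [(e["time"].strftime("%H:%M:%S"), e["id"], e["state"])
            for e in events if e["service"] == service]


def flapping_services(events: list, window=timedelta(minutes=10), threshold=4) -> dict:
    """Map service -> max number of 7036 state changes seen in any `window`.

    Only 7036 counts toward the threshold: it records a state the service
    really reached, whereas 7035 only records that a control was sent (and is
    often absent on current Windows). Services below `threshold` are omitted.
    """
    by_service = defaultdict(list)
    for e in events:
        if e["id"] == 7036:
            by_service[e["service"]].append(e["time"])
    flagged = {}
    for svc, times in by_service.items():  # times are already sorted
        left, best = 0, 0
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flagged[svc] = best
    return flagged


if __name__ == "__main__":
    evts = parse_scm_events(SAMPLE_XML)
    for svc, count in flapping_services(evts).items():
        print(f"{svc}: {count} state changes within 10 minutes")
        for row in service_timeline(evts, svc):
            print("   ", *row)
```

Run it against a real export by replacing SAMPLE_XML with the file contents; tune the window and threshold to the host's normal churn (a service that restarts once during patching is not the pattern being sought), and check whether a flagged service also appears in 7045 or 7040 entries before concluding it is attacker-controlled.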