Computer Hacking Forensic Investigator (CHFI v10) — Question 290
A digital forensics investigator is working on a case in which an intruder has tampered with an SQL Server database. Some data from the database has vanished, and no backup files can be found. The investigator's task is to recover as much data as possible, so the investigator needs to understand which SQL Server data file will most likely assist in the data recovery. What should be the investigator's primary focus?
Answer options
- A. Page Header because it contains metadata about the page, such as page ID and page type
- B. LDF because it holds the log information associated with the database
- C. MDF because it stores all data in the database objects
- D. NDF because it can store additional data separate from the primary data file
Correct answer: B
Explanation
The correct answer is B, as the LDF file contains the transaction log, which records all changes made to the database. This log is crucial for data recovery since it provides a history of all transactions, allowing the investigator to restore lost data. The other options, while important, do not play as critical a role in data recovery as the transaction log does.