Computer Hacking Forensic Investigator (CHFI v10) — Question 298
An investigator analyzes event logs from a Windows 10 system for a suspected security breach. The investigator needs to find the logs related to account management events. A peculiar set of actions observed is an account creation followed by a change in the account within a short span of time. Which Event IDs should the investigator look for in the logs?
Answer options
- A. Event ID 102 and Event ID 299
- B. Event ID 1 and Event ID 2
- C. Event ID 624 and Event ID 642
- D. Event ID 301 and Event ID 400
Correct answer: C
Explanation
The correct answer is C: Event ID 624 corresponds to account creation and Event ID 642 relates to account changes, so both are account management events. The other options do not pertain to account management events and are therefore not suitable for this investigation.