Computer Hacking Forensic Investigator (CHFI v10) — Question 301

A CHFI expert creates a forensics image of a pen drive using AccessData FTK Imager during a computer forensics investigation. The investigator uses The Sleuth Kit (TSK) to examine an ext4 file system on a Linux disk image and suspects data tampering. The expert decides to verify inode metadata for a critical file. However, he notes an unexpected block allocation in the inode details. Which TSK command-line tool and argument should the investigator utilize to examine the addresses of all allocated disk units for the suspicious inode?

Answer options

• A. fsstat -f ext4
• B. img_stat -i raw
• C. fls -o imgoffset
• D. istat -B num

Correct answer: D

Explanation

The correct answer is D, as the 'istat' command is specifically designed for examining inode information, including block addresses for a specified inode. The other options, while useful for other aspects of file system analysis, do not directly provide the detailed information required for allocated blocks associated with a specific inode.