Computer Hacking Forensic Investigator (CHFI v10) — Question 302
A CHFI professional is investigating a data breach in a Windows 10 system. The initial analysis revealed some alterations in the system event logs. As part of the investigation, the professional uses the ‘wevtutil’ command-line tool. The command ‘wevtutil gl Security’ was executed, but the results seemed abnormal. Which of the following could be a plausible reason for this outcome?
Answer options
- A. The command ‘wevtutil gl Security’ does not exist in the ‘wevtutil’ command set
- B. The ‘wevtutil’ command cannot retrieve data from XML-based EVTX file format
- C. The Event Log service was temporarily unresponsive or down
- D. The EVTX file storing the Security log was corrupted or tampered with
Correct answer: D
Explanation
The correct answer is D because a corrupted or tampered EVTX file can produce abnormal results when the Security log is queried, which is consistent with the alterations the initial analysis found in the event logs. Option A is incorrect because ‘wevtutil gl Security’ is a valid command (‘gl’ retrieves the log’s configuration), and option B is incorrect because ‘wevtutil’ can read the EVTX format. Option C describes a service outage rather than the log-integrity problem at issue here.