Computer Hacking Forensic Investigator (CHFI v10) — Question 368
NTFS sets a flag for the file once you encrypt it and creates an EFS attribute where it stores the Data Decryption Field (DDF) and the Data Recovery Field (DRF). Which of the following is not a part of the DDF?
Answer options
- A. Encrypted FEK
- B. Checksum
- C. EFS Certificate Hash
- D. Container Name
Correct answer: B
Explanation
The correct answer is B, as the Checksum is not part of the Data Decryption Field. The Encrypted FEK, EFS Certificate Hash, and Container Name are essential components stored in the DDF to facilitate the decryption of the file, while the Checksum is used for data integrity and is not included in the DDF.