Computer Hacking Forensic Investigator (CHFI v10) — Question 398
A digital forensic investigator examines a Windows system to identify suspicious activity related to a recent cyber incident. She has collected volatile and non-volatile registry hives for analysis. The investigator has noticed modifications in a user's profile settings, including changes in desktop wallpaper and screen colors. Which hive and component cells in the registry should she examine more closely for further evidence of user-specific activity?
Answer options
- A. Examine HKEY_CLASSES_ROOT; focus on security descriptor cells and value cells
- B. Examine HKEY_LOCAL_MACHINE; focus on value cells and subkey list cells
- C. Examine HKEY_CURRENT_CONFIG; focus on subkey list cells and value cells
- D. Examine HKEY_CURRENT_USER; focus on key cells and value list cells
Correct answer: D
Explanation
The correct answer is D because HKEY_CURRENT_USER contains the settings and preferences specific to the logged-in user, including profile settings like desktop wallpaper and screen colors. The other options focus on different hives that do not pertain to user-specific configurations, making them less relevant for this investigation.