Computer Hacking Forensic Investigator (CHFI v10) — Question 410
An investigator is conducting a forensic analysis on a Windows machine suspected of accessing the Dark Web. The investigator has found Tor browser artifacts, but the Tor browser has been uninstalled. Which of the following steps should the investigator take next to obtain more information on the user's activities?
Answer options
- A. Use the netstat -ano command to check the active network connections
- B. Check the prefetch files using a tool such as WinPrefetchView
- C. Look for the 'State' file in the \Tor Browser\Browser\TorBrowser\Data\Tor\ directory
- D. Examine the registry key: HKEY_USERS\\SOFTWARE\Mozilla\Firefox\Launcher for path information
Correct answer: B
Explanation
The correct answer is B. Windows prefetch files remain on disk after an application is uninstalled, so analyzing them can provide insights into the applications that were run, including the Tor browser, and their usage patterns. Option A may show current connections but does not help in understanding past activities. Option C is irrelevant since the Tor browser has been uninstalled, and the 'State' file would not be present. Option D focuses on a registry key that is not directly related to Tor browser artifacts.