Computer Hacking Forensic Investigator (CHFI v10) — Question 414
A cybersecurity investigator has identified a potential incident of hidden information in a file. The investigator uses Autopsy's Extension Mismatch Detector Module to look for file extension mismatches. While examining the module's output, which of the following pieces of information should primarily be considered to verify the potential incident?
Answer options
- A. The file's size
- B. The first 20 bytes of the file
- C. The file's timestamp
- D. The last 20 bytes of the file
Correct answer: B
Explanation
The first 20 bytes of the file are critical because they often contain the magic numbers (the file signature) that identify the file type; comparing them against the file's extension helps confirm a mismatch. The other options (file size, timestamp, or the last 20 bytes) do not provide equally direct evidence of the file's true format and purpose.