Computer Hacking Forensic Investigator (CHFI v10) — Question 424
A forensic investigator is analyzing a Windows system for possible malicious activity. The investigator is specifically interested in the recent actions of a suspect on the system, including any deleted directories or files, mounted drives, and actions taken. Which of the following approaches and tools would be the most effective for obtaining this information?
Answer options
- A. Analyzing LNK files using ShellBags Explorer
- B. Investigating Jump Lists using ShellBagsView
- C. Parsing the BagMRU and Bags registry keys using SBag
- D. Examining the MRUListEx key and NodeSlot value in Windows Explorer
Correct answer: A
Explanation
The correct answer is A because LNK files, which are shortcut files in Windows, can provide detailed information about recently accessed files and directories, making them crucial for forensic investigations. Options B and C focus on other registry keys and tools that are less effective for directly analyzing user actions, while option D pertains to a specific registry key that does not provide as comprehensive insight into recent activities.