Computer Hacking Forensic Investigator (CHFI v10) — Question 436
A forensics investigator is studying the Event ID logs on a domain controller for a corporation, following a suspected security breach. He notices that a domain user account was created, then modified, and then added to a group in a very short span of time. The investigator realizes that he must cross-verify the audit policies on the local system to understand if any changes were made to it. Assuming that the investigator has the correct audit policy settings, which of the following Event IDs should he focus on?
Answer options
- A. Event ID 642
- B. Event ID 644
- C. Event ID 624
- D. Event ID 612
Correct answer: C
Explanation
Event ID 624 is related to user account management, specifically tracking changes such as account creation and group membership updates, which makes it the relevant choice for this scenario. The other Event IDs do not specifically pertain to the creation and modification of user accounts or their group memberships, so they are not suitable for this investigation.