Computer Hacking Forensic Investigator (CHFI v10) — Question 453
A Computer Hacking Forensics Investigator (CHFI) is working on a case involving an encrypted file from a user profile that was deleted. The investigator knows that the file was encrypted using the Encrypted File System (EFS) on a Windows operating system. The system is still bootable, but the original user profile is gone, and the system administrator has reset the account password. What would be the most suitable tool to recover this EFS-encrypted file?
Answer options
- A. ShredIt, a disk wiping utility tool
- B. VeraCrypt, a widely used tool in anti-forensics encryption
- C. AnalyzeMFT, a tool for examining MACE times in NTFS file systems
- D. Advanced EFS Data Recovery, a tool for decrypting protected files
Correct answer: D
Explanation
The correct answer is D, as Advanced EFS Data Recovery is specifically designed to recover files encrypted with the Encrypted File System (EFS). The other options are not relevant to EFS encryption recovery: ShredIt is for wiping data, VeraCrypt focuses on encryption rather than recovery, and AnalyzeMFT is used for examining file system metadata, not for decrypting files.