Computer Hacking Forensic Investigator (CHFI v10) — Question 458
In a recent cybercrime investigation, a forensic analyst found that the suspect had used anti-forensic techniques to complicate the investigation process. The criminal had been working to erase data, manipulate metadata, and employ encryption, which made the investigation significantly more complex. Which of the following scenarios would indicate that the suspect had overwritten data and metadata in an attempt to evade investigation?
Answer options
- A. The investigator detects that the suspect used VeraCrypt for full-volume encryption to protect critical files
- B. The AnalyzeMFT tool reveals inconsistencies between the $STANDARD_INFORMATION and $FILE_NAME attributes in the NTFS file system
- C. The investigator finds the disk has been completely formatted, wiping its address tables and unlinking all files in the file system
- D. The investigator finds the majority of the hard drive's sectors contain the null character, indicating usage of disk wiping utilities
Correct answer: D
Explanation
The correct answer is D: when the majority of the hard drive's sectors contain the null character, that is a clear sign the data was overwritten by a disk wiping utility. Option A relates to encryption, which does not necessarily indicate data overwriting. Option B points to inconsistencies in file attributes but does not confirm data erasure. Option C refers to complete formatting, which wipes the address tables and unlinks the files and is different from overwriting existing data.