Computer Hacking Forensic Investigator (CHFI v10) — Question 563
A CHFI has been tasked with analyzing Windows Security Logs in a highly complex, multi-layered security breach investigation. The breach involved account creation, privilege escalation, and the installation of a service, all happening sequentially within a short duration. The investigator is required to retrieve a combination of Event IDs that would chronologically corroborate these events. Which combination of Event IDs should the investigator focus on?
Answer options
- A. Event ID 624, Event ID 4670, and Event ID 6011
- B. Event ID 624, Event ID 500, and Event ID 7045
- C. Event ID 4720, Event ID 4672, and Event ID 7045
- D. Event ID 4720, Event ID 500, and Event ID 6011
Correct answer: C
Explanation
The correct answer is C: Event ID 4720 indicates user account creation, Event ID 4672 signifies privilege escalation, and Event ID 7045 logs the installation of a service. The other options do not provide the correct sequence of events related to account creation and privilege escalation, which are critical for the investigation.