Computer Hacking Forensic Investigator (CHFI v10) — Question 566
During a forensic investigation of a system suspected to be involved in cybercrime, the investigator observes discrepancies between the $STANDARD_INFORMATION and $FILE_NAME creation dates for some files. As part of the investigation process, the investigator also noted that a utility called BCWipe was found installed on the system. What would be the investigator's most plausible conclusion based on these observations?
Answer options
- A. The system user used BCWipe to delete specific files securely
- B. The system was compromised with malware that altered the metadata
- C. The files were encrypted using the BCWipe utility
- D. The timestamps for some files have been manipulated, possibly as an anti-forensic measure
Correct answer: D
Explanation
The correct answer is D. NTFS keeps two sets of timestamps for each file: those in $STANDARD_INFORMATION can be changed through ordinary user-mode file APIs, while those in $FILE_NAME are maintained by the kernel and are not exposed to such calls. A mismatch between the two creation dates is therefore a recognized indicator of timestamp manipulation ("timestomping"), and the presence of an anti-forensic tool such as BCWipe on the same system strengthens that interpretation. Option A describes secure deletion, which would not by itself explain the timestamp mismatch; option B attributes it to malware without evidence; and option C describes encryption, which BCWipe is not used for. None of these accounts for the observed metadata discrepancy as directly as D.