Which data source is most reliable for reconstructing the creation events of user accounts on a Windows server?


Multiple Choice

Which data source is most reliable for reconstructing the creation events of user accounts on a Windows server?

Explanation:

To accurately reconstruct when user accounts were created on a Windows server, you need a complete, unaltered snapshot of the system's storage so you can examine the historical records that document those events. A forensic image preserves the Security event logs, which record account creation events (with exact timestamps and who performed the action), as well as the SAM/registry data that ties accounts to SIDs and other identifying details. An acquired disk image lets you analyze these artifacts in a forensically sound way, even if the original system has been altered or its logs have rotated since the events occurred.

Volatile data is unreliable for this purpose because it lives in memory and disappears when the machine powers down. Recreating accounts from memory is not credible, and while reviewing SIDs in the registry can provide clues about accounts, it does not reliably show when those accounts were created or provide a complete activity timeline.
