Which artifacts are typically examined in disk-based forensics to understand user activity?


Multiple Choice

Which artifacts are typically examined in disk-based forensics to understand user activity?

Explanation:
Disk-based forensics builds a timeline of what a user did by pulling from durable traces left on storage. The file system metadata, such as registry data, MFT records, and artifact metadata, stores detailed, persistent information about actions: when files were created, modified, or accessed; what programs were configured to run and when; and metadata about various artifacts that helps link events across the disk. These elements survive reboots and program removal, making them the most reliable source for reconstructing user activity after the fact.

In contrast, live processes, loaded modules, and network connections reflect current or in-memory state rather than historical, non-volatile evidence. They can be informative in a live analysis but aren't as dependable for building a post-incident activity timeline from disk.

