Which Windows artifact records changes to files and directories on NTFS volumes to aid timeline analysis?


Multiple Choice

Which Windows artifact records changes to files and directories on NTFS volumes to aid timeline analysis?

Explanation:
The main idea here is that the USN Change Journal on NTFS is a built-in audit log that records every change to files and directories on a volume, creating a chronological record that can be used to reconstruct what happened when. Each entry captures what changed (create, delete, modify, rename, attribute change, etc.), when it happened, and which file or directory was affected, including enough details to map actions across the timeline. Because this journal preserves a sequence of events directly from the file system, it provides a reliable backbone for timeline analysis, even if file timestamps are manipulated or multiple artifacts point to the same event.

Prefetch files track program startup behavior, not file-system changes themselves. LSASS memory holds sensitive credentials, not a history of file activity. Bash history is Linux shell activity, not Windows NTFS changes.

