Which NTFS log is commonly reviewed to detect file system changes and potential hidden activity?

Multiple Choice

Explanation:
The NTFS change-tracking mechanism called the USN Journal records a chronological stream of file system changes—creations, deletions, renames, moves, and attribute or content modifications. This makes it the best log for detecting file system activity, including hidden or stealthy actions, because investigators can see what happened to files over time, who touched them, when, and in what way. Each entry provides a reference to the file, the type of change, and a timestamp, enabling reconstruction of sequences of events and identification of suspicious patterns such as unexpected renames, rapid changes, or activity around sensitive files.

In contrast, the Master File Table is a metadata map of files rather than a full change history, the $LogFile is a recovery-oriented transactional log used to restore metadata after crashes, and the $Bitmap tracks which clusters are in use without recording the timeline of changes.
