Virtual Labs

After deleting a file in an NTFS file system, how can you still recover its content?

a: By using the file's last access date Explanation

Explanation

b: By restoring the file from the Recycle Bin Explanation

Explanation

c: By locating the $DATA attribute in the Master File Table (MFT) Explanation

Explanation

d: By running a disk defragmentation Explanation

Explanation

What is a key forensic use of the Alternate Data Streams (ADS) in an NTFS file system?

a: To increase the speed of file access Explanation

Explanation

b: To hide additional data or malicious content within a file Explanation

Explanation

c: To compress files automatically Explanation

Explanation

d: To store file permissions Explanation

Explanation

What is the importance of extracting the Master File Table (MFT) from a file system image during forensic analysis?

a: To identify suspicious files and track file activity Explanation

Explanation

b: To format the drive for future use Explanation

Explanation

c: To increase the size of the file system Explanation

Explanation

d: To reduce the number of files on the system Explanation

Explanation

Which NTFS attribute is crucial for determining when a file was created, modified, or accessed?

a: $STANDARD_INFORMATION Explanation

Explanation

b: $BITMAP Explanation

Explanation

c: $INDEX_ALLOCATION Explanation

Explanation

d: $LOGFILE Explanation

Explanation

How does the $LogFile attribute assist digital forensic experts in NTFS investigations?

a: It stores user credentials for accessing protected files Explanation

Explanation

b: It maintains transactional records of file system changes Explanation

Explanation

c: It keeps copies of deleted file contents Explanation

Explanation

d: It compresses the Master File Table for efficiency Explanation

Explanation

Why is analyzing unallocated clusters important during NTFS forensic investigations?

a: They often contain fragments of deleted files that can be recovered Explanation

Explanation

b: They are used to store NTFS boot records Explanation

Explanation

c: They automatically overwrite hidden ADS data Explanation

Explanation

d: They help speed up disk read operations Explanation

Explanation