Exam 312-49v10 topic 1 question 788 discussion

C. Parsing the BagMRU and Bags registry keys using SBag This approach is the most effective for obtaining detailed information about recent actions, deleted directories, and mounted drives. It leverages the ShellBags data stored in the Windows registry, which includes valuable historical information about user interactions with the filesystem.

C: Parsing the BagMRU and Bags registry keys using SBag: This option aligns well with the CHFI v10 textbook’s emphasis on examining ShellBag data, which includes the BagMRU and Bags registry keys. SBag is designed to parse ShellBag information, making it an effective tool for analyzing accessed and deleted directories.

LNK is a file extension for shortcut files used by Windows OS to point to any executable files These files are created when a user/suspect accesses any local/remote file and can provide forensic investigator with valuable information on user activities on the system These artifacts also help forensic investigators find the LNK files associated with the original files that no longer exists on the target machine

The ShellBags contain information pertaining to the directories (accessed by the user) even after the directory is removed, which can be used to enumerate previously mounted drives, deleted files and User/Intruder action.

Analyzing ShellBags provides forensic investigators with data such as: ▪ Folders opened by user from a mounted external hard drive.

ShellBags are a set of registry keys which record the viewing preferences of folders of the user, such as their size, location and position, when using Windows Explorer. The information in these ShellBags plays a crucial role in the forensic investigation as it provides evidence related to folders accessed by a user.