EC-Council
312-49V11 · Question #90
312-49V11 Question #90: Real Exam Question with Answer & Explanation
Sign in or unlock 312-49V11 to reveal the answer and full explanation for question #90. The question stem and answer options stay visible for context.
Question
An investigator is reviewing an NTFS file system for evidence of file activity during a cybercrime investigation. The investigator uses The Sleuth Kit's fls and mactime tools to extract and analyze timestamps related to file actions. These timestamps can provide critical insights into the sequence of events leading up to and during the incident. What kind of file information is the investigator likely focusing on to reconstruct the timeline?
Options
- AInvestigator focuses on the file creation time, last accessed time, and file modification time.
- BInvestigator analyzes the file system's internal structure, time-related metadata, and block
- CInvestigator checks the system's boot time and shutdown timestamps to understand the system's
- DInvestigator reviews the timestamps in Windows event logs for any recorded file access or
Unlock 312-49V11 to see the answer
You've previewed enough free 312-49V11 questions. Unlock 312-49V11 for full answers, explanations, the timed quiz mode, progress tracking, and the master PDF. Question stem and options stay visible so you can still see what's on the exam.