Chapter 30 — Exercises
Twenty-nine problems in seven groups (A–G), mixing concept checks, hands-on labs (run an entropy scan, compare
$SI`/`$FN, hunt the wiping tool, carve a slack region, build the concealment timeline, write the findings, calculate an entropy value, verify a hash), and judgment questions about when an absence is a finding and when it is only a lead. Hands-on labs assume a practice image and the toolset (Eric Zimmerman tools, The Sleuth Kit, Autopsy,hdparm) from Appendix J — Practice Images and Lab Setup. (answer in Appendix) = worked solution in Answers to Selected. ⭐ = stretch. Everything here is detection, never evasion — and every command runs against a verified working copy, never the original.
Group A — Secure deletion and the wiping mythology
30.1 A client's spinning hard drive had a single zero-pass run across one partition by a disgruntled former employee, and the client has paid a "deep magnetic recovery" lab a deposit on the promise of getting the data back. (a) Explain, in terms a non-technical client will understand, why a single overwrite on a modern HDD makes the original data unrecoverable. (b) Cite the empirical study and the NIST publication that support your position. (c) Write the two-sentence statement you would give the client that is honest, kind, and protects them from being defrauded by the other lab. (answer in Appendix)
30.2 Match each sanitization method to the media it is appropriate for, and flag the one mismatch that is both unnecessary and unreliable: (i) single-pass overwrite, (ii) DoD 5220.22-M three-pass, (iii) Gutmann 35-pass, (iv) ATA SECURITY ERASE UNIT, (v) SANITIZE crypto-scramble on a self-encrypting drive — applied to (A) a 2009 magnetic HDD, (B) a modern SATA SSD, (C) a self-encrypting NVMe drive. For each of (ii) and (iii), state in one sentence why it persists in tool menus despite being obsolete on current media.
30.3 ⭐ Calculate the entropy. Shannon entropy in bits/byte is H = −Σ pᵢ·log₂(pᵢ). (a) A 65,536-byte window contains only two byte values, 0x00 and 0xFF, in exactly equal proportion. Compute H and state which anti-forensic (or innocent) phenomenon it is consistent with. (b) A second 65,536-byte window contains all 256 possible byte values, each occurring exactly 256 times. Compute H. (c) Both a single-pass random wipe and an encrypted container would produce a window like (b). Explain why entropy alone cannot distinguish them, and name the one category of evidence that does.
30.4 A drive region reads as hundreds of megabytes of contiguous 00 bytes in what the file system marks as unallocated space. Give three distinct hypotheses for this observation — at least one deliberate (anti-forensic) and at least one entirely innocent — and, for each, name the single corroborating check that would confirm or rule it out. Then state the reporting rule that follows when you cannot rule out the innocent explanations.
Group B — Evidence-destruction tools and the artifacts they leave
30.5 A "PC cleaner" was run on a Windows 10 workstation. List four distinct artifact families that record the execution of that cleaner even though the cleaner's whole purpose was to erase evidence, and for each, name the specific file or registry location and what it contributes (presence, execution, run count, user attribution, or configuration). Then state the one-sentence reason these artifacts survive: why can a tool not erase the record of its own running? (answer in Appendix)
30.6 You parse CCLEANER64.EXE-A1B2C3D4.pf with PECmd and it reports run count 3, last run 2024-03-16 09:14:22, and earlier runs on March 12 and March 9. The SOFTWARE\Piriform\CCleaner key has "wipe free space" enabled, and UserAssist in jrivera's NTUSER.DAT shows the GUI launch. (a) Explain why these three independent artifacts together are far stronger than any one alone. (b) Which artifact proves execution (not mere presence), and which binds the run to the user account? (c) What would you check next to learn whether the same cleaner ran unattended on a schedule?
30.7 ⭐ Lab — inventory the toolkit. On a practice image known to contain anti-forensic activity, build a complete inventory of evidence-destruction tooling. (a) Search Prefetch, Amcache (AmcacheParser), and the SOFTWARE/NTUSER Uninstall and application keys for CCleaner, Eraser, BleachBit, and sdelete (look for the SDelete EULA-accept registry value). (b) Parse C:\Windows\System32\Tasks\ for any recurring secure-delete job, recording its author SID and creation time. (c) Produce a table: tool, evidence of presence, evidence of execution (with timestamp), and the artifact that attributes it to a user. (d) State why "the set of tools present is itself characterizing evidence."
30.8 After a free-space wipe, several NTUSER.DAT MRU keys (RecentDocs, TypedURLs, RunMRU) contain no values yet carry a key last-write time of 2024-03-16 09:14. (a) Explain precisely why "empty with a recent last-write time" means emptied, whereas "empty with an old last-write time" means never used. (b) The browser history ends cleanly at the same minute rather than tapering off. Why is an abrupt cut more suspicious than a gradual decline? (c) Name the surviving $Recycle.Bin` artifact that can still give you original path, size, and deletion time even after the `$R content is gone, and the minute it lands in the anchor timeline.
Group C — Timestomping: detecting the forged clock
30.9 NTFS stores two independent MACB timestamp sets per file. (a) Name both attributes, their type codes, and which one Windows Explorer displays. (b) State which set is user-settable through the normal API (name one API call) and which is kernel-maintained and hidden from user mode. (c) Explain in one sentence why that asymmetry is "the gift" that makes timestomping reliably detectable. (answer in Appendix)
30.10 Lab — read the contradiction. Given this istat excerpt for the anchor file (record 84120 on WS-ENG-04.E01):
$STANDARD_INFORMATION: Created 2022-02-11 10:00:00.0000000 Modified 2022-02-11 10:00:00.0000000
MFT Modified 2024-03-16 09:13:58.6042217 Accessed 2022-02-11 10:00:00.0000000
$FILE_NAME: Created 2024-03-15 18:58:13.4471902 Modified 2024-03-15 18:58:13.4471902
(a) Identify the single impossibility that proves the $SI` Created value is forged. (b) Two *additional* tells are visible in this output — name both (one about sub-second fractions, one about a field the tool failed to control). (c) The `$SI MFT-Modified field reads 2024-03-16 09:13:58 — explain what real-world event that timestamp most likely captures, and why the tool could not prevent it.
30.11 A forged timestamp reads ...10:00:00.0000000 while genuine timestamps elsewhere on the same volume read ...18:58:13.4471902. (a) What does the all-zero sub-second fraction indicate, and which classic tool is known for producing it? (b) Why is this tell weaker on its own than the $SI`-older-than-`$FN contradiction? (c) Describe a scenario in which sub-seconds could legitimately be zero, so you do not cry wolf.
30.12 ⭐ The NTFS change journal ($Extend\$UsnJrnl:$J) holds a FileCreate record for the suspect file stamped 2024-03-15 18:58 and a BasicInfoChange record at 2024-03-16 09:13:58. (a) Explain why the USN journal is harder for a timestomping tool to defeat than the file's own MFT timestamps. (b) What does the BasicInfoChange record at 09:13:58 most likely represent? (c) Name two other independent clocks (from Chapter 16's artifacts) that recorded this file's real activity and that the suspect did not know to forge. (d) State the principle: "when one timestamp contradicts ten, ______."
30.13 A high-stakes case rests on a $SI`/`$FN contradiction, and opposing counsel will argue the examiner is naive about advanced tooling. (a) Name the category of tool (and one example) that can manipulate $FN` itself, defeating a naive `$SI-vs-$FN`-only check. (b) List the three additional corroborating sources you would cite so your conclusion does not rest on `$FN alone. (c) Write the one-sentence limitation you would volunteer on direct examination so the defense cannot spring it on cross.
Group D — Log wiping and tampering
30.14 A workstation's Security.evtx is suspiciously short. (a) Which event ID does Windows write when the Security log is cleared, and what three facts does it record? (b) Which event ID, in which log, fires when a non-Security log is cleared? (c) Beyond the self-announcing event, name two structural tells of a cleared log on a machine you can prove was running for months. (answer in Appendix)
30.15 Calculate the gap. In a Security.evtx sorted by EventRecordID, two physically adjacent on-disk records carry IDs 50,201 and 50,940, with no records between them and no 1102 present. (a) How many records are missing? Show the arithmetic. (b) Why does the absence of a 1102 point to surgical record deletion rather than a full clear? (c) Name the two chunk-header fields and the checksum that a crude editing tool fails to reconcile, turning the edit into a verifiable corruption. (d) Where else, besides the active log, might the deleted records survive as carvable fragments — and what 4-byte marker do you carve for?
30.16 ⭐ Lab — Linux log tampering. On a practice Linux image, examine: (a) /var/log/auth.log and syslog for truncation or rotation/sequence gaps against a machine you can prove was up (boot records); (b) wtmp/btmp with utmpdump, looking for zeroed or structurally broken login entries among intact ones; (c) ~/.bash_history for the classic tells of an active account — an empty or missing file, or a symlink to /dev/null. For (d), explain what journalctl --verify checks and what Forward Secure Sealing (FSS) would let you prove about post-hoc tampering.
30.17 Explain the deeper pattern that unifies Windows event-log clearing, surgical .evtx record deletion, Linux wtmp editing, and a wiped ~/.bash_history. Phrase it as one sentence in the form of theme #3, then give one concrete example of how the shape of the hole reveals what was removed (e.g., logons present in one log with no counterpart where they must appear).
Group E — Data hiding: ADS, slack, hidden areas, and signatures
30.18 NTFS alternate data streams (ADS). (a) Mechanically, what makes a stream "alternate" — what is different about its $DATA attribute in the MFT record? (b) Give the single cmd.exe switch and the single PowerShell idiom that enumerate streams. (c) Name the one ubiquitous, benign stream you must not cry wolf over, and explain why it is actually useful to an examiner. (d) Describe the anomaly that distinguishes a hiding place from that benign stream. (answer in Appendix)
30.19 Lab — parse a hidden stream. On a mounted practice image (read-only), a file report.docx shows, via dir /r, a stream report.docx:payload:$DATA of 1,144,320 bytes alongside the 18,432-byte unnamed stream. (a) Use fls/icat (the stream appears as file:stream) or Get-Item -Stream to extract the named stream to a separate file. (b) Run file on the extracted stream to identify its true type from its magic number. (c) Compute and record the SHA-256 of the extracted stream into your chain-of-custody worksheet, and write the one-line custody note documenting source image, working-copy hash, and tool. (d) Explain why a naive copy of report.docx to evidence storage would have silently destroyed this finding.
30.20 Lab — carve the slack. (a) Using The Sleuth Kit, extract only the slack space of the NTFS volume (blkls -s), then run strings and foremost against the output. (b) Explain why slack space contains recoverable remnants in the first place (tie it to the cluster/sector allocation model). (c) Name three other slack-like hiding regions besides file (cluster) slack. (d) State the dual-lens point: how the same slack region serves both the 💾 recovery technician and the 🔍 examiner.
30.21 ⭐ A 2-TB drive's manufacturer label reads "2,000,398,934,016 bytes," but your imager reports a smaller accessible capacity. (a) Name the two ATA features that hide sectors from the operating system, and which one hides capacity even from the other. (b) Give the two hdparm commands that detect each. (c) Why must this be checked at acquisition time rather than during analysis? (d) Explain how a naive image that copies only OS-visible LBAs becomes an incomplete — and impeachable — piece of evidence.
30.22 A file named vacation.jpg begins with the bytes 50 4B 03 04 14 00. (a) Decode the magic number — what file type is this really? (b) Name the detection technique and the two tools (one CLI, one Autopsy module) that catch it automatically. (c) Where in this book is the magic-number reference that lets you adjudicate header-vs-extension disputes? (d) Write the one habit this exercise is meant to instill, in the chapter's own words.
Group F — Encryption, steganography, and counter-attribution
30.23 Entropy as the tell. (a) Give the approximate Shannon-entropy bands for English text, native executables, already-compressed data (JPEG/ZIP), and strong ciphertext. (b) Explain why a sliding-window entropy scan locates candidates but never delivers a verdict about encryption. (c) List three application-level artifacts that corroborate a VeraCrypt container when you cannot open it. (d) Why can you not prove, from a disk image alone, that a VeraCrypt hidden volume exists inside an outer container? (answer in Appendix)
30.24 Steganography and its limits. (a) Distinguish LSB embedding (and its typical carriers) from DCT-coefficient embedding (and its typical carrier). (b) Name two steganalysis approaches and two tools. (c) In practice you "more often catch steganography by its surroundings than by cracking the carrier" — list three such surrounding artifacts. (d) Write the complete, professional finding for a case where you detect a high likelihood of LSB steganography but cannot extract the payload without the passphrase.
30.25 ⭐ Lab — Tor on a dead box. On a practice image with Tor Browser usage, enumerate the on-disk tells without running any live tooling: (a) the browser folder and the downloaded installer (and the ADS that records where it was downloaded from); (b) the execution artifacts that betray Tor was run from an unusual path; (c) the three Tor state files under ...\TorBrowser\Data\Tor\ and what each one's last-modified time approximates. (d) Explain why a live memory capture (had the machine been seized powered-on) would have been the richest Tor evidence of all, and what it would contain.
30.26 A suspect ran a VPN client and may have used a VeraCrypt container. (a) List four on-disk VPN artifacts (client install, configuration/logs, virtual adapter, autostart) and one network-side tell with a characteristic port. (b) Reframe the lesson for everyone: with Tor and VPNs you rarely recover content, yet three things remain as artifacts — name them, and give a one-line example of how timing correlation can rebuild a story the tunnel was meant to hide. (c) Why is the question of compelling the container password a matter for counsel and the court, not the keyboard — name the U.S. constitutional issue and one foreign statute.
Group G — The meta-method, judgment, and the progressive project
30.27 The absence of an expected artifact is a finding. (a) List four artifact baselines a Windows workstation in daily use for months should exhibit. (b) For each of "empty Prefetch," "short event log," "many zeroed clusters," and "empty $Recycle.Bin," give both the anti-forensic cause and at least one innocent cause. (c) State the discipline that converts a suspicious absence from a lead into a defensible finding. (answer in Appendix)
30.28 Two examiners review the same machine. One writes "the suspect wiped free space to destroy evidence." The other writes "a contiguous zeroed region in unallocated space is consistent with a free-space wipe; it coincides with the dated execution of CCleaner (09:14) and the dated emptying of several MRU keys (09:14); an innocent explanation such as a repurposed disk is not supported because the System log proves continuous use." (a) Which finding survives cross-examination, and why? (b) Identify the specific overreach in the first sentence. (c) Rewrite the first examiner's sentence so it is defensible while preserving its real weight.
30.29 ⭐ Write the report. Draft a 150–180-word "Anti-Forensic Indicators" section for the anchor case that counsel can rely on and that a competent cross-examiner could not impeach. Requirements: cite each indicator's artifact, tool, and timestamp; bind per-user artifacts to jrivera by name; cover at least three of the four concealment acts (timestomping, free-space wipe, Recycle-Bin emptying, dated MRU/history gaps); state at least two limitations explicitly; keep finding and inference separate; and assert no motive. Then flag, in one sentence, the spoliation implication for counsel.
30.30 Progressive project — the anti-forensics detection pass. Add this chapter's results to your Forensic Case File. (1) Wiping: run the Appendix B entropy scanner (or Autopsy's Encryption Detection module) across your image; flag contiguous zeroed and random regions; search $MFT` for deleted entries with junk-pattern names and zeroed data runs; inventory wiping-tool artifacts. (2) **Timestomping:** export `$SI and $FN` MACB sets with `MFTECmd`, filter for `$SI Created earlier than $FN` Created and for zeroed `$SI sub-seconds, and confirm any hit against the USN journal. (3) Log tampering: run EvtxECmd; search 1102/104; sort by EventRecordID for gaps; compare each log's earliest timestamp to System-log boot history. (4) Hiding: enumerate ADS, carve slack, run a signature-mismatch scan, and note high-entropy blobs. (5) Absence — carefully: for every conspicuous absence, write both the anti-forensic hypothesis and the innocent alternative, and mark findings you can defend versus leads you cannot yet confirm. (6) Add an "Anti-Forensic Indicators" table (indicator, artifact, tool, timestamp, limitation) to the case file and hash every extracted artifact into your chain-of-custody worksheet (Appendix F). You will fold this pass into the master report at Chapter 38 — The Capstone Investigation.
Self-check. You have mastered this chapter when, handed an image, you instinctively run the six-step detection pass and can do four things without overstating any of them: prove a wipe occurred (even where you cannot recover the data) and identify the tool by its own artifacts; expose a forged timestamp by playing
$SI` against `$FN, the USN journal, and the independent clocks; read a cleared or surgically edited log by its self-announcing events and broken sequence; and — hardest of all — reason from a dated absence while rigorously testing the innocent explanations and stating every limit. If you can build the concealment timeline in Group G and defend each line, including the lines that say "consistent with, but not conclusive of," you are ready for Chapter 31 — Cloud Forensics, where the evidence moves off the device entirely.