Question 104 of 1,000
Computer Forensics Lab · hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is that the $UsnJrnl entry shows the file was modified (matching the 09:20 Last Modified time), and the system then updated the NTFS last-access timestamp to 09:25 when the file was opened again for reading; the user's 09:15 matches only the creation time. The $UsnJrnl (Update Sequence Number Journal) records every content and metadata change to a file as a sequential record carrying a reason mask, while the $MFT holds the file's $STANDARD_INFORMATION timestamps. Two caveats matter in practice: whether a read updates the last-access time at all is governed by the NtfsDisableLastAccessUpdate setting (disabled by default from Windows Vista through Windows 10 1703, and system-managed by volume size from 1803 onward), and NTFS writes last-access updates lazily, so the stored value can trail the actual read by up to an hour. On the CHFI exam, this tests your understanding of how NTFS artifacts such as the $UsnJrnl records and the $MFT timestamps can contradict user claims, a common trap where candidates forget that the system updates timestamps independently of what the user remembers doing. Remember the key distinction: the $UsnJrnl tells you *what* changed and why (the reason flags), while the $MFT tells you *when* the file was last created, modified and accessed. Memory tip: “USN logs the cause, MFT logs the pause.”

CHFI Computer Forensics Lab Practice Question

This CHFI practice question tests your understanding of computer forensics lab. Compare every option against the stated constraints before choosing — the best answer satisfies all requirements, not just the most obvious one. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Refer to the exhibit.

=== File System Analysis Report ===
Drive: /dev/sda1 (NTFS)
Inode: 2345
File: critical_data.docx
Creation Time: 2024-03-10 09:15:00 UTC
Last Modified: 2024-03-10 09:20:00 UTC
Last Access: 2024-03-10 09:25:00 UTC
$LogFile Sequence Number: 123456
$UsnJrnl: Entry 7890
=== End of Report ===

Refer to the exhibit. A forensic examiner is analyzing a Windows system and sees the above NTFS file metadata. The user claims the file was last accessed at 09:15. Which of the following best explains the discrepancy?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.


Answer choices

  A. The $UsnJrnl entry shows the file was modified, and the last access time was updated by the system when the file was opened for reading
  B. The system has disabled last access time updates, so the reported times are unreliable
  C. The creation time is earlier than the last access, indicating the file was copied from another volume
  D. The $LogFile sequence number indicates a transaction rollback that reset the timestamps

Why each option matters

Correct answer & explanation

The $UsnJrnl entry shows the file was modified, and the last access time was updated by the system when the file was opened for reading

Option A is correct because the $UsnJrnl entry records a change to the file, consistent with the 09:20 Last Modified time (a write requires the file to be opened), and the 09:25 Last Access time shows a later open for reading that the system timestamped without any action the user would recall. The user's 09:15 matches only the creation time, so the claim does not survive the metadata. Before relying on a last-access value, confirm that last-access updates were enabled on the evidence volume (fsutil behavior query disablelastaccess, or the NtfsDisableLastAccessUpdate value under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem): the default is disabled on Windows Vista through Windows 10 1703 and system-managed by volume size from 1803 onward. Here the value did change after creation, which is itself evidence that updates were on.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The $UsnJrnl entry shows the file was modified, and the last access time was updated by the system when the file was opened for reading

    Why this is correct

    The $UsnJrnl records changes; the last access time is updated on read operations, explaining the later timestamp.

    Clue confirmation

The clue word "best" in the question points toward this answer: other options describe things that can happen on NTFS, but only this one fits every timestamp in the exhibit.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The system has disabled last access time updates, so the reported times are unreliable

    Why it's wrong here

If updates were disabled, the last access time would have stayed at its original value; here it advanced to 09:25, later than both the creation and modification times, so updates were enabled on this volume and the reported times are usable.

  • The creation time is earlier than the last access, indicating the file was copied from another volume

    Why it's wrong here

Creation time being earlier than last access is the normal order for a file created and used on the same volume. The hallmark of a file copied from another volume is a creation time later than its modification time (the copy gets a new creation time but keeps the source's modification time), and that is not what the exhibit shows.

  • The $LogFile sequence number indicates a transaction rollback that reset the timestamps

    Why it's wrong here

$LogFile is the NTFS transaction log used for crash recovery; its sequence number (LSN) only orders metadata transactions. Recovery can undo an incomplete transaction after a crash, but nothing in the exhibit indicates a crash, and a rollback would not produce a consistent, later last-access time of 09:25.

Common exam traps

Common exam trap: answer the scenario, not the keyword

CHFI questions often test the misconception that last access times are always disabled or unreliable. The trap here is that the $UsnJrnl entry confirms the file was modified after 09:15, and the volume's last-access update at 09:25 confirms a later read, so the user's claim is inconsistent with the system's own record of activity.

Detailed technical explanation

How to think about this question

The $UsnJrnl is the NTFS change journal, stored in the sparse $J alternate data stream of \$Extend\$UsnJrnl. Each record carries a USN (the record's byte offset in the stream), the file's MFT reference, a timestamp and a reason mask (DATA_OVERWRITE, DATA_EXTEND, FILE_CREATE, FILE_DELETE, RENAME_NEW_NAME, BASIC_INFO_CHANGE, CLOSE and others), so it shows what changed and when. Note what it does not show: a plain read that changes nothing produces no journal record, so the 09:25 open is evidenced by the $MFT last-access time rather than by the journal, and whether that timestamp is written at all depends on the volume's NtfsDisableLastAccessUpdate setting. When the timestamps themselves are suspect, compare the $STANDARD_INFORMATION times (which user-mode tools can set) against the $FILE_NAME times in the same MFT record (which are maintained by the kernel), since timestomping tools usually alter only the former. In real-world forensic analysis the journal, the $MFT and $LogFile together give a timeline of file activity that can be set against user claims, especially when timestamps have been manipulated or are inconsistent.
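The correlation described above and in the correct-answer explanation, as an added example that is not code from this page or from EC-Council: Python that parses USN_RECORD_V2 entries from a constructed $UsnJrnl:$J byte string, decodes the reason flags and MFT reference, and sets the records against the exhibit's $MFT timestamps to test the user's 09:15 claim. The journal bytes, the MFT sequence number 7, the parent reference and the two records are constructed for the example; the record layout and reason bits follow the documented Win32 USN_RECORD_V2 structure.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header, 60 bytes little-endian (Win32 layout):
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset
USN_RECORD_V2 = struct.Struct("<IHHQQqqIIIIHH")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch

REASON_FLAGS = {  # subset of the USN_REASON_* bits
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
DATA_CHANGE_MASK = 0x00000007   # any write to the unnamed ($DATA) stream


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_reason(mask):
    return [name for bit, name in sorted(REASON_FLAGS.items()) if mask & bit]


def parse_usn_records(blob):
    """Walk a $UsnJrnl:$J blob and return one dict per USN_RECORD_V2."""
    records, off = [], 0
    while off + 4 <= len(blob):
        (length,) = struct.unpack_from("<I", blob, off)
        if length == 0:            # zeroed padding inside the sparse stream
            off += 8
            continue
        if length < USN_RECORD_V2.size:
            raise ValueError(f"corrupt record length {length} at offset {off}")
        (_, major, _, frn, _, usn, ts, reason, _, _, _,
         name_len, name_off) = USN_RECORD_V2.unpack_from(blob, off)
        if major != 2:
            raise ValueError(f"unsupported USN record version {major} at offset {off}")
        name = blob[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn,
            "mft_entry": frn & 0xFFFFFFFFFFFF,   # low 48 bits: MFT entry number
            "mft_seq": frn >> 48,                # high 16 bits: sequence number
            "timestamp": filetime_to_dt(ts),
            "reason": reason,
            "reasons": decode_reason(reason),
            "name": name,
        })
        off += length
    return records


def build_record(usn, mft_entry, seq, when, reason, name):
    """Serialize one constructed USN_RECORD_V2, 8-byte aligned as NTFS writes it."""
    name_bytes = name.encode("utf-16-le")
    length = (USN_RECORD_V2.size + len(name_bytes) + 7) & ~7
    parent_ref = (5 << 48) | 5          # constructed: parent directory entry 5, seq 5
    header = USN_RECORD_V2.pack(
        length, 2, 0, (seq << 48) | mft_entry, parent_ref, usn,
        dt_to_filetime(when), reason, 0, 0, 0x20,   # FILE_ATTRIBUTE_ARCHIVE
        len(name_bytes), USN_RECORD_V2.size)
    return header + name_bytes + b"\0" * (length - USN_RECORD_V2.size - len(name_bytes))


def T(hh, mm, ss=0):
    """Timestamps on the exhibit's date, 2024-03-10, in UTC."""
    return datetime(2024, 3, 10, hh, mm, ss, tzinfo=timezone.utc)


def constructed_journal():
    """Constructed $J bytes: a write to MFT entry 2345 at 09:20, then its CLOSE record."""
    blob = b"\0" * 16                                    # leading sparse padding
    for when, reason in ((T(9, 20), 0x00000003), (T(9, 20, 2), 0x80000003)):
        blob += build_record(len(blob), 2345, 7, when, reason, "critical_data.docx")
    return blob


EXHIBIT_MFT = {  # $STANDARD_INFORMATION timestamps from the exhibit
    "created": T(9, 15), "modified": T(9, 20), "accessed": T(9, 25),
}


def assess_access_claim(mft, records, claimed_last_access, last_access_updates_enabled=True):
    """List every artifact that implies the file was opened after the claimed time."""
    evidence = []
    if mft["modified"] > claimed_last_access:
        evidence.append(f"$MFT last modified {mft['modified']:%H:%M} (a write needs an open handle)")
    writes = [r for r in records if r["reason"] & DATA_CHANGE_MASK]
    for r in writes:
        if r["timestamp"] > claimed_last_access:
            evidence.append(f"$UsnJrnl USN {r['usn']} {'|'.join(r['reasons'])} at {r['timestamp']:%H:%M:%S}")
    activity = [mft["modified"]] + [r["timestamp"] for r in writes]
    if last_access_updates_enabled:      # otherwise the last-access time is stale and must be ignored
        activity.append(mft["accessed"])
        if mft["accessed"] > claimed_last_access:
            evidence.append(f"$MFT last access {mft['accessed']:%H:%M} (read after the last write)")
    return {"claim_consistent": not evidence, "latest_activity": max(activity), "evidence": evidence}


if __name__ == "__main__":
    verdict = assess_access_claim(EXHIBIT_MFT, parse_usn_records(constructed_journal()), T(9, 15))
    print("claim consistent:", verdict["claim_consistent"])
    for line in verdict["evidence"]:
        print("  -", line)
```

The `last_access_updates_enabled` switch is the practitioner's caveat from the explanation: on a volume where NtfsDisableLastAccessUpdate has updates off, the function drops the $MFT last-access time and the latest provable activity falls back to the journal's 09:20:02 CLOSE record rather than 09:25.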

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

In practice the same check comes up whenever a user's account of when a document was last opened has to be tested against the file system: the examiner pulls the $MFT record for the file (both the $STANDARD_INFORMATION and $FILE_NAME timestamps), the $UsnJrnl:$J records for that MFT entry, and the volume's last-access update setting, and only then decides which timestamps count as evidence. The correct answer here is not the most general option; it is the best answer for the specific constraint described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related CHFI practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free CHFI practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this CHFI question test?

Computer Forensics Lab — this question tests how $MFT timestamps and $UsnJrnl records are correlated against a user's account of file activity. Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: The $UsnJrnl entry shows the file was modified, and the last access time was updated by the system when the file was opened for reading — Option A is correct because the $UsnJrnl records a change to the file consistent with the 09:20 Last Modified time, and the 09:25 Last Access time shows a later open for reading that the system timestamped. The user's 09:15 matches only the creation time, so the claim is inconsistent with the metadata, provided last-access updates were enabled on the volume (which the advancing timestamp itself indicates).

What should I do if I get this CHFI question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Last reviewed: Jun 11, 2026


This CHFI practice question is part of Courseiva's free EC-Council certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CHFI exam.