312-49v10 Exam - Question 542


A forensics investigator is studying the Event ID logs on a domain controller for a corporation, following a suspected security breach. He notices that a domain user account was created, then modified, and then added to a group in a very short span of time. The investigator realizes that he must cross-verify the audit policies on the local system to understand if any changes were made to them. Assuming that the investigator has the correct audit policy settings, which of the following Event IDs should he focus on?

Correct Answer: D

For an investigator focusing on changes to audit policies, Event ID 612 is crucial because it specifically logs changes made to the audit policy itself. To understand if any changes were made to the audit policies on the local system, Event ID 612 must be reviewed. The other Event IDs mentioned relate to user account creation, modification, or lockouts, which do not provide information regarding audit policy changes.

Discussion

Elb
Option: C
May 29, 2024

Event ID 624 - User Account Created
Event ID 642 - User Account Changed
Event ID 644 - User Account Locked out
Event ID 612 - Audit Policy Change