Final answer:
The least likely source to contain useful information about files that were changed on a Windows system is Event logs, as they usually track system events rather than specific file changes.
Step-by-step explanation:
Mike is looking for information about files that were changed on a Windows system. The option least likely to contain useful information for this investigation would be C. Event logs. Here's why:
- The MFT or Master File Table is a critical system file in NTFS volumes. It contains records for each file and directory on an NTFS logical volume. Therefore, it would provide information about files and when they were modified.
- INDX files contain indexes of files and directories, which can sometimes include information about file modifications, so they might be of use in such an investigation.
- Volume shadow copies are snapshots of a disk volume that can reflect changes made to files or the state of files at a certain point in time.
- However, Event logs typically track system-wide events such as system logon events, service start-ups, and hardware or application failures rather than file-level changes like modifications to file content or attributes. Thus, they are the least likely to contain the specific information Mike is looking for.
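To show what "records for each file" in the MFT means in practice, here is an added example (not part of the original answer) that reads the modification timestamps from the `$STANDARD_INFORMATION` attribute of a single MFT FILE record. The record is built in the script with made-up sample times, the function names are illustrative, and update-sequence fixups are skipped because they only affect the last two bytes of each 512-byte sector.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
SI_TYPE, END_MARKER = 0x10, 0xFFFFFFFF  # $STANDARD_INFORMATION, end-of-attributes

def filetime_to_dt(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def parse_standard_information(record):
    """Return the four $STANDARD_INFORMATION timestamps of one FILE record, or None."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    # Offset 20: offset of first attribute; offset 22: record flags (0x01 = in use)
    attr_off, flags = struct.unpack_from("<HH", record, 20)
    while attr_off + 24 <= len(record):
        a_type, a_len = struct.unpack_from("<II", record, attr_off)
        if a_type == END_MARKER or a_len < 24:
            break
        if a_type == SI_TYPE and record[attr_off + 8] == 0:  # resident attribute
            c_len, c_off = struct.unpack_from("<IH", record, attr_off + 16)
            if c_len < 32 or attr_off + c_off + 32 > len(record):
                raise ValueError("truncated $STANDARD_INFORMATION")
            names = ("created", "modified", "mft_changed", "accessed")
            raw = struct.unpack_from("<4Q", record, attr_off + c_off)
            out = {n: filetime_to_dt(v) for n, v in zip(names, raw)}
            out["in_use"] = bool(flags & 0x01)
            return out
        attr_off += a_len
    return None

def build_sample_record():
    """Constructed 1024-byte FILE record; the timestamps are made-up sample values."""
    utc = timezone.utc
    times = [datetime(2024, 3, 1, 9, 0, 0, tzinfo=utc), datetime(2024, 3, 5, 14, 30, 15, tzinfo=utc),
             datetime(2024, 3, 5, 14, 30, 16, tzinfo=utc), datetime(2024, 3, 6, 8, 0, 0, tzinfo=utc)]
    header = struct.pack("<4sHHQHHHHII", b"FILE", 48, 3, 0, 1, 1, 56, 0x01, 136, 1024).ljust(56, b"\0")
    attr = struct.pack("<IIBBHHHIHBx", SI_TYPE, 72, 0, 0, 24, 0, 0, 48, 24, 0)
    content = struct.pack("<4QI12x", *[dt_to_filetime(t) for t in times], 0x20)
    return (header + attr + content + struct.pack("<I", END_MARKER)).ljust(1024, b"\0")

if __name__ == "__main__":
    for name, value in parse_standard_information(build_sample_record()).items():
        print(f"{name:12} {value}")
```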