What is the essential tool to prevent alteration of evidence when imaging a drive?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Prepare for the Computer Hacking Forensic Investigator v11 exam. Study with flashcards and multiple choice questions. Each question includes hints and explanations. Get exam-ready efficiently!

Multiple Choice

What is the essential tool to prevent alteration of evidence when imaging a drive?

Explanation:
Preventing alteration of evidence during imaging hinges on blocking all writes to the source drive. A write-blocker sits between the drive and the forensic workstation and provides read-only access, so imaging software can read every sector without making any changes to the original drive. This guarantees the evidence remains intact, allowing the produced image to be a faithful copy. With a write-blocker, you can compute and compare hashes on the image and the source to verify that no modifications occurred, including changes to metadata, slack space, or hidden data that could be triggered by normal OS activity. Other approaches like Safe Mode, antivirus, or a network sniffer don’t offer the same guaranteed protection against writes to the disk during imaging, so they don’t ensure the same level of evidentiary integrity.

Preventing alteration of evidence during imaging hinges on blocking all writes to the source drive. A write-blocker sits between the drive and the forensic workstation and provides read-only access, so imaging software can read every sector without making any changes to the original drive. This guarantees the evidence remains intact, allowing the produced image to be a faithful copy. With a write-blocker, you can compute and compare hashes on the image and the source to verify that no modifications occurred, including changes to metadata, slack space, or hidden data that could be triggered by normal OS activity.

Other approaches like Safe Mode, antivirus, or a network sniffer don’t offer the same guaranteed protection against writes to the disk during imaging, so they don’t ensure the same level of evidentiary integrity.

More Multiple Choice Questions
Subscribe

Get the latest from Passetra

You can unsubscribe at any time. Read our privacy policy