Which of the following statements is incorrect when preserving digital evidence?

Prepare for the Computer Hacking Forensic Investigator v11 exam. Study with flashcards and multiple choice questions. Each question includes hints and explanations. Get exam-ready efficiently!

Multiple Choice

Which of the following statements is incorrect when preserving digital evidence?

Explanation:
Preserving digital evidence requires keeping the system in its current state and collecting data in a forensically sound way, so you don’t alter what you’re trying to prove. Turning on the computer to extract Windows Event Viewer log files would change the system’s state and potentially modify or overwrite data, which compromises the integrity of the evidence. Booting a machine solely to pull logs introduces new activity, alters timestamps, and can affect volatile data and the very logs you’re trying to rely on. The proper approach is to preserve the device as-is, document its current condition, and obtain evidence through non-intrusive means—such as creating a disk image and then extracting logs from the image, or performing a live acquisition only if necessary and under validated procedures. The other steps—documenting observed actions and peripheral states, and dealing with power state in a controlled, evidence-preserving way—align with sound preservation practices.
