Which statement is not correct when dealing with a powered-on computer at a crime scene?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Prepare for the Computer Hacking Forensic Investigator v11 exam. Study with flashcards and multiple choice questions. Each question includes hints and explanations. Get exam-ready efficiently!

Multiple Choice

Which statement is not correct when dealing with a powered-on computer at a crime scene?

Explanation:
When a computer is powered on at a crime scene, the priority is to preserve the current state without altering any evidence. The safe approach is to document what’s visible and capture it with non-invasive methods, avoiding actions that could change data or memory. Powering on a machine that is switched off to take a screenshot is not correct because turning the device on can modify data, memory contents, file timestamps, and overall state. This change can contaminate evidence and undermine forensic integrity unless there is explicit authorization and a documented, approved procedure in place. The other scenarios align with non-invasive documentation. If the monitor is showing something, waking the display by gently moving the mouse—without clicking—and photographing the screen records what is present without altering it. If the display is on but blank, waking it slightly and photographing still captures the visible context. If the screen is viewable, recording the programs running and photographing the display helps document the system’s state at that moment. In all cases, the goal is to capture evidence as it exists, with minimal interaction that could modify it.

When a computer is powered on at a crime scene, the priority is to preserve the current state without altering any evidence. The safe approach is to document what’s visible and capture it with non-invasive methods, avoiding actions that could change data or memory.

Powering on a machine that is switched off to take a screenshot is not correct because turning the device on can modify data, memory contents, file timestamps, and overall state. This change can contaminate evidence and undermine forensic integrity unless there is explicit authorization and a documented, approved procedure in place.

The other scenarios align with non-invasive documentation. If the monitor is showing something, waking the display by gently moving the mouse—without clicking—and photographing the screen records what is present without altering it. If the display is on but blank, waking it slightly and photographing still captures the visible context. If the screen is viewable, recording the programs running and photographing the display helps document the system’s state at that moment. In all cases, the goal is to capture evidence as it exists, with minimal interaction that could modify it.

More Multiple Choice Questions
Subscribe

Get the latest from Passetra

You can unsubscribe at any time. Read our privacy policy