CFE – Investigation — Question 17
Jackson, a digital forensic examiner for a government agency, is conducting a criminal investigation into the alleged embezzlement of funds from the government’s Welfare Department (WD). Ginny, a WD employee, is the prime suspect. Jackson obtains a court order authorizing him to seize Ginny’s personal computer for forensic examination. Which of the following is the MOST ACCURATE statement?
Answer options
- A. If Ginny’s computer is running, Jackson should perform a graceful shutdown by turning it off using the normal shutdown process.
- B. If Ginny’s computer is off, Jackson should not turn it on unless he plans to use an encryption device that can guarantee that the system’s hard drive will not be accessed during startup.
- C. If Ginny’s computer is running, Jackson may retrieve data from the computer directly via its normal interface if the evidence that he needs exists only in the form of volatile data.
- D. If Ginny’s computer is off and Jackson needs evidence that exists only in the form of volatile data, he should turn the computer on and retrieve data directly via the computer’s normal interface.
Correct answer: A
Explanation
The correct answer is A because performing a graceful shutdown is essential to prevent data loss or corruption, especially when the computer is running. Option B is incorrect as turning on the computer is necessary for accessing data, while C and D misunderstand the nature of volatile data, which would not be retrievable if the system is powered off without proper measures.