CFE – Investigation — Question 19

Which of the following is the LEAST ACCURATE statement about seizing a computer for examination?

Answer options

• A. Before removing a computer system from a scene for further analysis, it is important to document the system’s setup with photographs or diagrams.
• B. When taking a computer for examination, if the computer is off, it should remain off when it is removed.
• C. When seizing a computer that is running, it is acceptable for a fraud examiner to review the files contained on the machine prior to seizing it.
• D. When seizing a computer for examination, the seizing party should look around the area for passwords because many people leave passwords near their computers.

Correct answer: D

Explanation

Option D is the least accurate because seizing parties should not rely on finding passwords in the vicinity of the computer; they should follow proper protocols for evidence collection. The other options correctly describe appropriate actions for documenting and handling a computer during seizure. Options A, B, and C provide necessary steps to ensure the integrity of the evidence.