CompTIA CASP+ (CAS-004) — Question 505
A forensics investigator is collecting evidence from desktop computers that were possibly used for criminal activity. Which of the following tools should be used first when reviewing the computers?
Answer options
- A. ExifTool
- B. Foremost
- C. Volatility
- D. The Sleuth Kit
Correct answer: D
Explanation
The Sleuth Kit is designed for file system analysis and can provide a comprehensive overview of the data on a computer, making it ideal for initial investigations. ExifTool, Foremost, and Volatility serve specific functions such as metadata extraction, file recovery, and memory analysis, respectively, which are useful later in the investigation process but not as the first step.