CompTIA CASP+ (CAS-004) — Question 547

A forensic investigator started the process of gathering evidence on a laptop in response to an incident. The investigator took a snapshot of the hard drive, copied relevant log files, and then performed a memory dump. Which of the following steps in the process should have occurred FIRST?

Answer options

• A. Preserve secure storage.
• B. Clone the disk.
• C. Collect the most volatile data.
• D. Copy the relevant log files.

Correct answer: C

Explanation

The correct answer, C, is right because collecting the most volatile data, such as RAM, is crucial to preserve evidence that may be lost quickly. Options A, B, and D, while important, should follow after ensuring the most transient data is collected, as it can change or disappear rapidly.