Certified Incident Handler (ECIH) — Question 32
Ruben, a crime investigator, wants to retrieve all the deleted files and folders in the suspected media without affecting the original files. For this purpose, he uses a method that involves the creation of a cloned copy of the entire media and prevents the contamination of the original media.
Identify the method utilized by Ruben in the above scenario.
Answer options
- A. Sparse acquisition
- B. Bit-stream imaging
- C. Drive decryption
- D. Logical acquisition
Correct answer: B
Explanation
The correct answer is B, Bit-stream imaging, as this method creates an exact clone of the media, allowing for data recovery without modifying the original. Options A, C, and D do not provide the same level of data preservation; Sparse acquisition may miss some data, Drive decryption does not focus on recovering deleted files, and Logical acquisition only retrieves visible files, excluding deleted ones.