Computer Hacking Forensic Investigator (CHFI) — Question 129
Which is a standard procedure to perform during all computer forensics investigations?
Answer options
- A. With the hard drive removed from the suspect PC, check the date and time in the system's CMOS
- B. With the hard drive in the suspect PC, check the date and time in the File Allocation Table
- C. With the hard drive removed from the suspect PC, check the date and time in the system's RAM
- D. With the hard drive in the suspect PC, check the date and time in the system's CMOS
Correct answer: A
Explanation
The correct answer is A. With the hard drive removed, the system can be powered on to check the CMOS date and time without booting from or writing to the evidence drive, so no data is altered or tampered with during the investigation. Options B and D are incorrect because they involve checking the date and time while the hard drive is still in the system, which can compromise the integrity of the evidence. Option C is also incorrect because the system's RAM does not provide reliable information about the system's date and time settings.