Computer Hacking Forensic Investigator (CHFI) — Question 82
Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend a disk imaging tool?
Answer options
- A. A disk imaging tool would check for CRC32s for internal self-checking and validation and have MD5 checksum
- B. Evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file
- C. A simple DOS copy will not include deleted files, file slack and other information
- D. There is no case for an imaging tool as it will use a closed, proprietary format that if compared to the original will not match up sector for sector
Correct answer: C
Explanation
The correct answer is C. A simple DOS copy works at the file-system level and copies only the logical contents of allocated files, so it fails to capture deleted files, file slack, and other information that may be vital to an investigation. A disk imaging tool instead copies the media sector for sector, which preserves that data. Options A and B describe features of disk imaging tools and evidence file formats but do not address why a DOS copy is inadequate. Option D incorrectly claims that there is no case for an imaging tool because of proprietary formats; this is false, since imaging tools can provide complete and forensically sound images of the original data.