Computer Hacking Forensic Investigator (CHFI v10) — Question 226
A small law firm located in the Midwest has possibly been breached by a computer hacker looking to obtain information on their clientele. The law firm does not have any on-site IT employees, but wants to search for evidence of the breach themselves to prevent any possible media attention. Why would this not be recommended?
Answer options
- A. Searching for evidence themselves would not have any ill effects
- B. Searching could possibly crash the machine or device
- C. Searching creates cache files, which would hinder the investigation
- D. Searching can change date/time stamps
Correct answer: D
Explanation
The correct answer is D because conducting their own search can inadvertently modify the original date and time stamps of files, which are crucial for a forensic investigation. Options A and B are incorrect because there can be significant negative consequences, including the risk of crashing systems. Option C is also wrong: although cache files may be created, the alteration of timestamps poses a more critical threat to the integrity of the investigation.