Computer Hacking Forensic Investigator (CHFI v10) — Question 293
A Computer Hacking Forensic Investigator (CHFI) has been asked to retrieve specific email files from a large RAID server after a data breach. Fragments of unallocated (deleted) data are also required. However, there is a severe constraint on time and resources. Considering these requirements, which type of data acquisition should the investigator primarily focus on?
Answer options
- A. Logical acquisition
- B. Bit-stream disk-to-disk
- C. Sparse acquisition
- D. Bit-stream disk-to-image-file
Correct answer: C
Explanation
Sparse acquisition is ideal in this scenario because it allows the investigator to focus on specific areas of interest, such as the email files and fragments of deleted data, while conserving time and resources. Logical acquisition would not retrieve deleted data, while the bit-stream methods would require more time and space than are available.