Computer Hacking Forensic Investigator (CHFI v10) — Question 429

An organization has suffered a significant data breach and called in a Computer Hacking Forensics Investigator (CHFI) to gather evidence. The investigator has decided to use the dead acquisition technique to gather nonvolatile data from the compromised system. Which of the following would NOT typically be acquired during this type of forensic data acquisition process?

Answer options

• A. Web browser cache
• B. Unallocated drive space
• C. Active network connections
• D. Boot sectors

Correct answer: C

Explanation

The correct answer is C, as active network connections are not captured during a dead acquisition process, which involves analyzing a powered-off system. In contrast, items such as web browser cache, unallocated drive space, and boot sectors are typically included in nonvolatile data collection, as they may contain valuable evidence.