Computer Hacking Forensic Investigator (CHFI v10) — Question 434
In a computer forensics investigation, an investigator is dealing with a system that has been recently shut down. The data they need is of a non-volatile nature. Which type of data acquisition methodology should the investigator adopt in this scenario and why?
Answer options
- A. The investigator should not perform any data acquisition as the system is already powered off
- B. The investigator should use either live or dead data acquisition as both methods can collect non-volatile data from the system
- C. The investigator should use live data acquisition since it is intended to capture dynamic data from the computer's memory, caches, and registries
- D. The investigator should use dead data acquisition because it is designed to collect unaltered data from storage devices such as hard drives and USB thumb drives
Correct answer: D
Explanation
The correct answer is D because dead data acquisition is specifically designed to obtain unaltered data from storage devices after the system has been powered off, preserving the integrity of the evidence. Option A is incorrect because it dismisses the need for acquisition simply because the system is off; non-volatile data on the storage devices is still recoverable. Option B is misleading because live acquisition is not suitable for a powered-off system. Option C is also incorrect because live data acquisition targets volatile data and cannot be performed when the system is not running.