Computer Hacking Forensic Investigator (CHFI v10) — Question 439

A forensic investigator discovers an Android smartwatch at the crime scene during an investigation. The investigator realizes the smartwatch was potentially involved in the crime, but the device associated with it was not found at the scene. What is the most suitable initial step for the investigator to retrieve meaningful data from the smartwatch?

Answer options

• A. The investigator should first physically dismantle the smartwatch to access its internal storage
• B. The investigator should immediately turn off the smartwatch to prevent data manipulation
• C. The investigator should start by understanding the smartwatch’s basic framework, including its APIs
• D. The investigator should directly analyze data stored on the smartwatch using IoT forensics tools

Correct answer: C

Explanation

The correct answer is C because understanding the smartwatch’s framework and APIs is essential before attempting data retrieval. Options A and B are not suitable initial steps, as dismantling the device or turning it off could lead to data loss or damage. Option D, while useful, assumes prior knowledge of the device's structure, which is why starting with the framework is critical.