Computer Hacking Forensic Investigator (CHFI v10) — Question 448
A cybersecurity forensics investigator is tasked with acquiring data from a suspect's drive for a civil litigation case. The suspect drive is 1TB, and due to time constraints, the investigator decides to prioritize and acquire only data of evidentiary value. The original drive cannot be retained. In this context, which of the following steps should the investigator prioritize?
Answer options
- A. Opt for disk-to-image copying for the large suspect drive
- B. Execute logical acquisition considering the one-time opportunity to capture data
- C. Utilize DriveSpace or DoubleSpace to reduce the data size
- D. Use a reliable data acquisition tool to make a copy of the original drive
Correct answer: B
Explanation
The correct answer is B. A logical acquisition copies only the files and folders the investigator selects (for example user documents, mail archives and browser data) rather than every sector of the drive, so it fits a 1 TB source that must be processed under a deadline. Because the original drive cannot be retained, this is a one-time opportunity to capture the data: the investigator must define the scope up front, hash each acquired file at collection time and document what was left behind, since unallocated space, file slack and anything outside the selected paths will not be available later. Options A and D describe approaches that produce a complete bit-for-bit copy of the drive, which is preferable when time and retention allow but is not feasible in this situation. Option C is irrelevant: DriveSpace and DoubleSpace are legacy MS-DOS disk compression utilities and do not contribute to evidence collection.
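The following script is an added example, not part of the CHFI question or of any EC-Council tool. It shows in code what a logical acquisition captures and what it does not: only files matching the investigator's selection rule are copied, each one is hashed before and after copying, and a manifest records the result. The sample directory tree is constructed inside a temporary directory so the script runs offline, and the selection rule (document and mail-archive extensions) is an assumption standing in for the case-specific scope.

```python
"""Selective (logical) acquisition with a hash manifest.

Added example, not part of the CHFI question or EC-Council material.
A logical acquisition copies chosen files, not sectors: unallocated space
and slack are never touched, so whatever the selection rule misses is lost
once the original drive is returned. Hashing the source before the copy and
the copy afterwards catches transfer errors while there is still a chance
to correct them.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed selection rule for this example: file types likely to matter in a
# civil matter. A real case would use the scope agreed for the litigation.
EVIDENTIARY_SUFFIXES = {".docx", ".xlsx", ".pdf", ".pst"}
CHUNK = 1 << 20  # 1 MiB read size so multi-GB items never sit in memory


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def select_files(root: Path) -> list[Path]:
    """Walk the source tree and keep only files matching the selection rule."""
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in EVIDENTIARY_SUFFIXES
    )


def logical_acquire(source: Path, evidence: Path) -> list[dict]:
    """Copy selected files into the evidence directory and build a manifest.

    Each entry records the relative path, size, the hash of the original
    (computed before copying) and the hash of the copy, plus whether they
    match. copy2 preserves modification times, which a reviewer may later
    rely on.
    """
    manifest = []
    for src in select_files(source):
        rel = src.relative_to(source)
        dst = evidence / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        src_hash = sha256_file(src)
        shutil.copy2(src, dst)
        dst_hash = sha256_file(dst)
        manifest.append({
            "source": rel.as_posix(),
            "size": src.stat().st_size,
            "sha256_source": src_hash,
            "sha256_copy": dst_hash,
            "verified": src_hash == dst_hash,
        })
    return manifest


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: three files of interest and two out of scope."""
    (root / "Documents").mkdir(parents=True)
    (root / "Documents" / "contract.docx").write_bytes(b"contract terms v3")
    (root / "Documents" / "ledger.xlsx").write_bytes(b"q3 figures")
    (root / "Mail").mkdir()
    (root / "Mail" / "outlook.pst").write_bytes(b"mail archive")
    (root / "Music").mkdir()
    (root / "Music" / "track01.mp3").write_bytes(b"not evidence")
    (root / "pagefile.sys").write_bytes(b"also out of scope")


def run_demo() -> list[dict]:
    """Acquire the constructed tree into a temporary evidence directory."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "suspect"
        evidence = Path(tmp) / "evidence"
        build_sample_tree(source)
        return logical_acquire(source, evidence)


if __name__ == "__main__":
    for entry in run_demo():
        status = "ok" if entry["verified"] else "MISMATCH"
        print(f'{entry["source"]:28} {entry["sha256_copy"][:16]}... {status}')
```

In a real acquisition the evidence directory would be on the investigator's own write-protected target rather than in a temporary directory, and the manifest would be saved alongside the copies and hashed itself, so that the collection can be verified after the original drive has been returned.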