Computer Hacking Forensic Investigator (CHFI v10) — Question 491
In a scenario where a potential security incident has occurred on a cloud-based service, and an investigator is brought in to examine the system, what type of data acquisition would likely be beneficial in this situation? Also, explain the volatile data type that might be most interesting to the investigator.
Answer options
- A. Live acquisition should be employed to gather dynamic data from the system, concentrating on open files and command history
- B. Dead acquisition should be used to collect static data from the system, focusing on slack space and swap files
- C. Live acquisition would be advantageous to acquire volatile data, emphasizing data stored on cloud services and unencrypted containers that are open on the system
- D. Dead acquisition should be utilized to capture non-volatile data from the physical hard disk, focusing on unallocated drive space
Correct answer: C
Explanation
The correct answer is C. A cloud incident is investigated on a running instance, and a live acquisition captures the volatile state that no disk image will ever contain: the contents of RAM, established network sessions, and, in particular, data that is only reachable while the system is up, such as object storage or network shares mounted from a cloud service and encrypted containers that are currently unlocked (open). Once the instance is stopped or the container is closed, that plaintext view and the keys in memory are gone. Option A also describes a live acquisition, and open files and command history are legitimate volatile artifacts, but it omits the cloud-specific data the question asks about. Options B and D describe dead (static) acquisition, which is valuable later for slack space, swap, and unallocated space but cannot capture volatile state; on a cloud instance there is usually no physical disk to image at all, so the static copy comes from a provider volume snapshot, which still misses memory, open containers, and mounted cloud storage. The practical order is therefore live acquisition first, in order of volatility, and the volume snapshot afterwards.
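The live collection described above, as an added example that is not part of the CHFI question or EC-Council's material: a POSIX shell triage script that collects in order of volatility and then lists exactly the two artifact classes option C names, unlocked dm-crypt containers (parsed from `dmsetup table`) and cloud-backed mounts (parsed from `/proc/mounts`). The tool set (avml for the memory dump, ss, ps, lsof, dmsetup, sha256sum), the `--run` flag, and the sample `dmsetup`/`mounts` text are all assumptions of this example; the samples are constructed so the parsing functions can be exercised without touching a live system.

```shell
#!/bin/sh
# Added example for this question, not EC-Council material.
# Live-acquisition triage on a Linux cloud instance: collect in order of
# volatility (RFC 3227), then flag unlocked dm-crypt containers and
# cloud-service-backed mounts, which disappear from any later disk image.
# Assumed tools (may be absent on a given image): avml, ss, ps, lsof, dmsetup.

# Pure helper: from `dmsetup table` text on stdin, print the name of every
# device-mapper target whose type is "crypt", i.e. an open LUKS/dm-crypt volume.
# dmsetup prints the line as "name: start length target args...", so the
# target type is field 4 and the name carries a trailing colon.
open_crypt_containers() {
    awk '$4 == "crypt" { sub(/:$/, "", $1); print $1 }'
}

# Pure helper: from /proc/mounts text on stdin, print mount points whose
# filesystem type is a network or cloud-storage backend (field 3).
cloud_backed_mounts() {
    awk '$3 ~ /^(nfs|nfs4|cifs|fuse\.s3fs|fuse\.gcsfuse|fuse\.blobfuse2?)$/ { print $2 " (" $3 ")" }'
}

# Run one collection command, keep its exit status and a SHA-256 of the
# output in the manifest so the evidence can be verified later.
step() {
    name="$1"; shift
    if "$@" > "$OUT/$name" 2> "$OUT/$name.err"; then rc=0; else rc=$?; fi
    printf '%s rc=%s sha256=%s\n' "$name" "$rc" \
        "$(sha256sum "$OUT/$name" | cut -d' ' -f1)" >> "$OUT/manifest.txt"
}

collect_volatile() {
    OUT="$1"; mkdir -p "$OUT"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$OUT/started_utc.txt"
    # 1. RAM first: it holds dm-crypt keys, cloud session tokens, unsaved data.
    if command -v avml > /dev/null 2>&1; then
        avml "$OUT/memory.lime" && sha256sum "$OUT/memory.lime" >> "$OUT/manifest.txt"
    else
        echo "memory.lime SKIPPED (avml not present)" >> "$OUT/manifest.txt"
    fi
    # 2. Network state, 3. processes, 4. open files (option A's artifacts).
    step net.txt ss -tanp
    step proc.txt ps -eo pid,ppid,user,lstart,cmd
    step openfiles.txt lsof -nP
    # 5. The data option C names: unlocked containers and cloud-backed mounts.
    step dmtable.txt dmsetup table
    step mounts.txt cat /proc/mounts
    open_crypt_containers < "$OUT/dmtable.txt" > "$OUT/open_containers.txt"
    cloud_backed_mounts   < "$OUT/mounts.txt"  > "$OUT/cloud_mounts.txt"
    # Only now is it safe to stop the instance and take the volume snapshot.
}

# Constructed sample `dmsetup table` output (dmsetup masks keys with zeros).
SAMPLE_DMSETUP='cryptdata: 0 20971520 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:17 4096
vg0-root: 0 41943040 linear 8:2 2048
cryptswap: 0 4194304 crypt aes-cbc-essiv:sha256 0000000000000000000000000000000000000000000000000000000000000000 0 8:19 0'

# Constructed sample /proc/mounts with one object-storage and one NFS mount.
SAMPLE_MOUNTS='/dev/root / ext4 rw,relatime 0 0
s3fs /mnt/bucket fuse.s3fs rw,nosuid,nodev,relatime,user_id=0,group_id=0 0 0
fs-0123.efs.us-east-1.amazonaws.com:/ /mnt/efs nfs4 rw,relatime,vers=4.1 0 0'

# Dry run on the constructed samples; a real collection needs --run <outdir>.
printf '%s\n' "$SAMPLE_DMSETUP" | open_crypt_containers
printf '%s\n' "$SAMPLE_MOUNTS"  | cloud_backed_mounts
if [ "${1:-}" = "--run" ]; then
    collect_volatile "${2:-./evidence}"
fi
```

Run as root with `sh live_triage.sh --run /mnt/evidence/$(hostname)` and write the output to a volume that is not the one under investigation; without `--run` the script only exercises the parsers on the embedded samples. Memory is captured before anything else because the dm-crypt master keys and cloud API tokens live there, and every later step changes process and network state slightly, which is why the manifest records each step's hash and exit status.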