Computer Hacking Forensic Investigator (CHFI v10) — Question 503

What method of copying should always be performed first before carrying out an investigation?

Answer options

• A. Parity-bit copy
• B. Bit-stream copy
• C. MS-DOS disc copy
• D. System level copy

Correct answer: B

Explanation

The bit-stream copy is the most suitable method to begin with, as it creates an exact replica of the original data, preserving all information, including deleted files and unallocated space. The other methods, like parity-bit copy and MS-DOS disc copy, do not ensure a complete and forensically sound duplicate, making them less appropriate for initial investigations.