Computer Hacking Forensic Investigator (CHFI v10) — Question 561
In a complex forensic investigation, a CHFI investigator has been given a 2 TB suspect drive from which they must acquire relevant data as quickly as possible. The investigator uses a verified and tested data acquisition tool to accomplish this task. Given that the suspect drive cannot be retained, and considering the mandatory requirements of the selected tool, which of the following steps is the most critical for the investigator to ensure a forensically sound acquisition?
Answer options
- A. Prioritizing and acquiring only those data that are of evidentiary value
- B. Testing lossless compression by applying an MD5, SHA-2, or SHA-3 hash on a file before and after compression
- C. Using Microsoft disk compression tools like DriveSpace and DoubleSpace to exclude slack disk space between the files
- D. Compressing files by using archiving tools like PKZip, WinZip, and WinRAR
Correct answer: A
Explanation
The correct answer is A. When the suspect drive cannot be retained and time is limited, the investigator must first decide which data has evidentiary value and acquire that data before anything else; that prioritization is what determines whether the evidence needed for the case is captured at all. Options B, C, and D all concern reducing the size of the acquired image (verifying lossless compression with MD5, SHA-2, or SHA-3 hashes, using disk compression, or archiving files). These steps address storage space rather than the selection and capture of critical data, so they do not by themselves guarantee a forensically sound acquisition under time constraints.