Computer Hacking Forensic Investigator (CHFI v10) — Question 564

Forensic Investigator Alex has to collect data from a suspect's large drive in a time-bound investigation. The court would allow him to retain the original drive. Considering these factors, what should be Alex's primary considerations to ensure a forensically sound data acquisition?

Answer options

• A. Using Microsoft disk compression tools and validating the data acquisition process
• B. Sanitizing the target media using the (German) VSITR method and acquiring volatile data
• C. Enabling write protection on the evidence media and prioritizing data acquisition based on evidentiary value
• D. Utilizing lossless compression tools and creating a bit-stream copy using a reliable acquisition tool

Correct answer: D

Explanation

The correct answer, D, emphasizes the importance of creating an exact copy of the original data using a reliable tool, which is crucial for maintaining the integrity of the evidence. Options A and B involve methods that may compromise the original data or do not directly ensure a forensically sound acquisition. Option C, while mentioning write protection, does not address the need for creating a bit-stream copy, which is essential in forensic investigations.