Computer Hacking Forensic Investigator (CHFI v10) — Question 59

Which is a standard procedure to perform during all computer forensics investigations?

Answer options

• A. with the hard drive removed from the suspect PC, check the date and time in the system's CMOS
• B. with the hard drive in the suspect PC, check the date and time in the File Allocation Table
• C. with the hard drive removed from the suspect PC, check the date and time in the system's RAM
• D. with the hard drive in the suspect PC, check the date and time in the system's CMOS

Correct answer: D

Explanation

The correct answer is D because checking the date and time in the system's CMOS while the hard drive is in the suspect PC ensures that the information is accurate and relevant to the current investigation. Options A and C are incorrect as they involve removing the hard drive, which may compromise the integrity of the data, and option B is incorrect because the File Allocation Table does not hold system date and time information.