Computer Hacking Forensic Investigator (CHFI v10) — Question 603

You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a `simple backup copy` of the hard drive in the PC and put it on this drive and requests that you examine the drive for evidence of the suspected images. You inform him that a `simple backup copy` will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceeding?

Answer options

• A. Robust copy
• B. Incremental backup copy
• C. Bit-stream copy
• D. Full backup copy

Correct answer: C

Explanation

A Bit-stream copy is necessary because it creates an exact replica of the original hard drive, including deleted files and file fragments, making it suitable for forensic analysis. The other options, such as Robust copy, Incremental backup copy, and Full backup copy, do not guarantee the same level of detail or completeness in preserving evidence, as they may not capture all deleted data.