Computer Hacking Forensic Investigator (CHFI v10) — Question 605

Preparing an image drive to copy files to is the first step in Linux forensics. For this purpose, what would the following command accomplish? dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror, sync

Answer options

• A. Fill the disk with zeros
• B. Low-level format
• C. Fill the disk with 4096 zeros
• D. Copy files from the master disk to the slave disk on the secondary IDE controller

Correct answer: A

Explanation

The command uses dcfldd to write zeros to the disk at /dev/hda, effectively filling it with zeros, which is essential for creating a clean image in forensics. Option B is incorrect because this command does not perform a low-level format. Option C misrepresents the command since it fills the disk entirely with zeros rather than just 4096 zeros. Option D is incorrect as the command does not copy files between disks; it writes zeros directly to the specified disk.