Network Security Administrator (NSA, legacy) — Question 1

You are contracted to work as a computer forensics investigator for a regional bank that has four 30 TB storage area networks that store customer data.
What method would be most efficient for you to acquire digital evidence from this network?

Answer options

• A. create a compressed copy of the file with DoubleSpace
• B. create a sparse data copy of a folder or file
• C. make a bit-stream disk-to-image file
• D. make a bit-stream disk-to-disk file

Correct answer: C

Explanation

The correct answer, C, is efficient because a bit-stream disk-to-image file captures an exact replica of the data, including all metadata, without altering the original evidence. The other options either compress data, which may lose some information, or are less efficient for large volumes of data, making them unsuitable for forensic investigations.