GIAC Certified Enterprise Defender (GCED) — Question 1
At the start of an investigation on a Windows system, the lead handler executes the following commands after inserting a USB drive. What is the purpose of this command?
C:\>dir /s /a dhsra d:\ > a:\IRCD.txt
Answer options
- A. To create a file on the USB drive that contains a listing of the C: drive
- B. To show hidden and archived files on the C: drive and copy them to the USB drive
- C. To copy a forensic image of the local C: drive onto the USB drive
- D. To compare a list of known good hashes on the USB drive to files on the local C: drive
Correct answer: C
Explanation
The correct answer is C because the command structure indicates the creation of a forensic image of the local drive. Option A is incorrect because it suggests only listing files rather than creating an image, while option B misreads the intent as copying files instead of creating an image. Option D is irrelevant since the commands do not involve hash comparisons.