GIAC Certified Forensic Analyst (GCFA) — Question 26

Peter works as a Technical Representative in the CSIRT of SecureEnet Inc. His team is called in to investigate the computer of an employee who is suspected of stealing classified data. The suspect's computer runs the Windows operating system. Peter wants to collect data and evidence for further analysis. He knows that on a Windows system the data is searched in pre-defined steps so that the analysis is both sound and efficient. Which of the following is the correct order for searching data on a Windows-based system?

Answer options

Correct answer: A

Explanation

The sequence in the correct option follows the order of volatility: the evidence that disappears or changes fastest is collected first, so that each later step disturbs as little as possible of what the earlier steps capture. Volatile data comes first because it is lost when the system is powered off: the system time, logged-on users, running processes, open network connections and open files. The remaining steps follow in this order: file slack, the registry, memory dumps, the file system, the system state backup and, last, internet traces. The other options either place one of these steps out of order or leave one out. Whatever tooling is used, each step should run from trusted binaries, every collected item should be hashed and the time of every action logged, so that both the collection order and the integrity of the evidence can be demonstrated later.
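The following script is an added example of the first step of that sequence, live collection of volatile data from a Windows host, with the registry persistence keys and a listing of browser artefacts appended in the order the explanation gives. It is not part of the original exam material. The output drive E:\triage, the file names under it and the browser profile paths are assumptions; the script records a hash and timestamp for every item it saves so the collection order can be shown afterwards. Memory, disk (file slack, file system) and backup acquisition require dedicated imaging tools and are only noted in the log as the next steps.

```powershell
# Added example: live triage of volatile data from a Windows host, collected
# most-ephemeral-first. Not part of the original exam page. The output root,
# file names and browser profile paths below are assumptions.
# Run from an elevated PowerShell started from a trusted toolkit on removable
# media; write output to that media, never to the suspect's disk.
param(
    [string]$OutRoot = 'E:\triage'   # assumed: the examiner's evidence drive
)

$stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
$caseDir = Join-Path $OutRoot "$($env:COMPUTERNAME)_$stamp"
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null
$log = Join-Path $caseDir 'collection_log.txt'

function Collect {
    # Runs one collection step, saves its output to its own file, and logs the
    # step with a timestamp and the SHA-256 of that file so the sequence and
    # the integrity of each item are auditable.
    param([string]$Name, [scriptblock]$Action)
    $start = Get-Date -Format 'o'
    $file  = Join-Path $caseDir "$Name.txt"
    try {
        & $Action 2>&1 | Out-File -FilePath $file -Encoding utf8 -Width 4096
        $hash = (Get-FileHash -Algorithm SHA256 -Path $file).Hash
        "$start`t$Name`tOK`t$hash" | Add-Content -Path $log
    } catch {
        "$start`t$Name`tFAILED`t$($_.Exception.Message)" | Add-Content -Path $log
    }
}

# --- Step 1: volatile data, most ephemeral first ---------------------------
Collect 'system_time'     { Get-Date -Format 'o'; (Get-CimInstance Win32_OperatingSystem).LastBootUpTime }
Collect 'logged_on_users' { query user 2>&1; Get-CimInstance Win32_LoggedOnUser | Format-Table -AutoSize }
Collect 'net_tcp'         { Get-NetTCPConnection | Sort-Object State | Format-Table -AutoSize }
Collect 'net_udp'         { Get-NetUDPEndpoint | Format-Table -AutoSize }
Collect 'netstat_ano'     { netstat -ano }           # PID-to-socket mapping as the OS reports it
Collect 'arp_cache'       { arp -a }
Collect 'dns_cache'       { Get-DnsClientCache | Format-Table -AutoSize }
Collect 'processes'       { Get-CimInstance Win32_Process |
                            Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate |
                            Format-Table -AutoSize }
Collect 'services'        { Get-Service | Sort-Object Status | Format-Table -AutoSize }
Collect 'network_config'  { ipconfig /all }
Collect 'shares_sessions' { net share; net session 2>&1; openfiles /query 2>&1 }
Collect 'scheduled_tasks' { Get-ScheduledTask | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize }

# --- Registry: the autostart keys most often checked for persistence --------
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
Collect 'registry_run_keys' {
    foreach ($k in $runKeys) { "[$k]"; Get-ItemProperty -Path $k -ErrorAction SilentlyContinue | Format-List }
}
# Removable-media history is relevant to a data-theft case.
Collect 'usb_history' { Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue | Format-List }

# File slack, the memory dump, the file-system image and the system state
# backup need dedicated acquisition tools; record that they are the next steps.
"$(Get-Date -Format 'o')`tNEXT`tacquire memory image, then disk image (slack, file system), then backups" | Add-Content -Path $log

# --- Last step: internet traces kept on disk (browser artefact listing) ----
Collect 'internet_traces_listing' {
    # Assumed default profile locations; only a listing is taken here, the
    # files themselves come with the disk image.
    $profiles = "$env:LOCALAPPDATA\Google\Chrome\User Data",
                "$env:LOCALAPPDATA\Microsoft\Edge\User Data",
                "$env:APPDATA\Mozilla\Firefox\Profiles"
    foreach ($p in $profiles) {
        if (Test-Path $p) {
            Get-ChildItem $p -Recurse -Include History, places.sqlite, Cookies -ErrorAction SilentlyContinue |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

# Seal the log itself so later tampering with it is detectable.
"SHA256 of collection_log.txt: $((Get-FileHash -Algorithm SHA256 -Path $log).Hash)" |
    Out-File -FilePath (Join-Path $caseDir 'log_hash.txt') -Encoding utf8
Write-Output "Collection complete: $caseDir"
```

Saved as, for instance, triage.ps1 on the examiner's drive, it is started with `.\triage.ps1 -OutRoot E:\triage` (file name and path assumed). Running it does itself change the live system (new processes, new registry reads, entries in the prefetch directory), which is unavoidable in live response; the timestamped log is what lets the examiner account for those changes when the memory and disk images are analysed later.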