Certified Information Security Manager (CISM) — Question 1247

A forensic examination of a PC is required, but the PC has been switched off. Which of the following should be done FIRST?

Answer options

• A. Perform a backup of the computer using the network.
• B. Perform a bit-by-bit backup of the hard disk using a write-blocking device.
• C. Reboot the system using third-party forensic software in the CD-ROM drive.
• D. Perform a backup of the hard drive using backup utilities.

Correct answer: B

Explanation

The correct answer is B because performing a bit-by-bit backup with a write-blocking device ensures that the original data on the hard disk remains unaltered, which is crucial for forensic integrity. The other options either risk altering the data (like rebooting the system) or do not specifically ensure a complete and forensically sound acquisition of data.