CHFI Evidence Acquisition and Duplication • Complete Question Bank
Complete CHFI Evidence Acquisition and Duplication question bank, with answers and detailed explanations.
Refer to the exhibit.

[root@forensics ~]# dc3dd if=/dev/sda of=/evidence/sda.img hash=sha256 log=/evidence/log.txt
Output: Fatal error: Input/output error while reading /dev/sda
Refer to the exhibit.

Forensic Acquisition Log:
Source: /dev/sdb
Image: /mnt/evidence/case001.dd
Hash (MD5): Source= a1b2c3d4e5f6... Image= a1b2c3d4e5f6...
Hash (SHA1): Source= 1234567890ab... Image= 1234567890ab...
Verification: Passed
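The acquire-then-verify workflow behind this log, as an added shell example that is not part of the question bank: image a source with dd, hash source and image with two algorithms, and write a log in the exhibit's layout, returning a non-zero status when the digests disagree or the read fails. It assumes GNU coreutils (dd, md5sum, sha1sum) and takes the source, image and log paths as arguments; MD5 and SHA-1 are used only to mirror the exhibit, and a current acquisition would record SHA-256 as well.

```shell
#!/bin/sh
# Added example, not part of the original question bank. Reproduces the
# acquire-then-verify workflow behind the exhibit: image a source with dd,
# hash source and image with MD5 and SHA-1, and write a log in the exhibit's
# layout. All paths are caller-supplied; there is no real /dev/sdb here.

# hash_of ALGO PATH -> prints only the hex digest (md5sum/sha1sum print "hash  path")
hash_of() {
    "$1" "$2" | cut -d' ' -f1
}

# verify_image SRC IMG LOG
# Re-hashes source and image and appends the comparison to LOG.
# Returns 0 when both digests match, 1 otherwise.
verify_image() {
    src="$1"; img="$2"; log="$3"
    src_md5=$(hash_of md5sum "$src");   img_md5=$(hash_of md5sum "$img")
    src_sha1=$(hash_of sha1sum "$src"); img_sha1=$(hash_of sha1sum "$img")
    if [ "$src_md5" = "$img_md5" ] && [ "$src_sha1" = "$img_sha1" ]; then
        result=Passed; rc=0
    else
        result=FAILED; rc=1
    fi
    {
        echo "Hash (MD5): Source= $src_md5 Image= $img_md5"
        echo "Hash (SHA1): Source= $src_sha1 Image= $img_sha1"
        echo "Verification: $result"
    } >> "$log"
    return $rc
}

# acquire_image SRC IMG LOG
# Raw bit-for-bit copy. dd's own record counts go to the log so the examiner
# can see how many blocks were read. A read error makes dd exit non-zero and
# the function returns 2 without claiming verification: stop and document,
# rather than hash a short image as if it were complete.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    {
        echo "Forensic Acquisition Log:"
        echo "Source: $src"
        echo "Image: $img"
    } > "$log"
    dd if="$src" of="$img" bs=1048576 2>>"$log" || return 2
}

# acquire_and_verify SRC IMG LOG: the full workflow; exit status as above.
# Usage: acquire_and_verify /dev/sdb /mnt/evidence/case001.dd /mnt/evidence/case001.log
acquire_and_verify() {
    acquire_image "$1" "$2" "$3" || return $?
    verify_image "$1" "$2" "$3"
}
```

Hashing the source a second time means the device is read twice, so it belongs behind a hardware write blocker; and a "Passed" line is only as good as the log it sits in, so the dd record counts are kept next to the digests rather than discarded.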
You are a forensic investigator responding to a suspected data breach at a financial institution. The incident response team has isolated a Windows 10 workstation used by a former employee. The system is still powered on, and the login screen is displayed. Your task is to acquire forensic evidence in a defensible manner. The following actions are available:
A. Immediately pull the power cord to perform a cold acquisition of the hard drive.
B. Capture volatile data (RAM, network connections, running processes) using a trusted tool on a USB drive, then shut down normally and remove the hard drive for imaging.
C. Boot the system from a forensic live CD and create a forensic image of the hard drive while the system is running.
D. Use the built-in Windows backup to create a system image to an external drive.
Which action is the most appropriate first step in this scenario?
Refer to the exhibit.

# fsstat /dev/sdb1
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 1234ABCD5678EF90
Volume Name: Evidence
Number of MFT Records: 1024
MFT Record Size: 1024 bytes

# dstat /dev/sdb1
DETAILS OF DISK STATISTICS
--------------------------------------------
Total Sectors: 2097152
Sector Size: 512 bytes
Cluster Size: 4096 bytes
Free Clusters: 524288
Matching exercise (concept to description). Concepts: 21, 23, 161, 389, 3389