- A
Contact IT to obtain the BitLocker recovery key from Active Directory.
Why wrong: Incorrect: This is a valid option if normal boot fails, but not the first step because the TPM should work.
- B
Perform a cold boot attack to extract the BitLocker key from memory.
Why wrong: Incorrect: This is a complex and invasive technique that should only be used if normal boot fails.
- C
Boot from a Linux live USB and use tools to bypass BitLocker.
Why wrong: Incorrect: Without the key, Linux cannot decrypt the drive.
- D
Boot the laptop normally and let BitLocker unlock the drive using the TPM.
Correct: Since the laptop was shut down properly and has TPM, normal boot should unlock the drive without the recovery key.
Quick Answer
The answer is to boot the laptop normally and let BitLocker unlock the drive using the TPM. This is correct because the TPM holds the BitLocker key in its secure storage, and since the laptop was properly shut down and handed over within an hour, the boot configuration remains unchanged, allowing automatic decryption without a recovery key or PIN. On the CHFI exam, this scenario tests your understanding of TPM-based BitLocker acquisition in forensic imaging, specifically how a TPM-only protector works during a live boot when the system state is preserved. A common trap is assuming you need the recovery key or a hardware brute-force tool, but the TPM’s sealed key is still accessible if the boot sequence is unaltered. Remember: if the system was shut down normally and handed over quickly, the TPM is your friend—boot it, don’t break it.
CHFI Computer Forensics Lab Practice Question
This CHFI practice question tests your understanding of computer forensics lab. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
You are a forensic examiner at a corporate security firm. You receive a laptop from the HR department that belonged to a terminated employee. The laptop was used for company business and is suspected of containing unauthorized file-sharing software. The laptop is running Windows 10 with BitLocker drive encryption enabled. Before shutdown, the employee was logged into the system. HR claims the laptop was shut down properly and then handed over within an hour. You are asked to acquire a forensic image of the hard drive for analysis. However, when you boot the laptop, you are prompted for the BitLocker recovery key. HR does not have the key, and the employee refuses to cooperate. The laptop also has a TPM chip. Which of the following is the most appropriate course of action to acquire the data?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Boot the laptop normally and let BitLocker unlock the drive using the TPM.
Option D is correct because the laptop was shut down properly and handed over within an hour, meaning the TPM (Trusted Platform Module) still holds the BitLocker key in its secure storage. When the system boots normally, BitLocker will automatically unlock the drive using the TPM without requiring a recovery key or user PIN, as long as the boot configuration has not changed. This is the standard behavior for a TPM-only protector configuration, which is common in corporate Windows 10 deployments.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Contact IT to obtain the BitLocker recovery key from Active Directory.
Why it's wrong here
Incorrect: This is a valid option if normal boot fails, but not the first step because the TPM should work.
- ✗
Perform a cold boot attack to extract the BitLocker key from memory.
Why it's wrong here
Incorrect: This is a complex and invasive technique that should only be used if normal boot fails.
- ✗
Boot from a Linux live USB and use tools to bypass BitLocker.
Why it's wrong here
Incorrect: Without the key, Linux cannot decrypt the drive.
- ✓
Boot the laptop normally and let BitLocker unlock the drive using the TPM.
Why this is correct
Correct: Since the laptop was shut down properly and has TPM, normal boot should unlock the drive without the recovery key.
Related concept
Read the scenario before looking for a memorised answer.
Common exam traps
Common exam trap: answer the scenario, not the keyword
EC-Council often tests the misconception that BitLocker always requires a recovery key or that a cold boot attack is a standard forensic technique, when in fact a properly shut-down system with TPM will unlock automatically, making the simplest boot the correct first step.
Detailed technical explanation
How to think about this question
BitLocker with TPM-only protection uses the TPM to validate the integrity of the boot components (BIOS/UEFI, boot loader, etc.) before releasing the encryption key. If the boot chain is unaltered, the TPM automatically unseals the Volume Master Key (VMK) to decrypt the drive. In a corporate environment, BitLocker recovery keys are often backed up to Active Directory, but the TPM-based unlock is the primary mechanism; the recovery key is only needed if the TPM fails, boot components change, or the drive is moved to another system.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- →
Computer Forensics Lab — study guide chapter
Learn the concepts, then practise the questions
- →
Computer Forensics Lab practice questions
Targeted practice on this topic area only
- →
All CHFI questions
1,000 questions across all exam domains
- →
Computer Hacking Forensic Investigator CHFI study guide
Full concept coverage aligned to exam objectives
- →
CHFI practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related CHFI practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Computer Forensics Investigation Process practice questions
Practise CHFI questions linked to Computer Forensics Investigation Process.
Computer Forensics Fundamentals and Process practice questions
Practise CHFI questions linked to Computer Forensics Fundamentals and Process.
Storage Forensics and File System Analysis practice questions
Practise CHFI questions linked to Storage Forensics and File System Analysis.
Incident Response and First Responder Skills practice questions
Practise CHFI questions linked to Incident Response and First Responder Skills.
Computer Forensics Lab practice questions
Practise CHFI questions linked to Computer Forensics Lab.
Evidence Acquisition and Duplication practice questions
Practise CHFI questions linked to Evidence Acquisition and Duplication.
OS and Network Forensics practice questions
Practise CHFI questions linked to OS and Network Forensics.
OS and File System Forensics practice questions
Practise CHFI questions linked to OS and File System Forensics.
Application, Email and Cloud Forensics practice questions
Practise CHFI questions linked to Application, Email and Cloud Forensics.
Mobile and Malware Forensics practice questions
Practise CHFI questions linked to Mobile and Malware Forensics.
Network and Cloud Forensics practice questions
Practise CHFI questions linked to Network and Cloud Forensics.
Database and Application Forensics practice questions
Practise CHFI questions linked to Database and Application Forensics.
Practice this exam
Start a free CHFI practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this CHFI question test?
Computer Forensics Lab — This question tests Computer Forensics Lab — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: Boot the laptop normally and let BitLocker unlock the drive using the TPM. — Option D is correct because the laptop was shut down properly and handed over within an hour, meaning the TPM (Trusted Platform Module) still holds the BitLocker key in its secure storage. When the system boots normally, BitLocker will automatically unlock the drive using the TPM without requiring a recovery key or user PIN, as long as the boot configuration has not changed. This is the standard behavior for a TPM-only protector configuration, which is common in corporate Windows 10 deployments.
What should I do if I get this CHFI question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Last reviewed: Jun 30, 2026
This CHFI practice question is part of Courseiva's free EC-Council certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CHFI exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.