CCNA Evidence Acquisition and Duplication Questions

20 questions · Evidence Acquisition and Duplication · All types, answers revealed

1
MCQ · easy

A forensic examiner needs to acquire a hard drive that is part of a RAID 5 array. The RAID controller is unavailable. What is the best approach to acquire the data?

A. Acquire each disk individually, then reconstruct the array using software
B. Acquire only one disk because RAID 5 can be reconstructed from a single disk
C. Use a hardware write blocker that supports RAID
D. Connect the RAID array to a similar controller and acquire as a single drive
Answer: A

This is the standard method when the controller is unavailable.

Why this answer

When the RAID controller is unavailable, the only reliable method to acquire the data is to image each physical disk individually using a forensic write blocker, then reconstruct the logical RAID 5 volume in a forensic software tool (e.g., FTK Imager, X-Ways Forensics, or EnCase). This preserves the original evidence on each disk and allows the examiner to rebuild the array by specifying the stripe size, parity rotation, and disk order, which is essential because RAID 5 distributes data and parity across all disks and can tolerate a single disk failure.

Exam trap

EC-Council often tests the misconception that a hardware RAID controller is required for forensic acquisition, or that a single disk from a RAID 5 array contains enough data to reconstruct the volume, when in fact individual disk imaging and software reconstruction is the only forensically sound approach when the controller is unavailable.

How to eliminate wrong answers

Option B is wrong because RAID 5 requires at least three disks and uses distributed parity; a single disk contains only stripes and parity blocks, not the complete data, so reconstruction from one disk is impossible. Option C is wrong because a hardware write blocker that supports RAID would still require the RAID controller to present the logical volume; without the controller, the write blocker cannot access the array as a single drive. Option D is wrong because connecting the disks to a similar controller may cause the controller to attempt an automatic rebuild or initialization, altering the evidence, and the controller's configuration (e.g., stripe size, disk order) may not match the original, leading to data corruption or loss.

2
MCQ · medium

During a forensic acquisition, you notice that the target drive has bad sectors. What is the best approach to acquire the drive?

A. Use dd with a higher block size to skip bad sectors
B. Use ddrescue to recover as much data as possible
C. Use FTK Imager and ignore the errors
D. Perform a physical acquisition by removing platters
Answer: B

ddrescue is designed for failing drives.

Why this answer

B is correct because ddrescue is specifically designed to handle media with bad sectors by using a sophisticated read-retry algorithm that logs errors and attempts recovery from multiple angles, including reverse reads and splitting the drive into good and bad regions. Unlike dd, which will abort or produce corrupted output on encountering a bad sector, ddrescue maximizes data recovery while preserving a map of unrecoverable areas.

Exam trap

EC-Council often tests the misconception that dd can handle bad sectors by adjusting block size, but the trap is that dd lacks any error recovery algorithm and will simply fail or produce incomplete data, whereas ddrescue is the proper tool for forensic acquisition of damaged media.

How to eliminate wrong answers

Option A is wrong because increasing the block size in dd does not skip bad sectors; it only changes the read granularity, and a bad sector within a larger block will still cause an I/O error, potentially aborting the entire acquisition. Option C is wrong because FTK Imager, while capable of ignoring read errors, does not actively attempt to recover data from bad sectors; it simply skips them and logs the error, resulting in data loss without the advanced retry and mapping capabilities of ddrescue. Option D is wrong because physically removing platters is an extreme, destructive method reserved for drives with severe mechanical failure or when the drive cannot be powered on; it is not the best approach for a drive with only bad sectors, as it risks total data loss and is unnecessary when software tools like ddrescue can recover most data.

3
MCQ · hard

You are a forensic investigator responding to a data breach at a financial institution. The compromised server is a Windows Server 2019 running a custom trading application. The server is still powered on and connected to the production network. The incident response team has instructed you to acquire forensic evidence while minimizing downtime. The server has 2 TB of storage with 500 GB used. You have a forensic workstation with a write-blocker and an empty 2 TB external drive. The server's RAM is 64 GB. You need to acquire both volatile data (RAM) and a forensic image of the disk. However, the legal team requires a verified bit-for-bit copy with cryptographic hash verification. Additionally, the server's performance is critical; acquiring RAM via network is not feasible due to bandwidth constraints. Which of the following is the best course of action?

A. Shut down the server, remove the disk, connect it to a write-blocker, and acquire the disk image using FTK Imager; RAM is lost but disk acquisition is verified.
B. Use FTK Imager over the network to acquire RAM first, then use dd to image the disk to the external drive via write-blocker.
C. Run win32dd locally to capture RAM to the external drive, then use FTK Imager over the network to create a physical disk image with verification.
D. Use dd over netcat to acquire RAM and disk simultaneously, then compute hashes separately.
Answer: C

win32dd captures RAM locally quickly; FTK Imager over network can image the disk with hash verification.

Why this answer

Option C is correct because it prioritizes capturing volatile RAM first using win32dd (a memory acquisition tool) locally to the external drive, which preserves the most volatile evidence before any shutdown or network transfer. After RAM capture, FTK Imager over the network creates a verified physical disk image, satisfying the legal requirement for cryptographic hash verification while minimizing downtime. This approach avoids the risk of losing RAM data (as in shutdown) and avoids bandwidth constraints (as in network RAM acquisition).

Exam trap

EC-Council often tests the misconception that network-based RAM acquisition is always feasible or that shutting down the server is acceptable, but the trap here is that candidates overlook the bandwidth constraint and the critical need to preserve volatile data before disk imaging.

How to eliminate wrong answers

Option A is wrong because shutting down the server destroys volatile data (RAM), which is critical for investigating the breach, and the legal team requires a verified bit-for-bit copy, but RAM is lost entirely. Option B is wrong because acquiring RAM over the network is explicitly stated as not feasible due to bandwidth constraints, and using dd to image the disk to the external drive via write-blocker is not described correctly (dd is a Linux tool, not native to Windows Server 2019, and FTK Imager over the network for RAM would be slow and unreliable). Option D is wrong because using dd over netcat for RAM acquisition is not a standard Windows memory acquisition method, and simultaneous acquisition of RAM and disk is impractical without proper write-blocking and verification; netcat does not provide cryptographic hash verification natively.

4
MCQ · hard

You are a forensic investigator responding to a suspected data breach at a financial institution. The incident response team has isolated a Windows 10 workstation used by a former employee. The system is still powered on, and the login screen is displayed. Your task is to acquire forensic evidence in a defensible manner. The following actions are available: A. Immediately pull the power cord to perform a cold acquisition of the hard drive. B. Capture volatile data (RAM, network connections, running processes) using a trusted tool on a USB drive, then shut down normally and remove the hard drive for imaging. C. Boot the system from a forensic live CD and create a forensic image of the hard drive while the system is running. D. Use the built-in Windows backup to create a system image to an external drive. Which action is the most appropriate first step in this scenario?

A. Use the built-in Windows backup to create a system image to an external drive
B. Capture volatile data using a trusted tool on a USB drive, then shut down normally and remove the hard drive for imaging
C. Boot the system from a forensic live CD and create a forensic image of the hard drive while the system is running
D. Immediately pull the power cord to perform a cold acquisition of the hard drive
Answer: B

This preserves volatile evidence first, then allows forensic imaging of the disk.

Why this answer

Option B is correct because the system is still powered on with the login screen displayed, meaning volatile data (RAM, network connections, running processes) is present and will be lost if the system is powered off. Capturing this data first using a trusted forensic tool (e.g., FTK Imager or DumpIt) from a write-blocked USB drive preserves critical evidence such as encryption keys, active network connections, and malware in memory. Only after volatile data is secured should the system be shut down normally and the hard drive removed for forensic imaging, ensuring a defensible chain of custody.

Exam trap

EC-Council often tests the misconception that pulling the power cord is the safest method to preserve disk evidence, but the trap here is that it destroys volatile data and can cause filesystem corruption, making it inappropriate when the system is still powered on and volatile data is present.

How to eliminate wrong answers

Option A is wrong because using the built-in Windows backup to create a system image modifies the system (e.g., writes backup metadata, changes registry timestamps) and does not capture volatile data, violating forensic integrity principles. Option C is wrong because booting from a forensic live CD while the system is running can overwrite portions of RAM and disk (e.g., pagefile, unallocated space) and may trigger anti-forensic mechanisms, plus it does not capture the current volatile state before the system is altered. Option D is wrong because immediately pulling the power cord (cold acquisition) destroys all volatile data (RAM, network connections, running processes) that may contain critical evidence like encryption keys or active malware, and can cause filesystem corruption if the disk was in a write state.

5
MCQ · hard

You are a forensic examiner responding to a data breach incident at a medium-sized company. The incident response team has identified a Windows Server 2019 that may contain evidence of unauthorized access. The server is running and logged in with administrative privileges. The server has 32 GB of RAM, a 1 TB SSD (BitLocker-encrypted, but unlocked), and is connected to the corporate network. The server is running several critical business applications, and the IT manager asks you to minimize downtime. You have a forensic workstation with write blockers, a hardware acquisition tool, and various software tools. What is the best course of action to acquire evidence while preserving integrity and minimizing downtime?

A. Use a network acquisition tool like Guymager to image the drive over the network
B. Dump RAM and capture network connections, then create a logical image of the SSD using FTK Imager while the server remains on
C. Immediately power off the server, remove the SSD, and image it using a hardware write blocker
D. Pull the power cord, remove the SSD, and use a forensic bridge to image the drive
Answer: B

This preserves volatile data and minimizes downtime.

Why this answer

Option B is correct because it prioritizes capturing volatile data (RAM and network connections) first, which would be lost on shutdown, then creates a logical image of the unlocked BitLocker SSD while the server remains online to minimize downtime. This approach preserves the integrity of volatile evidence and allows critical business applications to continue running, aligning with the IT manager's request to minimize downtime.

Exam trap

EC-Council often tests the principle of order of volatility and the need to capture volatile data before powering down, leading candidates to mistakenly choose a shutdown-based option (C or D) that destroys critical evidence.

How to eliminate wrong answers

Option A is wrong because Guymager is a Linux-based imaging tool typically used for local or direct disk imaging, not for network acquisition over a live network; network imaging over a corporate network introduces risk of data alteration and is slower, potentially compromising integrity and increasing downtime. Option C is wrong because immediately powering off the server destroys volatile evidence (RAM, network connections) and risks data loss from the unlocked BitLocker SSD due to improper shutdown, while also causing unnecessary downtime for critical applications. Option D is wrong because pulling the power cord causes an abrupt shutdown that corrupts volatile data and may damage the file system on the SSD, and imaging via a forensic bridge after removal is invasive and increases downtime without capturing volatile evidence.

6
MCQ · hard

You are imaging a suspect's hard drive using a write blocker and dd command. After imaging, you verify the hash of the original drive and the image file. The original drive hash is SHA1: A1B2C3D4E5..., and the image hash is SHA1: F6G7H8I9J0... What is the most likely cause of the mismatch?

A. The dd command used a different block size
B. The write blocker malfunctioned and allowed writes to the original drive
C. The dd command compressed the output
D. The image file was corrupted during transfer
Answer: B

If the original drive was modified during acquisition, the hashes will differ.

Why this answer

The hash mismatch indicates that the data on the original drive and the image file are not identical. A write blocker malfunction that allowed writes to the original drive during the imaging process would alter the source data after the initial hash was computed, causing the final hash of the original drive to differ from the hash of the image file taken at a different point in time. This is the most direct cause of a hash mismatch because the write blocker's primary purpose is to prevent any modification to the evidence.

Exam trap

EC-Council often tests the misconception that dd's block size or compression affects the hash, but the trap here is that candidates overlook the write blocker's role in preserving evidence integrity and instead focus on technical details of the dd command that do not alter the data content.

How to eliminate wrong answers

Option A is wrong because the dd command's block size affects read/write performance and the number of blocks, but it does not change the underlying data; the hash of the output will match the input regardless of block size as long as the entire drive is read. Option C is wrong because dd does not compress output by default; it performs a bit-for-bit copy. Even if compression were applied (e.g., by piping to gzip), the hash would be computed on the compressed file rather than the raw image, but the question compares the image file hash, so compression would not cause a mismatch between the original drive hash and the image hash if the image is decompressed correctly. Option D is wrong because corruption during transfer would affect the image file's integrity, but the hash of the original drive would remain unchanged; the mismatch described is between the original drive hash and the image hash, and transfer corruption would only alter the image hash, not the original drive hash.

7
MCQ · medium

The command used to acquire a disk image resulted in an I/O error. What is the most likely cause?

A. The source disk has bad sectors
B. The output file already exists and is being overwritten
C. The target directory does not have write permissions
D. The target drive is full
Answer: A

Bad sectors cause read errors.

Why this answer

When a disk imaging tool (e.g., dd, FTK Imager, EnCase) encounters an I/O error during acquisition, the most common cause is physical damage or degradation of the source media, specifically bad sectors. Bad sectors prevent the read head from reliably retrieving data, triggering an I/O error at the operating system or device driver level. This is distinct from logical errors like file system corruption, which typically produce different error messages.

Exam trap

The trap here is that candidates confuse an I/O error (a hardware-level read failure) with logical or permission-based errors, mistakenly attributing the error to the output destination rather than the source media.

How to eliminate wrong answers

Option B is wrong because overwriting an existing output file does not cause an I/O error; it may produce a warning or prompt for confirmation, but the read operation from the source disk proceeds normally. Option C is wrong because a lack of write permissions on the target directory results in a permission denied error, not an I/O error, and the acquisition tool would fail before attempting to read the source. Option D is wrong because a full target drive causes a 'disk full' or 'no space left on device' error, which is a write failure, not a read-related I/O error from the source disk.

8
MCQ · medium

During a network forensic investigation, you need to capture live network traffic from a switch span port. Which tool would best capture the traffic in a forensically sound manner?

A. Nmap
B. Wireshark
C. Netcat
D. Tcpdump
Answer: B

Wireshark captures packets and can save them in standard formats.

Why this answer

Wireshark is the best tool for capturing live network traffic from a switch SPAN port in a forensically sound manner because it provides a robust graphical interface for real-time packet capture and analysis, supports full packet capture with timestamps, and can write captures directly to a pcapng file format that preserves packet integrity and metadata. Its ability to run in promiscuous mode ensures all traffic from the SPAN port is captured without altering the data, meeting forensic requirements for accuracy and completeness.

Exam trap

EC-Council often tests the misconception that Tcpdump is the only forensically sound command-line tool, but Wireshark is preferred for its GUI, advanced filtering, and pcapng support, which are critical for thorough forensic analysis and documentation.

How to eliminate wrong answers

Option A is wrong because Nmap is a network scanning tool used for host discovery and port enumeration, not for capturing live traffic from a SPAN port; it does not support packet capture or promiscuous mode for forensic traffic acquisition. Option C is wrong because Netcat is a simple networking utility for reading/writing data across network connections, lacking the packet capture, filtering, and timestamping capabilities needed for forensically sound traffic acquisition from a SPAN port. Option D is wrong because while Tcpdump can capture packets, it is a command-line tool that lacks the graphical analysis features and advanced file format support (e.g., pcapng) of Wireshark, making it less suitable for comprehensive forensic capture and review, though it can be used in a pinch.

9
Matching · medium

Match each network protocol to its well-known port number (TCP/UDP).


Port numbers: 21, 23, 161, 389, 3389

Why these pairings

These are standard port numbers assigned by IANA.

10
Multi-Select · easy

Which TWO of the following are valid reasons for using a hardware write blocker during disk acquisition? (Choose two.)

Select 2 answers
A. It compresses the acquired data to save storage space
B. It increases the speed of data acquisition
C. It allows the source drive to be connected to a forensic workstation without risking modification
D. It prevents any accidental writes to the source drive
E. It creates a forensic image of the drive
Answers: C, D

The write blocker presents the drive as read-only to the host system.

Why this answer

A hardware write blocker is a device that sits between the source drive and the forensic workstation, intercepting and blocking any write commands from the host operating system. This ensures that the source drive is connected in a read-only state, preventing any accidental modifications to the evidence during acquisition. Option C correctly identifies this core function of preserving the integrity of the source drive.

Exam trap

EC-Council often tests the distinction between the function of a hardware write blocker (write prevention) and the function of forensic imaging software (image creation and compression), leading candidates to incorrectly attribute software features to the hardware device.

11
Multi-Select · hard

Which THREE of the following are acceptable best practices when acquiring evidence from a mobile device? (Choose three.)

Select 3 answers
A. Document the SIM card information
B. Capture a logical image of the device if it is unlocked
C. Power off the device immediately to preserve battery
D. Place the device in a Faraday bag to prevent remote wiping
E. Only perform a physical acquisition, as it is the only forensically sound method
Answers: A, B, D

The SIM card contains subscriber information.

Why this answer

Option A is correct because documenting the SIM card information, such as the ICCID (Integrated Circuit Card Identifier) and IMSI (International Mobile Subscriber Identity), is a critical step in establishing chain of custody and preserving evidence that may link the device to a specific subscriber or network. This documentation must occur before any acquisition to ensure the SIM's data is not altered by subsequent imaging or isolation procedures.

Exam trap

EC-Council often tests the misconception that powering off a device is always safe for preservation, when in fact it can trigger encryption and destroy volatile evidence, and that physical acquisition is the only valid forensic method, ignoring the forensic validity of logical acquisitions on unlocked devices.

12
MCQ · hard

During a forensic investigation, an analyst needs to acquire the contents of a live server's RAM without altering the evidence. Which tool and technique should the analyst use to minimize the footprint on the system?

A. Install FTK Imager on the server and capture memory to a network share
B. Run a trusted version of win32dd.exe from a write-protected USB drive and capture memory to the USB
C. Use a remote acquisition tool over SSH to capture memory to a remote server
D. Use the built-in task manager to create a memory dump and save it locally
Answer: B

Running from a write-protected USB minimizes changes; capturing to USB avoids writing to the system drive.

Why this answer

Option B is correct because running a trusted version of win32dd.exe (now commonly part of the Belkasoft or DumpIt suite) from a write-protected USB drive ensures the tool binary is not modified by the compromised system and does not write any artifacts to the server's disk. Capturing memory directly to the USB drive minimizes the forensic footprint by avoiding writes to the server's local storage, preserving the integrity of the evidence.

Exam trap

EC-Council often tests the misconception that installing forensic tools on a live system is acceptable, but the trap here is that any installation or local write (even to a network share) alters the evidence, whereas a write-protected USB with a trusted binary avoids contamination.

How to eliminate wrong answers

Option A is wrong because installing FTK Imager on the live server writes installer files and registry keys to the system, altering the evidence and violating the principle of minimal footprint. Option C is wrong because using a remote acquisition tool over SSH requires installing or running an agent on the server, which modifies the system state, and network capture may introduce latency or packet loss, compromising the integrity of the memory dump. Option D is wrong because the built-in task manager's memory dump (e.g., 'Create dump file') writes a large file to the local disk, overwriting free space and potentially destroying volatile evidence, and the tool itself is part of the untrusted OS, which may be compromised.

13
MCQ · easy

Which of the following is the primary purpose of using a hardware write blocker during disk acquisition?

A. To decrypt the drive during acquisition
B. To prevent any writes to the original evidence drive
C. To compress the acquired image
D. To increase the speed of the acquisition
Answer: B

This ensures the integrity of the evidence.

Why this answer

A hardware write blocker is a device placed between the suspect drive and the forensic workstation that intercepts and blocks any write commands from the host operating system, ensuring that the original evidence drive remains unaltered. This is critical for maintaining the integrity of digital evidence, as any modification to the source drive could render it inadmissible in court. The primary purpose is therefore to prevent any writes to the original evidence drive, preserving its exact state for forensic analysis.

Exam trap

EC-Council often tests the misconception that a write blocker performs active functions like decryption or compression, when in reality it is a passive hardware filter that only enforces read-only access at the bus level.

How to eliminate wrong answers

Option A is wrong because a hardware write blocker does not perform decryption; decryption requires separate tools or keys and is not a function of write-blocking hardware. Option C is wrong because compression of the acquired image is handled by imaging software (e.g., FTK Imager, dd with gzip) after the write blocker has ensured read-only access, not by the write blocker itself. Option D is wrong because a write blocker does not increase acquisition speed; in fact, it may introduce a slight latency due to the hardware bridge, and speed is determined by the interface (e.g., SATA, USB) and the imaging tool, not the blocker.

14
Drag &amp; Drop · medium

Drag and drop the steps to conduct a memory acquisition using DumpIt on a Windows system into the correct order.


Why this order

Memory acquisition requires booting from trusted media, running the tool as admin, and verifying the hash.

15
Multi-Select · medium

Which TWO of the following are valid methods for acquiring volatile data from a live Windows system? (Choose two.)

Select 2 answers
A. Copying the Windows registry
B. Capturing active network connections
C. Imaging the hard drive
D. Extracting the Master File Table (MFT)
E. Dumping the contents of RAM
Answers: B, E

Network connections are volatile.

Why this answer

Option B is correct because capturing active network connections (e.g., using `netstat -anob` or `netstat -ano`) retrieves volatile data that is lost when the system is powered off. This data includes current TCP/UDP connections, listening ports, and associated process IDs, which are critical for identifying active network threats or unauthorized communications during incident response.

Exam trap

EC-Council often tests the distinction between volatile and non-volatile data, trapping candidates who confuse persistent artifacts (registry, MFT, hard drive images) with live system state (RAM, network connections) that disappears on power loss.

16
MCQ · hard

Based on the acquisition log, what can be concluded about the integrity of the acquired image?

A. The image is not forensically sound because the verification passed
B. The source and image have different data
C. The image is corrupted because only one hash algorithm was used
D. The image is an exact copy of the source
Answer: D

Matching hashes and verification confirm integrity.

Why this answer

The acquisition log shows that the hash values computed for the source drive and the acquired image match exactly. A matching hash (e.g., MD5 or SHA-1) verifies that the image is a bit-for-bit identical copy of the original evidence, confirming forensic soundness. Therefore, the image is an exact copy of the source, making option D correct.

Exam trap

EC-Council often tests the misconception that a passed verification indicates the image is not forensically sound, or that using only one hash algorithm implies corruption, when in fact a matching hash confirms integrity regardless of the number of algorithms used.

How to eliminate wrong answers

Option A is wrong because a verification that passes (hash match) confirms forensic soundness, not the opposite; a failed verification would indicate the image is not forensically sound. Option B is wrong because matching hash values prove the source and image have identical data, not different data. Option C is wrong because using a single hash algorithm (e.g., MD5 or SHA-1) is standard practice and does not indicate corruption; corruption would cause a hash mismatch, not be caused by the number of algorithms used.

17
MCQ · medium

During a forensic investigation, you are asked to acquire the contents of RAM from a live Windows 10 system without causing system instability. Which tool would be most appropriate for this task?

A. LiME
B. DumpIt
C. FTK Imager
D. Belkasoft RAM Capturer
Answer: D

Belkasoft RAM Capturer is designed for Windows live RAM acquisition and is stable.

Why this answer

Belkasoft RAM Capturer is the most appropriate tool for acquiring RAM from a live Windows 10 system because it is designed specifically for live memory acquisition on Windows, uses a lightweight kernel-mode driver to read physical memory without causing system instability, and supports acquisition from 64-bit systems. Unlike other tools, it minimizes interaction with the target process list and avoids loading unnecessary user-mode components that could trigger crashes or alter the memory state.

Exam trap

EC-Council often tests the distinction between Linux and Windows memory acquisition tools, and the trap here is that candidates may choose LiME (a well-known memory tool) without noticing the question specifies a Windows 10 system, or they may select FTK Imager because of its familiarity, overlooking its instability for live RAM capture compared to a dedicated kernel-driver-based tool like Belkasoft RAM Capturer.

How to eliminate wrong answers

Option A is wrong because LiME (Linux Memory Extractor) is a tool for acquiring RAM from Linux systems, not Windows; it loads a kernel module via `insmod` and is incompatible with Windows 10. Option B is wrong because DumpIt, while capable of capturing Windows memory, is a user-mode tool that can cause system instability on live systems due to its reliance on the Windows API (e.g., `NtReadVirtualMemory`) and lack of a kernel driver, potentially leading to crashes or incomplete dumps on heavily loaded systems. Option C is wrong because FTK Imager is primarily a disk imaging and forensic acquisition tool; its memory capture feature is limited, often requires administrative privileges in a non-live environment, and does not use a dedicated kernel driver, making it less stable for live RAM acquisition on Windows 10.

18
Multi-Select · medium

During acquisition of a live Linux server, the forensic examiner runs the following command: `# dd if=/dev/sda of=/mnt/evidence/disk.dd conv=noerror,sync bs=4k`. Which TWO statements are true about this acquisition?

Select 2 answers
A. The command preserves the partition table of the source disk.
B. The command automatically computes MD5 hash of the output file.
C. If a read error occurs, dd will pad the output with zeros and continue.
D. The block size (bs=4k) is appropriate for imaging a disk to reduce overhead.
E. The output file will be compressed to save storage space.
Answers: C, D

`conv=noerror,sync` makes `dd` zero-fill any block it cannot read and keep going; `bs=4k` is a sensible block size for imaging a disk.

Why this answer

Option C is correct because `conv=noerror` tells `dd` to continue after a read error instead of aborting, and `conv=sync` pads every short or failed input block with NUL bytes to the full block size, so the output keeps the same offsets as the source and the image stays usable despite bad sectors. Option D is correct because `bs=4k` matches the 4 KiB page size and the physical sector size of most modern disks, and cuts the number of read/write system calls to an eighth of what the 512-byte default needs. Three caveats a practitioner should know: with `bs=4k` a single bad 512-byte sector costs the whole 4 KiB block, because the entire block is zero-filled, which is why `dc3dd` or `ddrescue` are preferred for damaged media; `conv=sync` also pads the final partial block, so the image may be slightly larger than the source and a hash of the source device will not match a hash of the image; and because the server is live, a mounted, in-use file system is changing while it is copied, so the image is not guaranteed to be internally consistent. Note also that statement A is true in the literal sense, since a whole-device image of `/dev/sda` starts at sector 0 and therefore includes the MBR or GPT; the exam keys C and D, so answer in terms of what the named options (`conv=noerror,sync` and `bs=4k`) do rather than what any whole-device copy does.

Exam trap

EC-Council often tests the misconception that `dd` hashes or compresses its output. It does neither: it is a raw byte copier, and hashing (`sha256sum`, `md5sum`) or compression (`gzip`) must be done with separate commands, typically by piping the stream through `tee` so that the image is written and hashed in a single pass over the source.
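The following POSIX shell script is an added example, not part of the original question or its answer, showing the two behaviours the answer depends on: `conv=sync` pads the last short block to the full 4 KiB block size, and `dd` produces no hash, so the hash is taken on the same pass by splitting the stream with `tee`. It runs against a constructed 10000-byte file rather than a real device, and the file and function names are the example's own; the zero-fill of a genuine read error is described in comments but not triggered, since that needs failing media.

```shell
#!/bin/sh
# Added example (not from the original page): what `dd ... conv=noerror,sync`
# does to the image size, and how to hash the image in the same pass.
# Works on a constructed file; in a real case the source would be /dev/sda.
set -eu

# Image SRC to IMG with the exam's options and print the SHA-256 of the
# bytes written. dd itself never hashes: tee forks the stream so the file
# and the hash come from the same bytes in one read of the source.
image_with_hash() {
    src=$1; img=$2
    dd if="$src" bs=4k conv=noerror,sync 2>/dev/null \
        | tee "$img" \
        | sha256sum | cut -d' ' -f1
}

# Byte count dd emits for SRC with conv=noerror,sync. conv=sync pads every
# short input block (a failed read, or the final partial block) with NULs
# to the full 4096 bytes, so the result is SRC rounded up to a 4 KiB multiple.
imaged_size() {
    dd if="$1" bs=4k conv=noerror,sync 2>/dev/null | wc -c | tr -d ' '
}

# Same copy without conv=sync: no padding, output equals the source size.
plain_size() {
    dd if="$1" bs=4k 2>/dev/null | wc -c | tr -d ' '
}

# Re-hash an image on disk and compare with the hash recorded at acquisition.
verify_image() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Demonstration on a constructed 10000-byte source (2 full blocks + 1808 bytes).
demo() {
    work=$(mktemp -d)
    head -c 10000 /dev/urandom > "$work/source.bin"
    echo "without sync: $(plain_size "$work/source.bin") bytes"   # 10000
    echo "with sync:    $(imaged_size "$work/source.bin") bytes"  # 12288
    h=$(image_with_hash "$work/source.bin" "$work/disk.dd")
    verify_image "$work/disk.dd" "$h" && echo "image verified: $h"
    # The padding means the image hash differs from a hash of the source
    # itself; record and later verify the hash of the image, not the device.
    rm -rf "$work"
}

demo
```

The 2288 trailing bytes of the image are NULs that never existed on the source; on a real disk the same thing happens to any 4 KiB block containing an unreadable 512-byte sector, which is why the examiner's notes should record the block size used and any read errors `dd` reported.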

19
MCQeasy

Refer to the exhibit. An investigator runs fsstat and dstat on a captured image. What is the total capacity of the volume?

A.512 MB
B.1 GB
C.1 MB
D.4 GB
AnswerB

Total sectors * sector size = 2097152 * 512 = 1,073,741,824 bytes = 1 GB.

Why this answer

The `fsstat` and `dstat` commands from The Sleuth Kit (TSK) report file system and data-unit details. The exhibit shows a total of 2097152 sectors with a sector size of 512 bytes. Multiplying 2097152 × 512 = 1073741824 bytes, which is exactly 2^30 bytes, the value the exam calls 1 GB (1024 MB). This is the total capacity of the volume.

Exam trap

EC-Council often tests whether candidates multiply the sector count by the sector size correctly. The trap is misreading the sector count or forgetting that the default sector size is 512 bytes, which leads to 512 MB (confusing the sector size with the capacity) or 4 GB (multiplying by 2048 instead of 512).

How to eliminate wrong answers

Option A is wrong because 512 MB would correspond to 1048576 sectors (512 MB × 2048 sectors per MB), but the exhibit shows 2097152 sectors, which is double that. Option C is wrong because 1 MB is far too small; it would require only 2048 sectors, not the 2 million+ sectors shown. Option D is wrong because 4 GB would require 8388608 sectors (4 × 2097152), but the exhibit shows exactly 2097152 sectors, which is 1 GB.

20
MCQhard

You are acquiring a laptop with a self-encrypting drive (SED) that is powered on and logged in. What is the best method to acquire the drive while preserving encrypted data?

A.Remove the drive and use a forensic bridge that supports SED
B.Power off the laptop and image the drive using a hardware write blocker
C.Acquire a logical image from the running operating system
D.Boot from a forensic live CD and image the drive
AnswerC

Since the system is logged in, the data is decrypted and accessible.

Why this answer

When a self-encrypting drive (SED) is powered on and the user is logged in, the drive's media encryption key is already unlocked and the operating system sees plaintext. Of the options offered, the best way to capture that data in readable form is a logical image taken from the running OS, which collects files and metadata while the decryption context still exists. Cutting power, removing the drive or rebooting relocks the SED, after which only ciphertext is obtainable without the authentication credential. Two practical points: since the machine is live, capture RAM before anything else, and remember that a logical image omits unallocated space and slack, so if the examiner's tooling can also read the unlocked block device from within the running OS, that physical-level capture should be taken as well.

Exam trap

EC-Council often tests the misconception that a hardware write blocker or forensic bridge can always acquire a drive intact. With an SED the deciding factor is the encryption state: powering off or removing the drive relocks it, and no amount of write-blocking hardware turns the resulting ciphertext back into usable evidence without the authentication credential.

How to eliminate wrong answers

Option A is wrong because removing the drive from the powered-on, logged-in laptop cuts its power and relocks it; a forensic bridge that supports SEDs can pass commands to the drive but cannot unlock it without the credential. Option B is wrong because powering off the laptop relocks the SED, so imaging through a hardware write blocker captures only ciphertext, not the readable data the examiner needs. Option D is wrong because booting from a forensic live CD resets the machine and, with it, the drive's unlocked state, so the image taken afterwards is again ciphertext that cannot be decrypted without the credential.
