You are a forensic investigator responding to a security incident at a medium-sized company. The incident involved an attacker gaining unauthorized access to a Windows Server 2019 system. The server was taken offline by the IT team immediately after detection. Your task is to acquire forensic evidence from the server's hard drive. The server has a single 500 GB NTFS partition. You have a forensic workstation with a write blocker, a SATA-to-USB adapter, and a forensic imaging tool that supports both dd and EWF (E01) formats. The server is still physically in the server room, and the IT team has powered it off. You need to create a forensic image that preserves the integrity of the evidence and allows for efficient analysis. Which of the following is the most appropriate course of action?
This method uses a write blocker to preserve integrity, and EWF format provides compression and metadata for efficient analysis.
Why this answer
Option D is correct because it follows best practices for forensic acquisition: removing the hard drive and connecting it via a write blocker ensures that no data is altered during imaging. Using EWF (E01) format provides compression, metadata, and integrity checks (e.g., CRC32, MD5, SHA-1), which are essential for efficient analysis and evidence preservation. Storing the image locally on the forensic workstation avoids network latency and potential data corruption.
Exam trap
EC-Council often tests the misconception that using a forensic live CD is sufficient for write protection, but without a hardware write blocker, the OS may still write to the drive (e.g., via journaling or mount operations), compromising evidence integrity.
How to eliminate wrong answers
Option A is wrong because booting the server with a forensic live CD and using dd to an external USB drive risks modifying the system's volatile data and does not guarantee write-blocking at the hardware level; the live CD's kernel may still write to the internal drive.

Option B is wrong because a system state backup is not a forensic image; it captures only system files and registry, not the entire partition, and it modifies the original drive during the backup process.

Option C is wrong because using dd over a network connection introduces potential data integrity issues due to network latency, packet loss, or interception, and it is less efficient than local storage; the image should be stored on a trusted forensic workstation drive.