Question 765 of 1,000
Computer Forensics LabeasyMultiple ChoiceObjective-mapped

Quick Answer

The answer is to boot the laptop normally and let BitLocker unlock the drive using the TPM. This is correct because the TPM holds the BitLocker key in its secure storage, and since the laptop was properly shut down and handed over within an hour, the boot configuration remains unchanged, allowing automatic decryption without a recovery key or PIN. On the CHFI exam, this scenario tests your understanding of TPM-based BitLocker acquisition in forensic imaging, specifically how a TPM-only protector works during a live boot when the system state is preserved. A common trap is assuming you need the recovery key or a hardware brute-force tool, but the TPM’s sealed key is still accessible if the boot sequence is unaltered. Remember: if the system was shut down normally and handed over quickly, the TPM is your friend—boot it, don’t break it.

CHFI Computer Forensics Lab Practice Question

This CHFI practice question tests your understanding of computer forensics lab. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

You are a forensic examiner at a corporate security firm. You receive a laptop from the HR department that belonged to a terminated employee. The laptop was used for company business and is suspected of containing unauthorized file-sharing software. The laptop is running Windows 10 with BitLocker drive encryption enabled. Before shutdown, the employee was logged into the system. HR claims the laptop was shut down properly and then handed over within an hour. You are asked to acquire a forensic image of the hard drive for analysis. However, when you boot the laptop, you are prompted for the BitLocker recovery key. HR does not have the key, and the employee refuses to cooperate. The laptop also has a TPM chip. Which of the following is the most appropriate course of action to acquire the data?

Question 1easymultiple choice
Read the full NAT/PAT explanation →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Boot the laptop normally and let BitLocker unlock the drive using the TPM.

Option D is correct because the laptop was shut down properly and handed over within an hour, meaning the TPM (Trusted Platform Module) still holds the BitLocker key in its secure storage. When the system boots normally, BitLocker will automatically unlock the drive using the TPM without requiring a recovery key or user PIN, as long as the boot configuration has not changed. This is the standard behavior for a TPM-only protector configuration, which is common in corporate Windows 10 deployments.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Contact IT to obtain the BitLocker recovery key from Active Directory.

    Why it's wrong here

    Incorrect: This is a valid option if normal boot fails, but not the first step because the TPM should work.

  • Perform a cold boot attack to extract the BitLocker key from memory.

    Why it's wrong here

    Incorrect: This is a complex and invasive technique that should only be used if normal boot fails.

  • Boot from a Linux live USB and use tools to bypass BitLocker.

    Why it's wrong here

    Incorrect: Without the key, Linux cannot decrypt the drive.

  • Boot the laptop normally and let BitLocker unlock the drive using the TPM.

    Why this is correct

    Correct: Since the laptop was shut down properly and has TPM, normal boot should unlock the drive without the recovery key.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

EC-Council often tests the misconception that BitLocker always requires a recovery key or that a cold boot attack is a standard forensic technique, when in fact a properly shut-down system with TPM will unlock automatically, making the simplest boot the correct first step.

Detailed technical explanation

How to think about this question

BitLocker with TPM-only protection uses the TPM to validate the integrity of the boot components (BIOS/UEFI, boot loader, etc.) before releasing the encryption key. If the boot chain is unaltered, the TPM automatically unseals the Volume Master Key (VMK) to decrypt the drive. In a corporate environment, BitLocker recovery keys are often backed up to Active Directory, but the TPM-based unlock is the primary mechanism; the recovery key is only needed if the TPM fails, boot components change, or the drive is moved to another system.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related CHFI practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free CHFI practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this CHFI question test?

Computer Forensics Lab — This question tests Computer Forensics Lab — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Boot the laptop normally and let BitLocker unlock the drive using the TPM. — Option D is correct because the laptop was shut down properly and handed over within an hour, meaning the TPM (Trusted Platform Module) still holds the BitLocker key in its secure storage. When the system boots normally, BitLocker will automatically unlock the drive using the TPM without requiring a recovery key or user PIN, as long as the boot configuration has not changed. This is the standard behavior for a TPM-only protector configuration, which is common in corporate Windows 10 deployments.

What should I do if I get this CHFI question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 30, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This CHFI practice question is part of Courseiva's free EC-Council certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CHFI exam.