When collecting electronic evidence at a crime scene, the data collection should proceed from most volatile to least volatile. Which statement best describes this principle?

Multiple Choice

Explanation:
The principle being tested is the order of volatility: evidence is collected starting with the data most likely to change or disappear and ending with the data that persists. The ordering usually cited (RFC 3227, "Guidelines for Evidence Collection and Archiving") runs from CPU registers and cache, through memory, the process table, routing table, ARP cache and other kernel state, then temporary file systems, then disk, then logs held on remote systems, then physical configuration and network topology, and finally archival media. RAM contents, running processes, open network connections and other in-memory artifacts are lost the moment the system is powered off or rebooted, and they change continuously while it runs, so any delay makes it impossible to establish the state of the machine at the moment of seizure. Investigators therefore perform a live acquisition first (a memory dump, process list, active connections, logged-on users, open files and similar volatile state), recording the time of each action, and only then acquire non-volatile evidence such as disk images and logs stored on disk. One caveat a practitioner should keep in mind is that live collection itself alters volatile state: every tool that is run consumes memory and creates process and network activity, so collectors should be run from trusted media, their output written to the examiner's own storage rather than the suspect disk, and every command documented so the footprint can be accounted for later. Collecting in this order preserves the most ephemeral information and yields a defensible evidence record, so the correct option is the statement that the most volatile data (memory and other live system state) is collected first because it can be lost or altered before less volatile data is.
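The following script is an added illustration of the procedure above; it is not part of the exam page or of any CHFI tool. It tags each collection step with a volatility tier (tier names and their order follow RFC 3227 section 2.1), runs the steps most-volatile-first, stores each artifact, and records a SHA-256 hash and UTC timestamp per artifact in a manifest, so the acquisition order is itself part of the evidence record. The Linux commands listed are standard tools; a full RAM capture (LiME, AVML or similar) would be the first item of the memory tier but is omitted here because it needs a kernel-specific tool. The step names, tier labels and the `evidence` output directory are choices made for this example.

```python
"""Live acquisition in order of volatility (added example, not the page's own code)."""
import hashlib
import json
import os
import platform
import subprocess
import sys
import time
from dataclasses import dataclass

# Most volatile (0) to least volatile (6), after RFC 3227 section 2.1.
VOLATILITY_RANK = {
    "registers_cache": 0,
    "memory_process_network_kernel": 1,
    "temporary_filesystems": 2,
    "disk": 3,
    "remote_logging": 4,
    "physical_config_topology": 5,
    "archival_media": 6,
}


@dataclass(frozen=True)
class CollectionStep:
    name: str
    tier: str
    argv: tuple  # read-only command; its stdout is the artifact


# Listed in an arbitrary order on purpose: order_by_volatility() sequences them.
LINUX_STEPS = [
    CollectionStep("mounted_filesystems", "disk", ("cat", "/proc/mounts")),
    CollectionStep("tmpfs_listing", "temporary_filesystems", ("ls", "-laR", "/dev/shm")),
    CollectionStep("system_time", "memory_process_network_kernel", ("date", "-u")),
    CollectionStep("process_list", "memory_process_network_kernel",
                   ("ps", "-eo", "pid,ppid,user,lstart,cmd")),
    CollectionStep("network_connections", "memory_process_network_kernel", ("ss", "-tunap")),
    CollectionStep("arp_cache", "memory_process_network_kernel", ("ip", "neigh", "show")),
    CollectionStep("routing_table", "memory_process_network_kernel", ("ip", "route", "show")),
    CollectionStep("logged_on_users", "memory_process_network_kernel", ("who", "-a")),
    CollectionStep("kernel_modules", "memory_process_network_kernel", ("cat", "/proc/modules")),
]


def order_by_volatility(steps):
    """Stable sort by tier, so steps within one tier keep their listed order."""
    return sorted(steps, key=lambda s: VOLATILITY_RANK[s.tier])


def run_step(step, evidence_dir, timeout=60):
    """Run one collector, store its stdout, and return a manifest entry.

    A missing tool or a timeout is recorded in the entry instead of raised,
    so one failure does not abort the rest of the time-critical collection.
    """
    started = time.time()
    entry = {
        "name": step.name,
        "tier": step.tier,
        "rank": VOLATILITY_RANK[step.tier],
        "argv": list(step.argv),
        "started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(started)),
    }
    try:
        proc = subprocess.run(step.argv, capture_output=True, timeout=timeout, check=False)
    except (OSError, subprocess.TimeoutExpired) as exc:
        entry["error"] = repr(exc)
        return entry
    path = os.path.join(evidence_dir, f"{entry['rank']}_{step.name}.txt")
    with open(path, "wb") as fh:
        fh.write(proc.stdout)
    entry.update(
        returncode=proc.returncode,
        stderr=proc.stderr.decode(errors="replace")[:200],
        path=path,
        bytes=len(proc.stdout),
        sha256=hashlib.sha256(proc.stdout).hexdigest(),
        duration_s=round(time.time() - started, 3),
    )
    return entry


def acquire(steps, evidence_dir):
    """Collect all steps most-volatile-first and write manifest.json next to them.

    evidence_dir should be on the examiner's own media, not the suspect disk.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    entries = [run_step(step, evidence_dir) for step in order_by_volatility(steps)]
    manifest = {
        "host": platform.node(),
        "collector_pid": os.getpid(),  # the collector's own footprint, for the record
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "entries": entries,
    }
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


if __name__ == "__main__":
    out = acquire(LINUX_STEPS, sys.argv[1] if len(sys.argv) > 1 else "evidence")
    for e in out["entries"]:
        print(e["rank"], e["name"], e.get("sha256", e.get("error")))
```

Run it as root from trusted media with the output directory on external storage (for example `python3 acquire.py /mnt/examiner/case42`). The manifest records the commands, their start times and the hash of every artifact, which is what lets the collector's own activity on the live system be distinguished from the suspect's later on; the disk image itself is taken afterwards with a dedicated imaging tool rather than from inside this script.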
