Which action is NOT recommended when preserving evidence?

Enhance your knowledge as a Computer Hacking Forensic Investigator with the CHFI v11 Test. Use flashcards and multiple-choice questions, complete with hints and detailed explanations, to prepare effectively and ace your exam!

Multiple Choice

Which action is NOT recommended when preserving evidence?

Explanation:
Preserving evidence means keeping the system and its data as close to the original state as possible, so any action that could change data, timestamps, or the state of files is avoided unless absolutely necessary and properly documented.

Turning on the computer to extract Windows Event Viewer log files is not recommended because booting or powering up a device can modify volatile data, trigger startup processes, and create new log entries that were not there before. This can alter the evidence and complicate the reconstruction of what actually happened. Accessing logs after the fact on a live machine risks contaminating the data and undermining the integrity of the investigation.

Documenting what you observe on the monitor and peripherals is a safe first step, as it records the current state without changing anything. Verifying the monitor's power state helps you establish the baseline condition of the display, which is important for interpreting what you will or will not be able to see or extract. Removing the power cable, when done with a proper, controlled procedure and where appropriate (for example, when the device is already powered down or when your policy allows it with safeguards), can be part of preserving evidence by preventing further activity. In contrast, turning the system on to grab logs introduces changes, so that action is avoided.

