Great News!
Many students who study using our platform have reported that a large number of the practice questions here are very similar to those that appear in real exams. View Courses
Many students who study using our platform have reported that a large number of the practice questions here are very similar to those that appear in real exams. View Courses
A forensic investigator started the process of gathering evidence on a laptop in response to an incident. The investigator took a snapshot of the hard drive, copied relevant log files, and then performed a memory dump. Which of the following steps in the process should have occurred FIRST?
The correct answer is: C. Collect the most volatile data.
In digital forensics, the order of volatility dictates the sequence of evidence collection, starting with the most volatile (easily lost or altered) data. The investigator should have collected the most volatile data first, such as system memory (RAM), network connections, and running processes, because this data is temporary and could be lost if the system is powered down or restarted.
The correct sequence for evidence collection is:
In this case, the investigator performed a memory dump after other actions, which violates the principle of collecting volatile data first.
Why the other options are incorrect:
Preserve secure storage:
Clone the disk:
Copy the relevant log files:
No Payment Cards Needed
Discover a range of courses designed to provide you with the knowledge and skills needed to excel in your chosen field.
You don’t need one month to study and pass your test.
With Prepsaret, it takes you a few days to grasp all the concepts needed to pass your exams
