If a computer is on when you arrive at a scene, what does the Secret Service recommend you do?

Explanation:
Preserving evidence integrity and a defensible chain of custody is the focus. When a computer is on upon arrival, the recommended action is to shut it down using the Secret Service procedure. Doing this in a documented, controlled way minimizes the chance of inadvertently altering data, running processes, or logs in a way that could compromise the investigation. It also sets up a clean state for later imaging with proper write-blocking and proven handling of the evidence.

Turning off power abruptly or removing the hard drive outright risks corrupting data structures, overwriting or erasing artifacts, and undermining the integrity of the collection. Leaving the system running leaves volatile memory and live processes exposed, meaning important evidence could be lost or altered before you can capture it. Restarting in safe mode changes the boot state and can modify timestamps and other artifacts, reducing the defensibility of the image.
