What is a key limitation of using a DOS copy for evidence transfer?

• A. It will not include deleted files, file slack, and other information
• B. It logs every action automatically
• C. It verifies integrity with MD5
• D. It captures all metadata

Answer: (A)

In evidence handling, you want a transfer method that preserves every artifact that could be relevant, including data that isn’t visible as a live file. A DOS copy copies only currently allocated files and their contents, not data that has been deleted or is stored in slack space. It won’t capture deleted files, slack space, unallocated sectors, or other hidden artifacts, so important remnants on the disk can be missed. That’s why this approach is limited for evidentiary use.

Additionally, this method doesn’t automatically log actions, doesn’t perform integrity checks like MD5 by itself, and doesn’t guarantee comprehensive metadata capture, all of which are important for defensible evidence transfer.