Q: 10
[Introduction to Incident Handling and Response]
Farheen is an incident responder at a reputed IT firm based in Florida. Farheen was asked to investigate a recent cybercrime faced by the organization. As part of this process, she collected static data from a victim system. She used the dd tool command to perform forensic duplication to obtain an NTFS image of the original disk. She created a sector-by-sector mirror image of the disk and saved the output image file as image.dd.
Identify the static data collection process step performed by Farheen while collecting static data.
Options
Discussion
C. The DD tool imaging is a textbook case of system preservation since it’s all about making a forensic copy to keep the original untouched. D always tempts people when they see 'physical', but that’s more for courtroom stuff, not actual collection. If I’m off, let me know.
It's C here
Ugh, EC-Council always loves their odd terminology for standard forensic steps. C
I think C fits here.
Option A
Pretty sure C, saw a similar question in exam reports. Imaging with dd is all about system preservation, not presentation. Agree?
D makes sense to me since creating an image can be seen as a physical presentation of data, not just preservation. I think comparison or admin stuff doesn't fit here. Not totally sure, but D looks like a possible pick.
I don’t think D is right here. Making a forensic dd image is all about system preservation, so C fits best. D is more about actually presenting evidence in a legal setting, which comes after. Trap for anyone reading too fast! Open to corrections if I missed something.
C
D imo. People keep picking C but with the wording about collecting and sector-by-sector copies, feels like it could trip you since D almost sounds right for chain of custody steps. Open to pushback if I'm missing something.
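The dd imaging step described in the question, as an added example that is not part of the original post or thread: a sector-by-sector copy of a disk followed by hash verification of source and image, which is what makes the copy usable as preserved evidence. It assumes GNU coreutils (`dd`, `sha256sum`) and uses a constructed 1 MiB file as a stand-in for the original disk device, so it runs without root or a real disk.

```shell
#!/bin/sh
# Added example (not from the original post): sector-by-sector dd image of a
# constructed "disk" file, then SHA-256 verification of source versus image.
set -eu

WORK="$(mktemp -d)"
SOURCE="$WORK/disk.bin"   # constructed stand-in for the original disk (e.g. /dev/sdX)
IMAGE="$WORK/image.dd"    # output image name used in the question

# Build a 1 MiB stand-in disk (2048 sectors of 512 bytes) with an NTFS-style OEM ID
# at byte offset 3, purely so the image has recognisable content.
make_source_disk() {
    dd if=/dev/zero of="$SOURCE" bs=512 count=2048 2>/dev/null
    printf 'NTFS    ' | dd of="$SOURCE" bs=1 seek=3 conv=notrunc 2>/dev/null
}

# Bit-for-bit copy: bs=512 matches the sector size; conv=noerror,sync keeps going
# past unreadable sectors and pads them with zeros so every offset stays aligned.
image_disk() {
    dd if="$SOURCE" of="$IMAGE" bs=512 conv=noerror,sync 2>/dev/null
}

# SHA-256 of a file; the source and image hashes are what goes into the
# chain-of-custody record so later tampering with the image can be detected.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Size of a file in bytes, to confirm the image covers the whole disk.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Returns 0 when the image hash matches the source hash, 1 otherwise.
verify_image() {
    [ "$(hash_of "$SOURCE")" = "$(hash_of "$IMAGE")" ]
}
```

Running `make_source_disk; image_disk; verify_image && echo "image verified"` performs the full acquire-and-verify cycle; any later change to image.dd makes `verify_image` fail.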