Question 2
Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system.
What would be the primary reason for you to recommend a disk imaging tool?
A disk imaging tool would check for CRC32s for internal self-checking and validation and have MD5 checksum
Evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file
A simple DOS copy will not include deleted files, file slack and other information
There is no case for an imaging tool as it will use a closed, proprietary format that if compared to the original will not match up sector for sector
Correct answer: C