Which is a standard procedure to perform during all computer forensics investigations?
During computer forensics investigations, it's important to check the date and time in the system's CMOS while the hard drive is still in the suspect PC. This helps to ensure that the system's time settings, which can be critical for establishing timelines and corroborating evidence, are accurate and have not been tampered with. Accessing the CMOS date and time without removing the hard drive helps preserve the integrity of the system.
The evidence (the hard disk) will be tampered with if you cannot boot into the CMOS. Remove a hard disk first to prevent that from happening.
Can someone explain why this wouldn't be D? As system time/date is considered volatile data, why would one remove a hard disk first before obtaining it?
Technically, CMOS is powered by a small battery. "Nonvolatile BIOS memory refers to a small memory on PC motherboards that is used to store BIOS settings. It is traditionally called CMOS RAM because it uses a volatile, low-power complementary metal-oxide-semiconductor (CMOS) SRAM (such as the Motorola MC146818 or similar) powered by a small "CMOS" battery when system and standby power is off."
The correct answer is D
Refer to Question #47, Topic 1: "If you plan to start up a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive."