Exam 312-49v10 topic 1 question 232 discussion

Actual exam question from ECCouncil's 312-49v10
Question #: 232
Topic #: 1

Why should you never power on a computer that you need to acquire digital evidence from?

  • A. When the computer boots up, files are written to the computer rendering the data unclean
  • B. When the computer boots up, the system cache is cleared which could destroy evidence
  • C. When the computer boots up, data in the memory buffer is cleared which could destroy evidence
  • D. Powering on a computer has no effect when needing to acquire digital evidence from it
Suggested Answer: C

Comments

Manzer
Highly Voted 9 months, 2 weeks ago
Selected Answer: C
When a computer is powered on, data in the memory buffer is cleared which could potentially destroy evidence. The memory buffer, also known as RAM (Random Access Memory), is where a computer temporarily stores data and programs that are currently running. If the computer is shut down improperly, or if the power is cut off, the data in the memory buffer may be lost or corrupted. This is why it is important to avoid powering on a computer that you need to acquire digital evidence from. Instead, you should use specialized software and hardware tools to extract the data from the computer's hard drive in a forensically sound manner, without altering or destroying any of the data.
upvoted 5 times
[Removed]
2 months, 1 week ago
Umm, this is wrong? You said it yourself, memory buffer is located in RAM, but any data in RAM would be lost after the computer shuts down. The best answer here is A. It has been repeated many many times in all digital forensics material in Sec+, CISSP, etc., that booting a computer up may change the checksum of the entire disk, especially Windows. Different checksum means the data is unclean.
upvoted 2 times
044f354
Most Recent 1 week, 4 days ago
Selected Answer: A
This is a forensics course. Your mindset should always be forensics first. Preserving the system in its current state is crucial for forensic integrity. A. Correct: Booting a computer modifies the system (e.g., updating logs, temp files), potentially overwriting critical evidence. B. Incorrect: The system cache is not cleared during boot; this option misrepresents the behavior of caches. C. Incorrect: Data in memory buffers is already volatile and lost when the computer is powered off, not during boot-up. D. Incorrect: Powering on a computer does affect digital evidence integrity by altering data on the disk.
upvoted 1 times
lol105
1 month ago
Selected Answer: A
A is correct because the computer RAM was already free when it was down.
upvoted 4 times
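
The checksum argument raised in the comments above can be shown concretely. The following is an added example, not part of any commenter's post: it records a per-block SHA-256 manifest at acquisition time and then shows that a single small write, of the kind a booting OS makes, changes the whole-image hash and can be localized to a block. The 4096-byte block size, the function names and the sample "disk" bytes are assumptions constructed for the illustration.

```python
import hashlib

BLOCK = 4096  # assumed block size for the per-block manifest

def manifest(image: bytes, block: int = BLOCK) -> dict:
    """Return the whole-image SHA-256 plus one SHA-256 per fixed-size block."""
    blocks = [hashlib.sha256(image[i:i + block]).hexdigest()
              for i in range(0, len(image), block)]
    return {"size": len(image),
            "image": hashlib.sha256(image).hexdigest(),
            "blocks": blocks}

def verify(acquired: dict, image: bytes, block: int = BLOCK) -> list:
    """Compare a later image against the acquisition manifest.

    Returns the indexes of blocks whose hash differs (empty list = unchanged).
    Blocks present on only one side (size change) are reported as changed.
    """
    current = manifest(image, block)
    if current["image"] == acquired["image"]:
        return []
    a, c = acquired["blocks"], current["blocks"]
    common = min(len(a), len(c))
    changed = [i for i in range(common) if a[i] != c[i]]
    changed += list(range(common, max(len(a), len(c))))
    return changed

def simulate_boot_write(image: bytes, offset: int, data: bytes) -> bytes:
    """Constructed stand-in for a boot-time write (e.g. a log entry update)."""
    return image[:offset] + data + image[offset + len(data):]

# Constructed sample "disk": 16 blocks of deterministic filler, not real evidence.
ORIGINAL = b"".join(bytes([n]) * BLOCK for n in range(16))
ACQUIRED = manifest(ORIGINAL)

# One 24-byte write landing inside block 5, as a booting OS might do to a log.
BOOTED = simulate_boot_write(ORIGINAL, 5 * BLOCK + 100, b"boot: session started\n..")

if __name__ == "__main__":
    print("untouched copy :", verify(ACQUIRED, ORIGINAL))
    print("after one write:", verify(ACQUIRED, BOOTED))
```
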
Community vote distribution
A (35%)
C (25%)
B (20%)
Other