Exam 312-49v10 topic 1 question 717 discussion

Answer: C Explanation: (A) ❌ Logical acquisition retrieves only active files, missing unallocated (deleted) data. (B) ❌ Bit-stream disk-to-disk is comprehensive but time/resource-intensive. (C) ✅ Sparse acquisition targets specific files and unallocated fragments, optimizing time/resources. (D) ❌ Bit-stream disk-to-image-file is thorough but inefficient under severe constraints. ----- If you agree, please UPVOTE. Each time you upvote someone with a yellow "SELECTED ANSWER: " banner (like me) your vote is added to the Community Vote Distribution, which helps the community by crowdsourcing correct answers.

While logical acquisition is faster and can efficiently retrieve specific files, it does not capture deleted data. Given that the CHFI must retrieve both specific email files and fragments of unallocated data, bit-stream disk-to-image-file would be the more appropriate choice despite its higher time and resource requirements. This method ensures that all relevant data, including deleted fragments, is available for analysis

so the answer is A logical acquisition

Logical Acquisition is often recommended when the focus is on retrieving specific files or types of data, especially under time constraints. Sparse Acquisition is useful in some scenarios but may not be ideal for comprehensive retrieval of specific files and unallocated data, as it is more selective. Thus, Logical acquisition aligns with the CHFI textbook’s guidance on effectively addressing the need to quickly retrieve specific files and data fragments in a constrained environment.

Sparse acquisition is similar to logical acquisition. Through this method, investigators can collect fragments of unallocated (deleted) data. This method is useful when it is not necessary to inspect the entire drive.

C < https://info-savvy.com/data-acquisition-methods/#:~:text=2.-,Sparse%20Acquisition,to%20inspect%20the%20entire%20drive.