
220-801 · Question #39

220-801 Question #39: Real Exam Question with Answer & Explanation

The correct answer is B: Turn off the computer. Turning off the computer is NOT a best practice because it destroys volatile evidence held in RAM.

Question

Which of the following is NOT a best practice when prohibited activity is suspected?

Options

  • A. Back up the hard drive
  • B. Turn off the computer
  • C. Document the incident
  • D. Identify the content

Explanation

Turning off the computer is NOT a best practice because it destroys volatile evidence. Data held in RAM (such as running processes, open network connections, encryption keys, and temporary files) is permanently lost when power is removed, which can compromise a forensic investigation. The correct practices are to document the incident (C), identify the content (D), and back up the hard drive (A) to preserve non-volatile evidence, while leaving the system running so that trained personnel can capture the volatile data.
