312-49 Question #202: Real Exam Question with Answer & Explanation
The correct answer is D: Searching can change date/time stamps.
Question
A small law firm located in the Midwest has possibly been breached by a computer hacker looking to obtain information on their clientele. The law firm does not have any on-site IT employees, but wants to search for evidence of the breach themselves to prevent any possible media attention. Why would this not be recommended?
Options
- A. Searching for evidence themselves would not have any ill effects
- B. Searching could possibly crash the machine or device
- C. Searching creates cache files, which would hinder the investigation
- D. Searching can change date/time stamps
Explanation
When untrained personnel access and search through a potentially compromised system, they inadvertently modify file metadata — most critically, timestamps such as last accessed, last modified, and created dates. These timestamps are vital forensic artifacts that establish timelines of events. Altering them, even unintentionally, can destroy critical evidence and render it inadmissible in court. Forensic investigators use write-blockers and forensic imaging tools precisely to prevent this kind of contamination. While options B and C have some partial truth in specific scenarios, the most universally significant and legally consequential risk is timestamp alteration (option D).