312-49 Question #320: Real Exam Question with Answer & Explanation

The correct answer is C: Create a sparse data copy of a folder or file. With four 30 TB SANs (120 TB total), performing a full bit-stream disk-to-disk or disk-to-image copy is impractical â€” it would require equivalent destination storage capacity and enormous time. A sparse data copy targets only specific folders or files relevant to the investigat

Submitted by diego_uy· Apr 18, 2026Disk Forensics

Question

You are contracted to work as a computer forensics investigator for a regional bank that has four 30 TB storage area networks that store customer data. What method would be most efficient for you to acquire digital evidence from this network?

Options

AMake a bit-stream disk-to-disk file
BMake a bit-stream disk-to-image file
CCreate a sparse data copy of a folder or file
DCreate a compressed copy of the file with DoubleSpace

Explanation

With four 30 TB SANs (120 TB total), performing a full bit-stream disk-to-disk or disk-to-image copy is impractical â€” it would require equivalent destination storage capacity and enormous time. A sparse data copy targets only specific folders or files relevant to the investigation, making it far more efficient for large-scale enterprise storage. Option D (DoubleSpace) is an obsolete MS-DOS compression utility, not a forensic acquisition method. Full bit-stream copies (A and B) are ideal for smaller media where a complete forensic duplicate is feasible.

Topics

#Digital evidence acquisition#Large-scale forensics#Sparse copying#Forensic efficiency

Community Discussion

No community discussion yet for this question.

Full 312-49 Practice Browse All 312-49 Questions