CompTIA Forensics
13 community-sourced questions and answers.
You might want to refer to __________; this is the guideline for evidence collection and archiving, and it gives you a very good set of best practices for forensic data collection.
RFC 3227
Order of volatility: collect from most volatile to least volatile
The most volatile data is what sits in CPU registers and CPU cache, followed by system memory (running processes, routing and ARP tables). Less volatile are temporary file systems and then files stored on disk; remote logging data and the physical network configuration change more slowly still. The least volatile data is archival media, which is usually kept around for years. Because the most volatile data disappears first (a reboot wipes registers, cache and memory), it must be captured first.
Whenever evidence is gathered there needs to be some way to maintain its integrity and control who has access to it. One very common way to do this is with a __________. Everyone who comes in contact with the evidence documents that they handled it, and when, which also deters anyone from tampering with or modifying it. Every piece of evidence is cataloged and labeled, and everything is sealed so that it can be stored and no one is able to tamper with any part of it.
chain of custody
A __________ is a legal technique that ensures any data that may be associated with a particular legal proceeding is held and kept so that nothing is lost. It is usually created to prepare for impending litigation, and it is usually a legal document provided to you as a hold notification, which tells you exactly what kind of data, and how much of it, must be preserved.
legal hold
If this is __________, a separate repository is created just for this data, and you are usually storing many different kinds of data: personal files, documents, or email messages. These legal holds may include ongoing preservation, so you are not only preserving the older data but also any new data that is created.
electronically stored information, or ESI
The contents of a storage drive may contain very valuable forensic data, so it is common to create a __________ of that drive so that you can examine and manipulate a copy without affecting the original. Commonly the image is created on a bit-for-bit or byte-for-byte basis so you have an exact duplicate of everything on the drive, including unallocated space and deleted files, not just the files the operating system shows. There are specialized imaging tools to create this, and you can boot from a separate device to copy the drive without ever mounting or writing to the original.
system image
A __________ allows you to read the data from the drive, but the hardware itself prevents anything from being written to that important forensic data, so even a careless tool or an operating system that auto-mounts the drive cannot alter the original.
hardware write-blocker
A __________ solution captures every packet going across the network and stores and archives that information to disk. From there you can rebuild file transfers and email messages, and examine any specific data transfers that may have occurred across the network.
stream-to-disk
File timestamps are stored in local time, with no time zone recorded (the analyst must know the writing machine's time zone to place them on a timeline)
FAT
File timestamps are stored in UTC (GMT), so they can be compared directly across systems
NTFS
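The FAT versus NTFS timestamp difference above is the kind of thing that silently skews a timeline, so here is an added example (not part of the original study material) that decodes both on-disk formats and puts them on one UTC axis. The sample values, the case of a machine whose clock was set to UTC-5, and the function names are all constructed for illustration; the field layouts (FAT DOS date/time words, NTFS FILETIME as 100-nanosecond intervals since 1601-01-01 UTC) are the real ones.

```python
import datetime
import struct

UTC = datetime.timezone.utc
# NTFS FILETIME: count of 100-nanosecond intervals since 1601-01-01 00:00 UTC,
# stored as a 64-bit little-endian integer.
FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=UTC)


def decode_fat_datetime(date_word: int, time_word: int) -> datetime.datetime:
    """Decode the two 16-bit DOS date/time words of a FAT directory entry.
    The result is naive on purpose: FAT records whatever the writing machine's
    local clock said, with no time-zone information and 2-second resolution."""
    year = 1980 + ((date_word >> 9) & 0x7F)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = (time_word >> 11) & 0x1F
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime.datetime(year, month, day, hour, minute, second)


def decode_fat_entry_bytes(raw: bytes) -> datetime.datetime:
    """Decode the 4 raw bytes of a FAT entry's write-time field (time word first, then date word)."""
    time_word, date_word = struct.unpack("<HH", raw)
    return decode_fat_datetime(date_word, time_word)


def decode_ntfs_filetime(filetime: int) -> datetime.datetime:
    """Decode an NTFS FILETIME into a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + datetime.timedelta(microseconds=filetime // 10)


def decode_ntfs_filetime_bytes(raw: bytes) -> datetime.datetime:
    """Decode the 8 raw little-endian bytes of a FILETIME field."""
    return decode_ntfs_filetime(struct.unpack("<Q", raw)[0])


def encode_ntfs_filetime(dt: datetime.datetime) -> int:
    """Inverse of decode_ntfs_filetime, for building test values and comparisons."""
    delta = dt.astimezone(UTC) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def fat_to_utc(local: datetime.datetime, utc_offset_hours: float) -> datetime.datetime:
    """Normalise a FAT timestamp to UTC. The offset is an analyst assumption about the
    writing machine's configured time zone (including DST at that moment); getting it
    wrong shifts every FAT event on the timeline by that amount."""
    tz = datetime.timezone(datetime.timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=tz).astimezone(UTC)


def build_timeline(fat_local: datetime.datetime, fat_offset_hours: float,
                   ntfs_filetime: int) -> list:
    """Return a FAT event and an NTFS event on a common UTC axis, oldest first."""
    events = [
        ("FAT", fat_to_utc(fat_local, fat_offset_hours)),
        ("NTFS", decode_ntfs_filetime(ntfs_filetime)),
    ]
    return sorted(events, key=lambda e: e[1])


if __name__ == "__main__":
    # Constructed sample: a file written at 14:30:10 on 2024-02-15 by a machine set to UTC-5.
    fat_local = decode_fat_datetime(0x584F, 0x73C5)
    print("FAT  raw :", fat_local, "(no zone recorded)")
    print("FAT  UTC :", fat_to_utc(fat_local, -5))
    # The Unix epoch expressed as a FILETIME is a well-known constant.
    print("NTFS     :", decode_ntfs_filetime(116444736000000000))
    for source, when in build_timeline(fat_local, -5, 133524972000000000):
        print(source, when)
```

Note that the FAT value is naive and only becomes comparable after the time-zone assumption is applied; the NTFS value needs no such assumption. Record the assumed offset in your notes, since it is part of the evidence interpretation.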
128-bit hash, displayed as 32 hexadecimal characters; the chance that two random inputs share a value is one in 2^128. Collisions can nevertheless be constructed deliberately, so on its own it no longer proves integrity against a capable adversary, which is why a SHA-256 value is normally recorded alongside it.
MD5 (Message Digest 5)
32-bit checksum, displayed as 8 hexadecimal characters; a random change has a one in 2^32 chance of going undetected. It catches accidental corruption only, not deliberate tampering, because anyone can craft a modified file with the same value.
CRC hash (CRC-32)
It is very common when capturing files, images, and other digital information to create an MD5 hash, and then it is very easy to reconfirm the data is unchanged by computing the hash again later on and comparing the two values. The hash must be taken at acquisition time and recorded in the chain-of-custody documentation, otherwise there is nothing to compare against.
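The system-image and hash-verification items above describe one procedure: copy the drive bit for bit, hash the source as it streams through, hash the finished image independently, record the digests, and re-verify before anything is trusted. The following is an added example of that procedure (not code from the original study material). The 3 MiB pseudo-random "drive", the case and handler names, and the record layout are constructed for illustration; the hashing and copying are real and work on any file or block device the process can read.

```python
import datetime
import hashlib
import io
import json
import os
import random
import tempfile
import zlib

CHUNK = 1024 * 1024  # stream in 1 MiB blocks; a multi-terabyte image never sits in RAM


def hash_stream(fileobj, sink=None, chunk=CHUNK):
    """One pass over a stream computing MD5, SHA-256 and CRC-32 together.
    If `sink` is given, every block read is also written to it, so the digests
    describe exactly the bytes that went into the image (the dd | tee idea)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    crc, size = 0, 0
    while True:
        block = fileobj.read(chunk)
        if not block:
            break
        md5.update(block)
        sha.update(block)
        crc = zlib.crc32(block, crc)
        size += len(block)
        if sink is not None:
            sink.write(block)
    return {"bytes": size, "md5": md5.hexdigest(), "sha256": sha.hexdigest(),
            "crc32": f"{crc & 0xFFFFFFFF:08x}"}


def hash_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))


def hash_file(path: str) -> dict:
    with open(path, "rb") as f:
        return hash_stream(f)


def image_drive(src_path: str, dst_path: str, case_id: str, handler: str) -> dict:
    """Bit-for-bit copy of the source into an image file. The source is hashed as it
    streams through, then the finished image is re-read and hashed independently;
    the two must agree before the acquisition record is returned. That record is
    the first chain-of-custody entry for the image (hypothetical layout)."""
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        source_hashes = hash_stream(src, sink=dst)
    image_hashes = hash_file(dst_path)
    if image_hashes != source_hashes:
        raise RuntimeError("image does not match source; acquisition failed")
    return {
        "case_id": case_id,
        "acquired_by": handler,
        "acquired_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "source": os.path.basename(src_path),
        "image": os.path.basename(dst_path),
        "hashes": source_hashes,
    }


def verify_image(image_path: str, record: dict) -> bool:
    """Re-hash the image later (before analysis, or whenever custody changes) and
    compare every digest in the record. SHA-256 is the one that holds up against a
    deliberate modification; MD5 and CRC-32 are kept for older tooling and still
    catch accidental corruption."""
    return hash_file(image_path) == record["hashes"]


def run_demo() -> dict:
    """Constructed walk-through: a 3 MiB pseudo-random 'drive' is imaged and verified,
    then a single byte of the image is flipped and verification is repeated."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        drive = os.path.join(workdir, "sdb.raw")
        image = os.path.join(workdir, "sdb.dd")
        with open(drive, "wb") as f:
            f.write(random.Random(1).randbytes(3 * 1024 * 1024))  # deterministic sample data
        record = image_drive(drive, image, case_id="CASE-0001", handler="analyst")
        record_path = os.path.join(workdir, "sdb.dd.json")
        with open(record_path, "w") as f:
            json.dump(record, f, indent=2)
        with open(record_path) as f:
            reloaded = json.load(f)
        results["verified_before_tamper"] = verify_image(image, reloaded)
        with open(image, "r+b") as f:  # flip one bit of one byte in the middle of the image
            f.seek(1_500_000)
            original = f.read(1)
            f.seek(1_500_000)
            f.write(bytes([original[0] ^ 0x01]))
        results["verified_after_tamper"] = verify_image(image, reloaded)
        results["record"] = reloaded
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On a real acquisition the source would be a block device opened read-only behind a write-blocker, and the record would be stored separately from the image and signed or printed into the custody log; a later analyst re-runs only the verification step, never the copy.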