Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the
compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary
reason for you to recommend a disk imaging tool?
A.
A disk imaging tool would check for CRC32s for internal self-checking and validation and have MD5
checksum
B.
Evidence file format will contain case data entered by the examiner and encrypted at the beginning of the
evidence file
C.
A simple DOS copy will not include deleted files, file slack and other information
D.
There is no case for an imaging tool as it will use a closed, proprietary format that if compared to the
original will not match up sector for sector