Certified Incident Handler (CIH) Practice Exam

Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


What step should a first responder not follow regarding open and startup files at a crime scene?

  1. Open any old documents from the startup folder

  2. Do not open any recently created documents from the startup or system32 folder in Windows

  3. Review previously accessed files before gathering evidence

  4. Log the filenames of all open documents

The correct answer is: Do not open any recently created documents from the startup or system32 folder in Windows

The appropriate approach for first responders at a crime scene emphasizes the integrity of digital evidence. One critical step they should avoid is opening recently created documents from the startup or system32 folders in Windows. This is because such actions can alter timestamps or metadata associated with the files, potentially compromising the evidence. The startup folder often contains programs that run at system boot, while the system32 folder is integral to Windows operation; accessing files there could unintentionally modify crucial data.

By refraining from opening recently created documents in these significant directories, responders preserve the original state of the files, which is vital for forensic analysis. This ensures that the evidence remains admissible in court and that the investigation maintains its integrity.

In contrast, reviewing previously accessed files, logging filenames of open documents, and even looking at older documents can contribute to understanding the context of the crime without impacting the integrity of the data. These practices help build a clear picture of user activity while safeguarding the evidence collected at the scene.