Question
Why should a forensic investigator analyze a desktop computer on-site instead of taking it to a lab? (1 point)
Signing out would delete the SIEM.
Turning it off would delete the ROM.
Moving it would erase the RAM.
Disconnecting from the net would disrupt the FAT
Signing out would delete the SIEM.
Turning it off would delete the ROM.
Moving it would erase the RAM.
Disconnecting from the net would disrupt the FAT
Answers
GPT-4o mini
A forensic investigator should analyze a desktop computer on-site instead of taking it to a lab primarily because **moving it would erase the RAM**. When a computer is powered on, its RAM (Random Access Memory) stores volatile data, which can include important information relevant to an investigation, such as active sessions, unsaved work, or other transient data that may be critical to the forensic analysis. If the computer is turned off or moved, this data would be lost. While there are other considerations in terms of evidence preservation and maintaining the integrity of the investigation, the immediate loss of volatile data is a key reason for on-site analysis.