Computer Hacking Forensic Investigator (CHFI) Practice Exam

The statement about turning on the computer and extracting Windows event viewer log files is incorrect in the context of preserving digital evidence. When it comes to forensic investigations, maintaining the integrity of digital evidence is paramount. This includes ensuring that no alterations are made to the data on the system being investigated.

Applying power to a system, particularly turning on a computer, risks changing its state and potentially modifying or overwriting important log files and other data. The Windows event viewer logs, for instance, can contain critical information regarding system activity and user actions, and accessing them while the system is live could compromise their integrity.

In the situation of a digital forensic investigation, the standard practice is to create a forensic image of the hard drive or storage device while the system is powered off, thereby preserving the exact state and contents of the data without risking modifications that could affect subsequent analysis. The other options focus on important preservation practices, such as documenting observations, checking the power state to understand the environment, and ensuring that changes are minimized during the examination process.