Bob was asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend for or against using a disk-imaging tool?

A. The evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file.
B. A simple DOS copy will not include deleted files, file slack, and other information.
C. There is no case for an imaging tool because it will use a closed, proprietary format that if compared with the original will not match up sector for sector.
D. A disk-imaging tool would check for internal self-checking and validation and have an MD5 checksum.

Answer: B. A simple DOS copy will not include deleted files, file slack, and other information.