You have been brought a computer from a network administrator to do a data recovery on$.$ The computer was in use by the CFO of the organization. The network administrator tells you that the CFO got wind that the company was going to be letting them go so they deleted the upcoming quarterly report from their computer and left the organization without notice.

You ask the administrator if anything has changed on the machine since the user left. He mentions that it may have done a Windows update. You take the disk from the computer and take an image of it using DD$.$ The image is then loaded into Autopsy and scanned for deleted files. You don't find any file artifacts using autopsy that would be of interest.

Why would you use an image and not the drive to conduct your investigation?

Answers

A$.$ Avoid accidentally writing to the drive could overwrite deleted files

B$.$ The disk could accidentally boot into the users Windows Desktop

C$.$ This avoids disk cache issues

D$.$ The image is quicker to load than the hard disk