Which three types of evidence can be added to a case in FTK?

Prepare for your FTK AccessData Certified Examiner (ACE) Test. Use flashcards and multiple-choice questions with explanations. Get ready for your certification exam!

In FTK, the ability to add evidence types is crucial for building and analyzing a case effectively. The correct selection highlights three specific forms of evidence: logical drive, contents of a folder, and acquired image of a drive.

A logical drive refers to one of the distinct sections of a storage device that is treated as an independent drive by the operating system. Analyzing a logical drive allows forensic examiners to access and investigate specific segments of data without needing to examine entire physical drives, which can be time-consuming.

The contents of a folder provide a focused view of the files and subfolders within a particular directory. This allows investigators to zero in on relevant files that may hold significant information pertinent to the case, rather than wading through irrelevant data.

An acquired image of a drive is a bit-for-bit copy of the entire drive, including all files, system data, and unallocated space. This type of evidence is critical for forensic investigations as it ensures the integrity of the data is preserved for analysis. By working with a drive image, examiners can perform detailed examinations without altering the original data.

The other choices, while they include various forms of data that can be integral to digital investigations, do not align as closely with the specific types that FT
