CAS-003 Question #661: Real Exam Question with Answer & Explanation

The correct answer is A: Create an image of the hard drive.

Question

A security engineer discovers a PC may have been breached and accessed by an outside agent. The engineer wants to find out how this breach occurred before remediating the damage. Which of the following should the security engineer do FIRST to begin this investigation?

Options

  • A. Create an image of the hard drive
  • B. Capture the incoming and outgoing network traffic
  • C. Dump the contents of the RAM
  • D. Parse the PC logs for information on the attacker.

Explanation

The foundational principle of digital forensics is evidence preservation. Creating a forensic image (a bit-for-bit copy) of the hard drive first ensures that all evidence is captured and preserved in its original state before any investigation activity, such as log parsing or remediation, can alter or destroy artifacts. The investigation then proceeds on the copy, with the original secured, which maintains chain of custody and evidentiary integrity. Capturing network traffic (B) is useful for ongoing monitoring but records only future activity; it does not preserve the evidence already on the system. Dumping RAM (C) captures volatile data and is time-sensitive on a live system, but the question frames this as the start of an investigation after the breach has been discovered, and a drive image is the stable, non-volatile starting point. Parsing logs (D) is a downstream analysis step that should be performed on the forensic image, not on the live system.
