IsacaIsaca
CISM · Question #537
CISM Question #537: Real Exam Question with Answer & Explanation
The correct answer is D: Perform digital hashing of the original and the image.. Computing and comparing cryptographic hashes (e.g., MD5, SHA-1) of the original drive and the forensic image provides verifiable proof that every bit was copied exactly, ensuring integrity.
Submitted by femi9· Apr 18, 2026Information Security Incident Management
Question
An incident handler is preparing a forensic image of a hard drive. Which of the following MUST be done to provide evidence that the image is an exact copy of the original?
Options
- APerform a manual verification of file counts.
- BEncrypt and back up the hard drive before copying.
- CUse the same hardware for the image as the original.
- DPerform digital hashing of the original and the image.
Explanation
Computing and comparing cryptographic hashes (e.g., MD5, SHA-1) of the original drive and the forensic image provides verifiable proof that every bit was copied exactly, ensuring integrity.
Topics
#Forensic Imaging#Evidence Integrity#Digital Hashing#Incident Response
Community Discussion
No community discussion yet for this question.