CISSP Question #1496: Real Exam Question with Answer & Explanation
The correct answer is B: Make a copy of the hard drive.
Question
What should be the FIRST action to protect the chain of evidence when a desktop computer is involved?
Options
- A. Take the computer to a forensic lab
- B. Make a copy of the hard drive
- C. Start documenting
- D. Turn off the computer
Explanation
When preserving digital evidence from a desktop computer, the first priority is to create a forensic image of the hard drive to capture a bit-for-bit copy of volatile and stored data before anything else is done.
Common mistakes:
- A. Transporting the computer to a forensic lab before imaging risks physical damage, data alteration, or loss of volatile evidence that should have been captured on-site first.
- C. Documentation is critical but comes after securing the evidence itself; starting to document before imaging risks allowing data to change or be lost while time is spent writing notes.
- D. Turning off the computer without first imaging can destroy volatile data in RAM, active processes, and network connections that are part of the evidence and cannot be recovered after power loss.
Concept tested: digital forensics, chain-of-evidence preservation.
Reference: https://www.nist.gov/system/files/documents/forensics/SP800-86.pdf