CISSP Question #423: Real Exam Question with Answer & Explanation

The correct answer is C: Create a forensic image of the hard drive.. When conducting a forensic criminal investigation on a computer hard drive, the first thing that should be done prior to analysis is to create a forensic image of the hard drive. A forensic image is a bit-by-bit copy of the original data source that preserves the integrity and au

Submitted by lucia.co· Mar 5, 2026Security Operations

Question

When conducting a forensic criminal investigation on a computer had drive, what should be dene PRIOR to analysis?

Options

ACreate a backup copy of all the important files on the drive.
BPower off the computer and wait for assistance.
CCreate a forensic image of the hard drive.
DInstall forensic analysis software.

Explanation

When conducting a forensic criminal investigation on a computer hard drive, the first thing that should be done prior to analysis is to create a forensic image of the hard drive. A forensic image is a bit-by-bit copy of the original data source that preserves the integrity and authenticity of the evidence. A forensic image should be created using a write-blocker device or software that prevents any modification or alteration of the data on the hard drive. A forensic image should also be verified using a hash function that generates a unique value that can be used to validate the accuracy and completeness of the image. A forensic image can then be analyzed using forensic analysis software or tools without affecting the original data source.

Topics

#digital forensics#forensic imaging#evidence collection#incident response

Community Discussion

No community discussion yet for this question.

Full CISSP Practice Browse All CISSP Questions