
CISSP · Question #97

CISSP Question #97: Real Exam Question with Answer & Explanation

The correct answer is B: Create a comparison database of cryptographic hashes of the files from a system with the same.

Submitted by andreas_gr · Mar 5, 2026 · Security Operations

Question

How can a forensic specialist exclude from examination a large percentage of operating system files residing on a copy of the target system?

Options

  • A. Take another backup of the media in question then delete all irrelevant operating system files.
  • B. Create a comparison database of cryptographic hashes of the files from a system with the same
  • C. Generate a message digest (MD) or secure hash on the drive image to detect tampering of the
  • D. Discard harmless files for the operating system, and known installed programs.

Explanation

A forensic specialist can exclude from examination a large percentage of operating system files residing on a copy of the target system by creating a comparison database of cryptographic hashes of the files from a system with the same operating system and patch level. This method is also known as known file filtering or file signature analysis. It allows the forensic specialist to quickly identify and eliminate the files that are part of the standard operating system installation and focus on the files that are unique or relevant to the investigation. This makes the process of exclusion much faster and more accurate than manually deleting or discarding files.
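
The known file filtering described in the explanation, as an added example that is not part of the original page: it hashes a reference tree with SHA-256 (an assumed choice of hash), then splits the evidence copy into files that match the comparison database and files left for examination. The directory trees, file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_known_set(reference_root):
    """Comparison database: hashes of every file on the clean reference system."""
    return {sha256_file(p) for p in Path(reference_root).rglob("*") if p.is_file()}

def filter_known(evidence_root, known):
    """Split the evidence copy into excluded (known) and remaining (to examine)."""
    excluded, remaining = [], []
    root = Path(evidence_root)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            # Matching is by content hash, never by path or file name.
            (excluded if sha256_file(p) in known else remaining).append(rel)
    return excluded, remaining

def write_tree(root, files):
    """Helper that materialises the constructed sample data below."""
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

def demo():
    # Constructed trees standing in for the reference system and the evidence copy.
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as ev:
        write_tree(ref, {"bin/ls": b"ls-v1", "bin/cat": b"cat-v1", "etc/motd": b"hi"})
        write_tree(ev, {
            "bin/ls": b"ls-v1",                   # unchanged OS file: excluded
            "bin/cat": b"cat-v1-modified",        # same path, altered content: kept
            "etc/motd": b"hi",                    # unchanged OS file: excluded
            "home/user/notes.txt": b"user data",  # absent from reference: kept
        })
        return filter_known(ev, build_known_set(ref))

if __name__ == "__main__":
    print(demo())
```

Because the comparison is on content hashes, an operating system file that has been altered in place stays in the set to examine even though its path matches the reference system.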

Topics

#digital forensics #hash analysis #known file filtering #operating system files
