PrepAway - Latest Free Exam Questions & Answers

Which of the following will allow the team member to pe…

An incident response team member needs to perform a forensics examination but does not have the required hardware. Which of the following will allow the team member to perform the examination with minimal impact to the potential evidence?

A. Using a software file recovery disc

B. Mounting the drive in read-only mode

C. Imaging based on order of volatility

D. Hashing the image after capture

Explanation:
Mounting the drive in read-only mode will prevent any executable commands from being executed. This in turn will have the least impact on potential evidence using the drive in question.
Incorrect Answers:
A: A software file recovery disk will restore whatever was changed or modified to its operational saved state and thus tamper with evidence, which is contrary to what is required from the team member.
C: Images are used to restore operating systems and applications because they involve snapshots of what exists on the hardware. The team member is supposed to perform a forensic procedure with that very same hardware.
D: Hashing the image after capture will preserve that which exists at the moment, and in this case the team member must run a forensic procedure using the very same hardware.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 453-454, 461

