PrepAway - Latest Free Exam Questions & Answers

Which of the following does not correctly describe the efforts that should be taken to protect an image?

Great care must be taken to capture clues from a computer or device during a forensics exercise. Which of the following does not correctly describe the efforts that should be taken to protect an image?


A.
The original image should be hashed with MD5 and/or SHA-256.

B.
Two time-stamped images should be created.

C.
New media should be properly purged before images are created on them.

D.
Some systems must be imaged while they are running.

Explanation:
D: Acquiring evidence on live systems and those using network storage complicates matters because you cannot turn off the system in order to make a
copy of the hard drive. Business-critical systems commonly cannot suffer downtime. So these systems and others, such as those using on-the-fly
encryption, must be imaged while they are running. Thus, the answer, “Some systems must be imaged while they are running,” is correct in and of itself.
However, this measure is not one that is taken to protect an image, as the question specifies. It is taken to avoid interrupting business operations.
A is incorrect because hashing the original image with MD5 and/or SHA-256 is a measure that is taken to protect the original image during the investigative
process. To ensure that the original image is not modified, message digests are created for files and directories before and after the analysis; a matching
digest afterwards proves the integrity of the original image. MD5 and SHA-256 are just two of the hashing algorithms that can be used. Because MD5 is
no longer collision resistant, a SHA-256 digest should be recorded alongside any MD5 value rather than relying on MD5 alone.
B is incorrect because two time-stamped images should be created to ensure the integrity of the data during the investigative process. The original media should
have two copies created: a primary image (a control copy that is stored in a library) and a working image (used for analysis and evidence collection). These
should be time-stamped to show when the evidence was collected. The investigator works from the working image because doing so preserves the original
evidence, prevents inadvertent alteration of the original evidence during examination, and allows the working image to be re-created from the control copy if necessary.
C is incorrect because when newly created images need to be saved to a new medium, the medium has to be “clean” of any residual data. Purging a
new medium before an image is created and saved to it is a necessary measure to ensure that any old data does not contaminate the images. The
investigator must make sure the new medium has been properly purged, meaning it does not contain any residual data. Some incidents have occurred
where drives that were new and right out of the box (shrink-wrapped) contained old data not purged by the vendor.
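The three protective measures in options A, B and C, as an added example that is not part of the original page: the script below hashes an image with MD5 and SHA-256 (streamed, so multi-gigabyte images fit in memory), checks that a new medium contains only zero bytes before anything is written to it, creates a time-stamped primary (control) copy and working copy, and re-verifies the digests after the working copy has been modified. The sample "disk image", the medium file and the `demo()` workflow are constructed for illustration; the function names are this example's own, not a tool's API.

```python
"""Chain-of-custody helpers for a forensic disk image (added example, constructed data)."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Record both algorithms: MD5 for compatibility with older case notes, SHA-256 for collision resistance.
ALGORITHMS = ("md5", "sha256")


def _digests(chunks, algorithms):
    """Feed every chunk to every hasher once and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, algorithms=ALGORITHMS):
    """Digests of an in-memory byte string (used for known-answer checks)."""
    return _digests([data], algorithms)


def digest_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Digests of a file or block device, read in 1 MiB chunks so large images never load whole."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(chunk_size), b""), algorithms)


def medium_is_purged(path, chunk_size=1 << 20):
    """True only if every byte of the target medium is zero, i.e. it carries no residual data."""
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            if chunk.count(0) != len(chunk):
                return False
    return True


def make_copies(original, dest_dir):
    """Create a time-stamped primary (control) image and working image and return a manifest."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    base = os.path.basename(original)
    primary = os.path.join(dest_dir, f"{base}.primary.{stamp}.img")
    working = os.path.join(dest_dir, f"{base}.working.{stamp}.img")
    baseline = digest_file(original)  # digests taken before any copy is made
    for copy in (primary, working):
        shutil.copyfile(original, copy)
        # Each copy must hash identically to the original, or it is not a faithful image.
        if digest_file(copy) != baseline:
            raise RuntimeError(f"{copy} does not match the original's digests")
    return {"original": original, "primary": primary, "working": working,
            "timestamp_utc": stamp, "digests": baseline}


def verify_integrity(path, expected):
    """Re-hash after analysis; any algorithm disagreeing with the baseline means the image changed."""
    actual = digest_file(path, algorithms=tuple(expected))
    return all(actual[name] == expected[name] for name in expected)


def demo(workdir=None):
    """Run the whole workflow on a constructed sample image and report each check's outcome."""
    workdir = workdir or tempfile.mkdtemp(prefix="forensic_demo_")
    original = os.path.join(workdir, "evidence.dd")
    with open(original, "wb") as fh:  # constructed stand-in for an acquired image, not real evidence
        fh.write(b"EB3C90MSDOS5.0" + bytes(range(256)) * 16)
    medium = os.path.join(workdir, "new_medium.bin")
    with open(medium, "wb") as fh:  # constructed stand-in for a freshly purged destination drive
        fh.write(b"\x00" * 4096)
    purged = medium_is_purged(medium)
    manifest = make_copies(original, workdir)
    expected = manifest["digests"]
    # The analyst writes to the working image; original and primary must still match the baseline.
    with open(manifest["working"], "r+b") as fh:
        fh.seek(0)
        fh.write(b"X")
    return {
        "medium_purged": purged,
        "original_intact": verify_integrity(original, expected),
        "primary_intact": verify_integrity(manifest["primary"], expected),
        "working_intact": verify_integrity(manifest["working"], expected),
    }


if __name__ == "__main__":
    print(demo())
```

Pointing `digest_file` or `medium_is_purged` at a device node such as `/dev/sdb` works the same way as at a file, since both are read in chunks; the purge check only proves the medium is all zeros, so a drive that was sanitised with a pattern other than zero should be re-zeroed (or the expected pattern checked) before it receives an image.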

One Comment on “Which of the following does not correctly describe the efforts that should be taken to protect an image?”

  1. joe says:

    Acquiring evidence on live systems and those using network storage complicates matters because you cannot turn off the system in order to make a
    copy of the hard drive. Business-critical systems commonly cannot suffer downtime. So these systems and others, such as those using on-the-fly
    encryption, must be imaged while they are running. Thus, the answer, “Some systems must be imaged while they are running,” is correct in and of itself.

