PrepAway - Latest Free Exam Questions & Answers

Which of the following procedures could have been implemented to aid the authorities in their investigation?

A company executive’s laptop was compromised, leading to a security breach. The laptop was placed into
storage by a junior system administrator and was subsequently wiped and re-imaged. When it was
determined that the authorities would need to be involved, there was little evidence to present to the
investigators. Which of the following procedures could have been implemented to aid the authorities in
their investigation?


A. A comparison should have been created from the original system’s file hashes

B. Witness testimony should have been taken by the administrator

C. The company should have established a chain of custody tracking the laptop

D. A system image should have been created and stored

Explanation:
A system image is a snapshot of the system, and if a system image of the compromised system had been created
and stored, it would be a useful tool when the authorities want to revisit the issue to investigate the incident.
Incorrect Answers:
A: Taking a hash of the device before and after image duplication is done to verify that the hash of the
image copy being used in a forensic investigation has not changed. In this case the laptop was already
compromised.
B: Witness testimony is not as useful as a system image that has been created and stored because issues
of reliability come into play when people’s memory is relied on. The system image will not change as a
person’s memory changes over time.
C: A chain of custody document details all the persons who had controlling authority over and access to
the evidence. However, a chain of custody must be created and maintained from the moment evidence is
discovered through the presentation of evidence in court. In this case the authorities are still investigating
the issue.

Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 102, 104, 105

