Computer evidence at a crime is preserved by making an exact copy of the hard disk. Which of the
following does this illustrate?
A.
Taking screenshots
B.
System image capture
C.
Chain of custody
D.
Order of volatility
Explanation:
A system image would be a snapshot of what exists at the moment. Thus capturing an image of the
operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more
about it.
Incorrect Answers:
A: Taking screenshots is akin to video and screenshots would be to capture all relevant screenshots for
later analysis.
C: Chain of custody is observed to ensure that each step taken with evidence is documented and
accounted for from the point of collection.
D: Order of volatility helps when dealing with multiple issues and volatility refers to the time that you
have to collect certain data before that window of opportunity is closed because some data will exist
longer than others.Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, p. 453