In the initial stages of an incident response, Matt, the security administrator, was provided with the hard drives in
question by the incident manager. Which of the following incident response procedures would he need to
perform in order to begin the analysis? (Choose two.)
A. Take hashes
B. Begin the chain of custody paperwork
C. Take screen shots
D. Capture the system image
E. Decompile suspicious files
Correct answers: A and D.
A: Take hashes. Hashing the drives before anything else gives a baseline that can later prove the evidence (and any image taken from it) has not been altered. NIST (the National Institute of Standards and Technology) maintains the National Software
Reference Library (NSRL). One of the purposes of the NSRL is to collect “known, traceable software
applications” through their hash values and store them in a Reference Data Set (RDS). The RDS can then be
used by law enforcement, government agencies, and businesses to determine which files are important as
evidence in criminal investigations.
D: A system image is a snapshot of what exists. Capturing an image of the operating system in its exploited
state can be helpful in revisiting the issue after the fact to learn more about it.