In the initial stages of an incident response, Matt, the security administrator, was given the hard
drives in question by the incident manager. Which of the following incident response procedures
would he need to perform in order to begin the analysis? (Select TWO).

A. Take hashes
B. Begin the chain of custody paperwork
C. Take screen shots
D. Capture the system image
E. Decompile suspicious files
Explanation:
A: Take hashes. Hashing the drives as received establishes an integrity baseline: any later change to the
evidence, accidental or deliberate, shows up as a mismatch against the recorded hash. Hashes also allow
known files to be identified. NIST (the National Institute of Standards and Technology) maintains a
National Software Reference Library (NSRL). One of the purposes of the NSRL is to collect "known,
traceable software applications" through their hash values and store them in a Reference Data Set (RDS).
The RDS can then be used by law enforcement, government agencies, and businesses to determine which
files are important as evidence in criminal investigations.
D: Capture the system image. A system image is a bit-for-bit snapshot of what exists on the drive.
Capturing an image of the operating system in its exploited state means the analysis can be done on the
copy while the original is preserved, and the issue can be revisited after the fact to learn more about it.
Incorrect Answers:
B: The chain of custody paperwork should have been started by whoever first collected the drives, not by
the security administrator. By the time the drives reach him the evidence has already been removed from
the scene, and he does not know where it has been or who had it until it was given to him, so a record he
started now would be incomplete. He can only continue the existing record.
C: Taking screen shots is too late at this point, since only the hard drives in question were handed to the
security administrator by the incident manager and there is no running system to capture. We could
assume that the incident manager had already taken screenshots.
E: Decompiling suspicious files can only happen once the hard drives (or, preferably, a verified image of
them) have been mounted, so it is not a first step.
Reference: Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex,
Indianapolis, 2014, pp. 453-454