PrepAway - Latest Free Exam Questions & Answers

Which of the following incident response procedures would he need to perform in order to begin the analysis?

In the initial stages of an incident response, Matt, the security administrator, was provided the hard
drives in question from the incident manager. Which of the following incident response procedures
would he need to perform in order to begin the analysis? (Select TWO).

A. Take hashes
B. Begin the chain of custody paperwork
C. Take screen shots
D. Capture the system image
E. Decompile suspicious files

Explanation:
A: Take Hashes. NIST (the National Institute of Standards and Technology) maintains a National
Software Reference Library (NSRL). One of the purposes of the NSRL is to collect “known,
traceable software applications” through their hash values and store them in a Reference Data Set
(RDS). The RDS can then be used by law enforcement, government agencies, and businesses to
determine which files are important as evidence in criminal investigations.
D: A system image is a snapshot of what exists. Capturing an image of the operating system in its
exploited state can be helpful in revisiting the issue after the fact to learn more about it.

