CompTIA Exam Questions

Which of the following procedures could have been imple…

A company executive’s laptop was compromised, leading to a security breach. The laptop was placed into
storage by a junior system administrator and was subsequently wiped and re-imaged. When it was determined
that the authorities would need to be involved, there was little evidence to present to the investigators. Which of
the following procedures could have been implemented to aid the authorities in their investigation?

A.
A comparison should have been created from the original system’s file hashes

B.
Witness testimony should have been taken by the administrator

C.
The company should have established a chain of custody tracking the laptop

D.
A system image should have been created and stored

Explanation:
A system image is a snapshot of what it and if a system image of the compromised system was created and
stored, it is a useful tool when the authorities want to revisit the issue to investigate the incident.