PrepAway - Latest Free Exam Questions & Answers

Which of the following should Jane, a security administrator, perform before a hard drive is analyzed with
forensics tools?

A. Identify user habits

B. Disconnect system from network

C. Capture system image

D. Interview witnesses

Explanation:
Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue
after the fact to learn more about it, in much the same way that a virus sample is kept in
laboratories to study later after an outbreak. You should also act in the order of volatility, which states that
the system image capture is first on the list of a forensic analysis.
Incorrect Answers:
A: User habits involve password behavior, data handling, clean desk issues, tailgating and personally
owned devices that users bring to the workplace. They are not useful for analyzing a hard drive with forensic tools.
B: Disconnecting the system from the network will change the state that the hard drive is in at present,
and as such disconnecting will defeat the purpose of the analysis with forensic tools.
D: Interviewing witnesses concerns the users, not the hard drive that is to be forensically analyzed.
Though important, it refers only to the fact that the sooner you learn about what happened from
witnesses the better, since over time details and recollections can change, and you would want to collect
their thoughts before such changes occur.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 453-454

