PrepAway - Latest Free Exam Questions & Answers

To ensure proper evidence collection, which of the following steps should be performed FIRST?

A.
Take hashes from the live system

B.
Review logs

C.
Capture the system image

D.
Copy all compromised files

Explanation:
Capturing an image of the system in its exploited state preserves that state so the investigation can be
revisited after the fact. It must come first because the collection steps that follow (reading logs, hashing,
copying files) all touch the running system and can themselves alter the exploited state or the evidence on it.
Strictly, the order of volatility puts registers, cache and memory ahead of disk; none of the options covers
those, so among the choices offered the system image is the first task.
Incorrect Answers:
A: Hashes are used to show that evidence has not changed since it was collected, so they are computed on the
acquired image and re-verified later; hashing files on the live system records a state the system may change a
moment later, and known-good baseline hashes belong to preparation before an incident, not to the first
collection step. NIST (the National Institute of Standards and Technology) maintains the National Software
Reference Library (NSRL). One purpose of the NSRL is to collect "known, traceable software applications"
through their hash values and store them in a Reference Data Set (RDS). Law enforcement, government agencies
and businesses use the RDS to identify known files on a seized system and filter them out, so that
examination focuses on the files that matter as evidence in criminal investigations. In the order of
volatility, though, the first task is to capture the system image.
B: Reviewing logs is part of evidence collection, but in the order of volatility it comes after the system
image has been captured; reading logs on the live system also updates file access metadata.
D: You first need to know which files were compromised before you can copy them, and that is only learned
from analysis; copying selected files also leaves behind the unallocated space, deleted data and file-system
metadata that a full image preserves.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 453-454
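The acquisition order above, as a worked example added here (it is not part of the PrepAway page or the cited study guide): a POSIX shell script that images a source with dd, hashes source and image with sha256sum, writes both hashes to a custody log, marks the image read-only, and then shows that later activity on the live source changes its hash while the image still verifies. The source is a constructed 8 KiB sample file standing in for a device such as /dev/sdb; the paths, the log format and the function names are assumptions for this illustration, and GNU dd and sha256sum are assumed. On a real system the script would run from a write-blocked forensic workstation with the device path as the source.

```shell
#!/bin/sh
# Added example, not from the exam page. Acquire an image, hash it, log it,
# then verify it after the live system has moved on.
set -eu

# capture_image SRC DST LOG: block-copy SRC to DST, hash both, append the
# hashes to LOG, and return 0 only if the image hash equals the source hash.
capture_image() {
    src="$1"; dst="$2"; log="$3"
    # Plain block copy with no padding (no conv=sync), so the image is
    # byte-for-byte identical to the source and their hashes can be compared.
    dd if="$src" of="$dst" bs=4096 2>/dev/null
    chmod 0444 "$dst"                      # the image is never written again
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # Assumed custody-log layout: one line per artefact, UTC timestamp first.
    printf '%s acquired source=%s sha256=%s\n' "$ts" "$src" "$src_hash" >> "$log"
    printf '%s image=%s sha256=%s\n' "$ts" "$dst" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# image_hash FILE: print the SHA-256 of FILE (what gets recorded and re-checked).
image_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image FILE EXPECTED: return 0 if FILE still hashes to EXPECTED.
verify_image() {
    [ "$(image_hash "$1")" = "$2" ]
}

# --- demonstration on a constructed sample "device" ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/sdb.sample"          # constructed stand-in for a device like /dev/sdb
IMG="$WORK/sdb.raw"
LOG="$WORK/custody.log"

# 8 KiB of known content; the exact bytes do not matter, only that they are fixed.
yes "evidence-sample-block" | head -c 8192 > "$SRC"

capture_image "$SRC" "$IMG" "$LOG"
ORIGINAL=$(image_hash "$IMG")

# Simulate work on the live system after acquisition (a log rotates, a file is
# touched). The source no longer matches, the image still does: this is why the
# image is captured before logs are reviewed or files are copied.
printf 'log rotated\n' >> "$SRC"
verify_image "$IMG" "$ORIGINAL" && echo "image unchanged: $ORIGINAL"
verify_image "$SRC" "$ORIGINAL" || echo "live source no longer matches the recorded hash"
cat "$LOG"
```

Re-running verify_image against the recorded hash is the check an examiner performs every time the image is opened; a mismatch means the image, not the original evidence, is what has to be explained.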
