An incident response team member needs to perform a forensics examination but does not have the
required hardware. Which of the following will allow the team member to perform the examination with
minimal impact to the potential evidence?

A.
Using a software file recovery disc

B.
Mounting the drive in read-only mode

C.
Imaging based on order of volatility

D.
Hashing the image after capture

Explanation:
Mounting the drive in read-only mode will prevent any executable commands from being executed. This
is turn will have the least impact on potential evidence using the drive in question.
Incorrect Answers:
A: A software file recovery disk will restore whatever was changed or modified to its operational saved
state and thus tamper with evidence which is contrary to what is required from the team member.
C: Images are used to restore operating systems and applications because it involves snapshots of what
exists on the hardware. The team member is supposed to perform a forensic procedure with that very
same hardware.
D: Hashing the image after capture will preserve that which exists at the moment and in this case the
team member must run a forensic procedure using the very same hardware.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 453-454, 461