PrepAway - Latest Free Exam Questions & Answers

When creating a forensic image of a hard drive, which of the following should be the FIRST step?

When creating a forensic image of a hard drive, which of the following should be the FIRST step?

A. Identify a recognized forensics software tool to create the image.

B. Establish a chain of custody log.

C. Connect the hard drive to a write blocker.

D. Generate a cryptographic hash of the hard drive contents.

Explanation:

The first step in any investigation requiring the creation of a forensic image should always be to maintain the chain of custody. Identifying a recognized forensics software tool to create the image is one of the important steps, but it should come after several of the other options. Connecting the hard drive to a write blocker is an important step, but it must be done after the chain of custody has been established. Generating a cryptographic hash of the hard drive contents is another important step, but one that comes after several of the other options.


Leave a Reply