When creating a forensic image of a hard drive, which of the following should be the FIRST step?
A. Identify a recognized forensics software tool to create the image.
B. Establish a chain of custody log.
C. Connect the hard drive to a write blocker.
D. Generate a cryptographic hash of the hard drive contents.
Answer: B
Explanation:
The first step in any investigation requiring the creation of a forensic image should always be to maintain the chain of custody. Identifying a recognized forensics software tool to create the image is one of the important steps, but it should come after several of the other options. Connecting the hard drive to a write blocker is an important step, but it must be done after the chain of custody has been established. Generating a cryptographic hash of the hard drive contents is another important step, but one that comes after several of the other options.