A security modern may have occurred on the desktop PC of an organization’s Chief Executive Officer (CEO) A duplicate copy of the CEO’s hard drive must be stored securely to ensure appropriate forensic processes and the chain of custody are followed.
Which of the following should be performed to accomplish this task?
A . Install a new hard drive in the CEO’s PC, and then remove the old hard drive and place it in a tamper-evident bag
B . Connect a write blocker to the hard drive Then leveraging a forensic workstation, utilize the dd command m a live Linux environment to create a duplicate copy
C . Remove the CEO’s hard drive from the PC, connect to the forensic workstation, and copy all the contents onto a remote fileshare while the CEO watches
D . Refrain from completing a forensic analysts of the CEO’s hard drive until after the incident is confirmed, duplicating the hard drive at this stage could destroy evidence
Answer: D