ISC2 CISSP Practice Question

The correct answer is creating a bit-by-bit image using write blockers. When performing digital forensics, maintaining evidence integrity is paramount. A bit-by-bit image (also called a forensic image or bitstream copy) creates an exact duplicate of the original media at the binary level, including deleted files, slack space, and unallocated space. Write blockers are hardware or software tools that prevent any modifications to the original evidence during the imaging process, ensuring that the original data remains unchanged and maintaining the chain of custody. This approach preserves the integrity of the evidence and follows proper forensic procedures.

Hashing the original and the copy ensures that they are identical, which is part of the verification process but not the primary imaging method. Taking screenshots provides only visual evidence of visible data but doesn't capture hidden or deleted data. Running a virus scan on the original drive would potentially modify file access times and could destroy evidence, violating a fundamental principle of digital forensics: do not alter the original evidence.