During a digital forensics investigation into a server suspected of hosting illicit materials, an investigator needs to collect evidence from the primary storage drive. To best ensure the collected data's integrity and admissibility in legal proceedings, which of the following actions should be performed?
Boot the server using a forensic live CD and copy all user-generated files to an external drive.
Remove the drive from the server and connect it to a forensic workstation to run a data recovery tool.
Create a bit-for-bit copy of the original drive onto sterile media and calculate cryptographic hashes of both.
Document the system time from the BIOS and take photographs of the running processes on the screen.
The most reliable and forensically sound method is to create a bit-for-bit copy (also known as a physical or forensic image) of the original drive. This process captures all data, including allocated files, deleted files, and data in unallocated space, without altering the original media, especially when a write-blocker is used. Calculating cryptographic hashes of both the original drive and the created image and confirming they match is a critical step to verify that the copy is an exact duplicate, thereby preserving evidence integrity. Copying only user-generated files (a logical acquisition) is incomplete. Documenting volatile system information is important but addresses a different type of evidence (volatile data) and does not preserve the storage drive itself. Simply connecting the drive to a workstation without first creating a verified image risks altering the original evidence.
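The acquire-and-verify step described in the explanation, as an added example that is not part of the original question. The function names `hash_of`, `acquire` and `verify_image` are hypothetical, SHA-256 is an assumed choice of hash, and GNU `dd` and `sha256sum` are assumed to be available.

```sh
#!/bin/sh
# Added example (hypothetical helper names). Assumes GNU coreutils: dd, sha256sum.
# SRC would be the evidence drive attached through a write-blocker; the script
# cannot enforce that, it can only show that SRC hashed the same before and after.

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# acquire SRC IMG LOG: bit-for-bit copy, hash both sides, record the result.
# Returns 0 on a verified image, 1 on a hash mismatch, 2 on a usage or I/O error.
acquire() {
    src=$1; img=$2; log=$3
    [ -r "$src" ] || { echo "cannot read source: $src" >&2; return 2; }
    [ -e "$img" ] && { echo "target exists, not overwriting: $img" >&2; return 2; }
    before=$(hash_of "$src") || return 2
    dd if="$src" of="$img" bs=1M status=none || return 2
    chmod a-w "$img"                      # the image is evidence too
    copy=$(hash_of "$img") || return 2
    after=$(hash_of "$src") || return 2
    {
        echo "utc=$(date -u +%Y-%m-%dT%H:%M:%SZ) src=$src img=$img"
        echo "sha256_source_before=$before"
        echo "sha256_source_after=$after"
        echo "sha256_image=$copy"
    } >> "$log"
    if [ "$before" = "$copy" ] && [ "$before" = "$after" ]; then
        echo "result=MATCH" >> "$log"; return 0
    fi
    echo "result=MISMATCH" >> "$log"; return 1
}

# verify_image IMG LOG: re-hash IMG later and compare with the logged digest.
verify_image() {
    want=$(grep '^sha256_image=' "$2" | tail -n 1 | cut -d= -f2)
    [ -n "$want" ] && [ "$(hash_of "$1")" = "$want" ]
}

# Constructed demo: a 64 KiB file of random bytes stands in for the drive.
demo() {
    d=$(mktemp -d)
    head -c 65536 /dev/urandom > "$d/drive.bin"
    acquire "$d/drive.bin" "$d/drive.img" "$d/acquire.log" && cat "$d/acquire.log"
    rm -rf "$d"
}
demo
```

Hashing the source both before and after the copy is what shows the original was not altered during acquisition; the logged image digest lets anyone re-verify the copy later with `verify_image`.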
ISC2 CISSP
Security Operations