During a forensic disk acquisition, the response team must demonstrate that the resulting image is an exact, unaltered copy of the original media. Which of the following techniques BEST provides proof that the data remained unchanged during the acquisition process?
Encrypt the forensic image with AES-256 before it is transferred to analysis systems.
Seal the original drive in an anti-static bag with tamper-evident tape immediately after removal.
Calculate cryptographic hash values of the original drive and the forensic image, then compare them.
Verify the create and modify timestamps of files on the original drive and the image match.
Generating a cryptographic hash (such as SHA-256) of both the original drive and the forensic image and confirming that the two hash values are identical shows, bit-for-bit, that no data was modified during acquisition. Anti-static bags and tamper-evident seals protect physical media but do not verify data contents. Encrypting or compressing the image changes the file and still requires integrity verification afterward. Comparing timestamps only detects coarse changes and can be spoofed, so it is not considered reliable proof of data integrity.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a cryptographic hash function?
Open an interactive chat with Bash
Why is data integrity important in incident response?
Open an interactive chat with Bash
What is the difference between acquisition and analysis in digital forensics?