During a forensic disk acquisition, the response team must demonstrate that the resulting image is an exact, unaltered copy of the original media. Which of the following techniques BEST provides proof that the data remained unchanged during the acquisition process?
Seal the original drive in an anti-static bag with tamper-evident tape immediately after removal.
Verify the create and modify timestamps of files on the original drive and the image match.
Encrypt the forensic image with AES-256 before it is transferred to analysis systems.
Calculate cryptographic hash values of the original drive and the forensic image, then compare them.
Generating a cryptographic hash (such as SHA-256) of both the original drive and the forensic image and confirming that the two hash values are identical shows, bit-for-bit, that no data was modified during acquisition. Anti-static bags and tamper-evident seals protect physical media but do not verify data contents. Encrypting or compressing the image changes the file and still requires integrity verification afterward. Comparing timestamps only detects coarse changes and can be spoofed, so it is not considered reliable proof of data integrity.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a cryptographic hash and why is it used in forensic imaging?
Open an interactive chat with Bash
Why isn't sealing the drive with tamper-evident tape enough to ensure data integrity?
Open an interactive chat with Bash
Why are timestamps not reliable for ensuring forensic image integrity?