During an investigation following a security breach, an analyst is tasked with identifying the source of the intrusion. Which of the following is the BEST method for the analyst to maintain the integrity of the evidence?
Generating a timestamp for each file on the system immediately upon acquisition.
Taking images of the system to be reviewed by the security team.
Creating a cryptographic hash of the storage media before analysis.
Making several copies of the system's database for cross-reference.
Creating a hash of the storage media ensures that any data retrieved remains unchanged from its original state. By comparing the initial hash value with a subsequent one, any changes to the data can be identified, thereby confirming the data's integrity throughout the analysis. Images and copies of the system, while useful for analysis, do not directly maintain the integrity of the original evidence. While timestamps can provide information about when data was created or modified, they do not protect or verify the integrity of the evidence.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a cryptographic hash and why is it important in digital forensics?
Open an interactive chat with Bash
What tools or methods are commonly used to create cryptographic hashes?
Open an interactive chat with Bash
What other methods can be used alongside cryptographic hashing to ensure data integrity?