During the containment phase of an incident response, a security analyst is instructed to preserve evidence from a Linux web server that was shut down after detecting outbound connections to a known command-and-control domain. Legal counsel emphasizes that any mistake during acquisition could render the evidence inadmissible in future civil litigation. The analyst has removed the 2 TB SATA drive and placed it in a forensic lab equipped with hardware write blockers, sterile destination media, and imaging software such as FTK Imager and dd. Which of the following actions will BEST satisfy forensic best practices for creating a defensible copy of the drive?
Boot the server with a trusted live CD and use rsync to copy only the /var and /home directories to an external USB drive
Perform a hypervisor-level snapshot of the virtual machine and export it to the SOC's NAS appliance
Attach the drive to a hardware write blocker and create a sector-by-sector (bit-for-bit) image while recording cryptographic hash values
Enable an LVM snapshot and run dd over SSH to stream the snapshot to a network-attached storage target
Attaching the physical disk to a hardware write blocker prevents any write commands from reaching the original media. Imaging tools can then create a sector-by-sector duplicate that captures active, deleted, and unallocated data. Cryptographic hash values calculated before and after imaging prove that the copy exactly matches the source, satisfying chain-of-custody and authenticity requirements for courtroom admissibility. The other options either mount the original system read/write, transmit data over the network without write protection, or create hypervisor snapshots that may omit unallocated sectors; each would risk altering or omitting evidence and could be challenged in court.
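The acquire-and-verify steps described above, scripted with dd and sha256sum as an added example (not part of the original question or any vendor tool): a regular file stands in for the evidence drive behind the write blocker, and the device name /dev/sdb in the comments is assumed.

```shell
set -eu

# Defensible acquisition: SRC is the evidence device (e.g. /dev/sdb behind a
# hardware write blocker); DEST is sterile destination media; LOG records the
# hashes and dd's record counts for the chain-of-custody file.
image_disk() {
    src=$1; dest=$2; log=$3
    pre=$(sha256sum "$src" | cut -d' ' -f1)            # hash before imaging
    # bs=512 matches the sector size, so conv=noerror,sync zero-fills only a
    # single unreadable sector and never pads the end of the image (a larger
    # bs with conv=sync pads the last block and breaks the hash comparison).
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log"
    post=$(sha256sum "$src" | cut -d' ' -f1)           # source untouched?
    img=$(sha256sum "$dest" | cut -d' ' -f1)           # image bit-identical?
    printf 'source=%s\npre_hash=%s\npost_hash=%s\nimage_hash=%s\n' \
        "$src" "$pre" "$post" "$img" >>"$log"
    [ "$pre" = "$post" ] && [ "$pre" = "$img" ]
}

# Later verification (before analysis, or when admissibility is challenged):
# re-hash the image and compare with the value recorded at acquisition.
verify_image() {
    dest=$1; log=$2
    recorded=$(sed -n 's/^image_hash=//p' "$log" | tail -n 1)
    [ "$(sha256sum "$dest" | cut -d' ' -f1)" = "$recorded" ]
}

# Offline demo on a constructed 64 KiB "drive" of random bytes (not evidence).
demo() {
    work=$(mktemp -d)
    head -c 65536 /dev/urandom > "$work/evidence.dd"   # constructed stand-in
    image_disk "$work/evidence.dd" "$work/image.raw" "$work/acq.log"
    verify_image "$work/image.raw" "$work/acq.log"
    # A single altered byte in the image must be detected by verification.
    printf 'X' | dd of="$work/image.raw" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$work/image.raw" "$work/acq.log"; then return 1; fi
    rm -rf "$work"
}
```

Run `demo` to see the workflow end to end; in a real lab the pre- and post-acquisition hashes would also be written on the evidence form together with the write blocker's serial number.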