ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
You acquire a bit-by-bit image of a compromised production server for legal investigation. To preserve evidence integrity and maintain a defensible chain of custody, which action should you perform and record before any further examination of the image?
Run a memory forensics tool on the live system to capture volatile data.
Perform a timeline analysis of file system artifacts on the mounted image.
Compress the image with a lossless algorithm to speed subsequent transfers.
Calculate and document identical cryptographic hash values for the source drive and the acquired image.
Immediately after creating a forensic image, investigators calculate a cryptographic hash (for example, SHA-256) of both the original media and the image file. Matching hashes prove the image is an exact, untampered copy, satisfying evidentiary integrity requirements. Running memory tools, performing timeline analysis, or compressing the image may all be useful later, but none establish initial integrity or satisfy chain-of-custody documentation.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a cryptographic hash, and why is it important in preserving evidence integrity?
Open an interactive chat with Bash
What is the chain of custody, and why must it be maintained in digital investigations?
Open an interactive chat with Bash
Why is calculating a hash value prioritized over other analyses like timeline or memory forensics initially?
Open an interactive chat with Bash
What is a cryptographic hash and why is it used in forensics?
Open an interactive chat with Bash
What is the chain of custody and how does it relate to evidence preservation?
Open an interactive chat with Bash
Why is compressing a forensic image not suitable for preserving integrity?
Open an interactive chat with Bash
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)