After acquiring a bit-stream image of a suspect hard drive, which of the following actions BEST ensures that the image can later be proven to be an exact, unaltered copy of the original evidence?
Compress the image to reduce its size before archiving it to long-term storage.
Store the image on a writable external drive that is protected by file-system permissions.
Calculate and document a cryptographic hash (e.g., SHA-256) of the image and verify it whenever the evidence is accessed.
Encrypt the image with a symmetric key known only to the investigative team.
Generating and recording a cryptographic hash (for example, SHA-256) immediately after imaging provides a unique digital fingerprint of the evidence. Any future alteration-no matter how small-would cause the hash to change, allowing investigators and the court to verify the image's integrity at every stage of the investigation. Encryption protects confidentiality but does not in itself prove that the data is unchanged. File-system permissions help control access but cannot detect tampering once the media is writable. Compression rewrites the data and therefore alters the original bit-level contents, destroying forensic soundness.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a hash value and how is it generated?
Open an interactive chat with Bash
Why is the integrity of evidence crucial in a forensic investigation?
Open an interactive chat with Bash
What are the implications if the hash value changes?