CompTIA Security Plus Mock Test Q285

An incident response team member needs to perform a forensics examination but does not have the required hardware. Which of the following will allow the team member to perform the examination with minimal impact to the potential evidence?

A. Using a software file recovery disc
B. Mounting the drive in read-only mode
C. Imaging based on order of volatility
D. Hashing the image after capture


Correct Answer: B
Section: Compliance and Operational Security

Explanation:
Mounting the drive in read-only mode will prevent any executable commands from being executed. This is turn will have the least impact on potential evidence using the drive in question.

Incorrect Answers:
A: A software file recovery disk will restore whatever was changed or modified to its operational saved state and thus tamper with evidence which is contrary to what is required from the team member.
C: Images are used to restore operating systems and applications because it involves snapshots of what exists on the hardware. The team member is supposed to perform a forensic procedure with that very same hardware.
D: Hashing the image after capture will preserve that which exists at the moment and in this case the team member must run a forensic procedure using the very same hardware.

References:
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 453-454, 461