CompTIA Security Plus Mock Test Q287

Which of the following should Jane, a security administrator, perform before a hard drive is analyzed with forensics tools?

A. Identify user habits
B. Disconnect system from network
C. Capture system image
D. Interview witnesses

Correct Answer: C
Section: Compliance and Operational Security

Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. Very much as helpful in same way that a virus sample is kept in laboratories to study later after a breakout. Also you should act in the order of volatility which states that the system image capture is first on the list of a forensic analysis.

Incorrect Answers:
A: User habits involves password behavior, data handling, clean desk issues, tail gating and personally owned devices that they bring to the workplace. Not useful to analyze a hard drive with forensic tools.
B: Disconnecting the system from the network will change the state that the hard drive is in at present and as such disconnecting will defeat the purpose of the analysis with forensic tools.
D: Interviewing witnesses would be the users and not the hard drive which is to be forensically analyzed. Though important, it just refers to the fact that the sooner you learn about what happened from witnesses the better since over time, details and reflections can change and you would want to collect their thoughts before such changes occur.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 453-454