CompTIA Security Plus Mock Test Q288

Computer evidence at a crime scene is preserved by making an exact copy of the hard disk. Which of the following does this illustrate?

A. Taking screenshots
B. System image capture
C. Chain of custody
D. Order of volatility

Correct Answer: B
Section: Compliance and Operational Security

A system image is a snapshot of what exists at that moment. Capturing an image of the operating system in its exploited state can therefore be helpful in revisiting the issue after the fact to learn more about it.

Incorrect Answers:
A: Taking screenshots is akin to capturing video; the aim is to capture all relevant screens for later analysis.
C: Chain of custody is observed to ensure that each step taken with evidence is documented and accounted for from the point of collection.
D: Order of volatility helps when dealing with multiple issues. Volatility refers to the time that you have to collect certain data before that window of opportunity is closed, because some data will exist longer than others.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 453