CompTIA Security Plus Mock Test Q289

To ensure proper evidence collection, which of the following steps should be performed FIRST?

A. Take hashes from the live system
B. Review logs
C. Capture the system image
D. Copy all compromised files

Correct Answer: C
Section: Compliance and Operational Security

Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. This is essential since the collection of evidence process may result in some mishandling and changing the exploited state.

Incorrect Answers:
A: Hashes helps to be able to illustrate the situation and should be done prior to an incident where evidence is to be collected. NIST (the National Institute of Standards and Technology) maintains a National Software Reference Library (NSRL). One of the purposes of the NSRL is to collect “known, traceable software applications” through their hash values and store them in a Reference Data Set (RDS). The RDS can then be used by law enforcement, government agencies, and businesses to determine which files are important as evidence in criminal investigations. However, according to the order of volatility the first task should be to capture the system image.
B: Review logs are part of collection of evidence, but in order of volatility it comes into the equation after system images have been captured.
D: You first need to know which files were compromised to be able to copy compromised files.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 453-454