CompTIA Security Plus Mock Test Q299

The security manager received a report that an employee was involved in illegal activity and has saved data to a workstation’s hard drive. During the investigation, local law enforcement’s criminal division confiscates the hard drive as evidence. Which of the following forensic procedures is involved?

A. Chain of custody
B. System image
C. Take hashes
D. Order of volatility

Correct Answer: A
Section: Compliance and Operational Security

Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been.

Incorrect Answers:
B: A system image is a snapshot of what exists on a system. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. In this case the evidence has been confiscated, which means that the procedure involved is the chain of custody.
C: Taking hashes is part of collecting data so that the situation can be illustrated if the need arises. In this case evidence has been confiscated, and the chain of custody becomes the important issue.
D: Acting in order of volatility (OOV) matters when dealing with multiple issues: you should address them in order of volatility, always dealing with the most volatile first. In this case there is only one incident and one piece of evidence, which has been confiscated, so the chain of custody must be observed.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 448, 453, 454