CompTIA Security Plus Mock Test Q308

In the initial stages of an incident response, Matt, the security administrator, was provided the hard drives in question from the incident manager. Which of the following incident response procedures would he need to perform in order to begin the analysis? (Select TWO).

A. Take hashes
B. Begin the chain of custody paperwork
C. Take screen shots
D. Capture the system image
E. Decompile suspicious files

Correct Answer: A,D
Section: Compliance and Operational Security

Explanation:
A: Take Hashes. NIST (the National Institute of Standards and Technology) maintains a National Software Reference Library (NSRL). One of the purposes of the NSRL is to collect “known, traceable software applications” through their hash values and store them in a Reference Data Set (RDS). The RDS can then be used by law enforcement, government agencies, and businesses to determine which fi les are important as evidence in criminal investigations.
D: A system image is a snapshot of what exists. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it.

Incorrect Answers:
B: Starting the chain of custody paperwork by the security administrator would be null and void since the evidence involved has already been removed from the scene and he would not know where it has been and who had in until it was given to him.
C: Taking screen shots may be too late since it is only the hard drives in question that were handed to the security administrator by the incident manager. We could assume that the incident manager probably already took screenshots.
E: Decompile suspicious files can only happen when the hard drives are mounted.

References:
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 453-454