CompTIA Security Plus Mock Test Q487

A company executive’s laptop was compromised, leading to a security breach. The laptop was placed into storage by a junior system administrator and was subsequently wiped and re-imaged. When it was determined that the authorities would need to be involved, there was little evidence to present to the investigators. Which of the following procedures could have been implemented to aid the authorities in their investigation?

A. A comparison should have been created from the original system’s file hashes
B. Witness testimony should have been taken by the administrator
C. The company should have established a chain of custody tracking the laptop
D. A system image should have been created and stored

Correct Answer: D
Section: Compliance and Operational Security

A system image is a bit-for-bit snapshot of a system's storage as it existed at the moment of capture. If an image of the compromised laptop had been created and stored before the machine was wiped and re-imaged, investigators would still have the original disk contents (files, logs, malware artifacts, deleted-but-unallocated data) to examine, even though the laptop itself no longer holds them.

Incorrect Answers:
A: Hashing is an integrity check, not a preservation step. The hash of the original drive is taken and compared with the hash of the forensic copy to show that the copy being examined has not changed. A comparison built from the original system's file hashes would only show that files had changed; with no stored image to compare against, it gives the authorities nothing to examine. Here the laptop was already compromised and then wiped, so there was nothing left to hash.
B: Witness testimony is less useful than a stored system image because it depends on human memory, whose reliability degrades over time. A stored image does not change as a person's recollection does.
C: A chain of custody record documents everyone who had control of or access to the evidence, from the moment it is collected until it is presented in court. It establishes that evidence was handled properly, but it does not by itself preserve the evidence: a chain of custody for a laptop that has already been wiped and re-imaged would only document the custody of a drive whose original contents are gone.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 102, 104, 105
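The following is an added example, not part of the original question or the cited book, showing the procedure the correct answer describes: acquire a bit-for-bit image of the evidence drive, hash source and image to prove the copy is faithful, and write an acquisition record that a later chain-of-custody review can verify against. The block stands in a constructed sample file for the laptop's disk (a real acquisition would read `/dev/sdX` or a hardware write-blocker), and the log format is a hypothetical one chosen for this example.

```shell
#!/bin/sh
# Added example (not from the source page): forensic image acquisition with
# hash verification and an acquisition record. The evidence "device" is a
# constructed sample file so the script runs offline without a real disk.
set -eu

# Pick a SHA-256 tool: sha256sum (GNU coreutils) or shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed stand-in for the compromised laptop's disk (not real evidence).
make_sample_device() {
    { printf 'constructed sample: executive laptop disk\n'
      dd if=/dev/zero bs=1024 count=64 2>/dev/null; } > "$1"
}

# acquire_image SRC IMG LOG
# Bit-for-bit copy of SRC into IMG, then hash both and compare. Appends a
# record (hypothetical format) to LOG and returns 0 only if the hashes match.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    # On failing media add conv=noerror,sync (skip unreadable sectors and pad
    # them with zeros); that padding is expected to differ from the source, so
    # note any read errors in the record rather than treating them as tampering.
    dd if="$src" of="$img" bs=4096 2>/dev/null
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    printf '%s source=%s image=%s sha256=%s operator=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$img_hash" \
        "${USER:-unknown}" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG LOG
# Recompute the image hash and compare it with the value recorded at
# acquisition; this is the check an investigator runs before trusting a stored
# image, and it fails if the image was altered after the record was written.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep "image=$img " "$log" | tail -n 1 |
               sed 's/.*sha256=\([0-9a-f]*\).*/\1/')
    [ -n "$recorded" ] && [ "$(sha256_of "$img")" = "$recorded" ]
}

# Demo run in a temporary directory using the constructed device.
work=$(mktemp -d)
make_sample_device "$work/sdX"
acquire_image "$work/sdX" "$work/laptop.dd" "$work/acquisition.log"
verify_image "$work/laptop.dd" "$work/acquisition.log" && echo "image verified"
cat "$work/acquisition.log"
```

The record written by `acquire_image` is what the chain of custody attaches to: each later hand-off re-runs `verify_image` and signs off against the same hash, so a stored image can be shown unchanged months after the laptop itself was re-imaged.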