When creating a forensic image of a hard drive, which of the following should be the FIRST step?
A. Identify a recognized forensics software tool to create the image.
B. Establish a chain of custody log.
C. Connect the hard drive to a write blocker.
D. Generate a cryptographic hash of the hard drive contents.
Explanation:
The first step in any investigation requiring the creation of a forensic image should always be to
maintain the chain of custody. Identifying a recognized forensics software tool to create the image
is one of the important steps, but it should come after several of the other options. Connecting the
hard drive to a write blocker is an important step, but it must be done after the chain of custody
has been established. Generating a cryptographic hash of the hard drive contents is another
important step, but one that comes after several of the other options.