In the process of gathering evidence from a computer attack, a system administrator took a series of actions
which are listed below. Can you identify which one of these actions has compromised the whole evidence
collection process?
A. Using a write blocker
B. Made a full-disk image
C. Created a message digest for log files
D. Displayed the contents of a folder
Explanation:
The original media should have two copies created: a primary image (a control copy that is stored in a library)
and a working image (used for analysis and evidence collection). These should be timestamped to show when
the evidence was collected. Displaying the contents of a folder would affect the original media, and would
compromise the evidence collection process.
Incorrect Answers:
A: A write blocker would be a step to secure the integrity of the media.
B: Making a full-disk image would be a part of the investigation process.
C: To create a message digest for log files would be part of the documentation.

Reference: Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1049