which one of these actions has compromised the whole ev…

In the process of gathering evidence from a computer attack, a system administrator took a series of actions
which are listed below. Can you identify which one of these actions has compromised the whole evidence
collection process?


A. Using a write blocker

B. Made a full-disk image

C. Created a message digest for log files

D. Displayed the contents of a folder

Explanation:
Two copies of the original media should be created: a primary image (a control copy that is stored in a library)
and a working image (used for analysis and evidence collection). These should be timestamped to show when
the evidence was collected. Displaying the contents of a folder would affect the original media, and would
compromise the evidence collection process.

Incorrect Answers:
A: A write blocker would be a step to secure the integrity of the media.
B: Making a full-disk image would be a part of the investigation process.
C: Creating a message digest for log files would be part of the documentation.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1049


