In the initial stages of an incident response, Matt, the security administrator, was provided the hard drives in question from the incident manager. Which of the following incident response procedures would he need to perform in order to begin the analysis? (Select TWO).
A. Take hashes
B. Begin the chain of custody paperwork
C. Take screen shots
D. Capture the system image
E. Decompile suspicious files
The first thing here is that Matt received a drive and needs to record the time received, etc., i.e. the chain of custody.
Then take a hash of the drive before doing anything with the data, so as to be able to confirm the condition of the drive upon receipt, unaltered.
Next I would make a copy of the drive so as to be able to reconstruct events, working with the copy and leaving the original completely intact.
Then I would view the drive and start decompiling suspicious files.
1) chain of custody (established due to the drive changing hands; must be recorded)
2) hash the hard drive before any work is done (proves the condition of the data prior to any diagnosis, etc.)
3) do a bit copy of the data to another drive (never work on the original evidence drive)
4) start forensics on the drive with the copy of the original data
5) all of this needs to be documented
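The ordered steps that both comments above describe (record receipt, hash the original, make a verified bit copy, confirm the original is untouched, document everything) as a worked example. This is added code, not from the thread or any named forensic tool; the function names, the in-memory `SAMPLE_DRIVE` standing in for the received disk, and the custody-log layout are all assumptions for illustration.

```python
"""Evidence intake walkthrough (added example, not from the original thread).

An in-memory byte string stands in for the received drive; a real acquisition
would read the block device through a write blocker. All names here are
illustrative assumptions, not a forensic suite's API.
"""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 64 * 1024

# Constructed sample "drive" contents (not real disk data).
SAMPLE_DRIVE = b"BOOT" + bytes(range(256)) * 512 + b"END-OF-DISK"


def custody_entry(log, action, actor, detail=""):
    """Append one chain-of-custody record: who did what to the evidence, when."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "actor": actor,
        "detail": detail,
    }
    log.append(entry)
    return entry


def hash_stream(stream, algo="sha256"):
    """Hash a seekable stream in chunks, so drives larger than RAM work."""
    h = hashlib.new(algo)
    stream.seek(0)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def image_evidence(source, destination):
    """Bit-for-bit copy of source into destination, hashing both sides.

    The acquisition hash is taken from the bytes as they are read; the
    verification hash re-reads the finished copy independently. Both must
    match before any analysis is done on the copy.
    """
    acq = hashlib.sha256()
    source.seek(0)
    destination.seek(0)
    for block in iter(lambda: source.read(CHUNK), b""):
        acq.update(block)
        destination.write(block)
    destination.flush()
    acquisition_hash = acq.hexdigest()
    verification_hash = hash_stream(destination)
    return acquisition_hash, verification_hash, acquisition_hash == verification_hash


def receive_and_image(drive_bytes, actor="Matt"):
    """Run the intake steps in order; return (custody log, original hash, working copy)."""
    log = []
    original = io.BytesIO(drive_bytes)
    # 1) Chain of custody: record receipt before touching the data.
    custody_entry(log, "received", actor, "drive handed over by incident manager")
    # 2) Hash the original before any work is done.
    original_hash = hash_stream(original)
    custody_entry(log, "hashed-original", actor, f"sha256={original_hash}")
    # 3) Bit copy to a separate destination; the original is never analysed.
    working_copy = io.BytesIO()
    acq_hash, ver_hash, ok = image_evidence(original, working_copy)
    custody_entry(log, "imaged", actor,
                  f"acq={acq_hash} verify={ver_hash} match={ok}")
    if not ok or acq_hash != original_hash:
        raise RuntimeError("image does not match original; do not proceed")
    # 4) Re-hash the original after imaging to show it was left intact.
    post_hash = hash_stream(original)
    custody_entry(log, "verified-original-unaltered", actor,
                  f"match={post_hash == original_hash}")
    # 5) The log itself is the documentation; analysis proceeds on working_copy.
    return log, original_hash, working_copy


if __name__ == "__main__":
    log, digest, copy = receive_and_image(SAMPLE_DRIVE)
    for e in log:
        print(e["time"], e["action"], e["detail"])
```

Hashing the copy by re-reading it, rather than trusting the hash computed while writing, is what catches a bad destination disk or a truncated write; the matching pre- and post-imaging hashes of the original are the evidence that the source was not altered while in the examiner's hands.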