ExamTopics Logo
Mail Us[email protected]
Menu
Comptia Discussions
exam questions

Exam SY0-601 All Questions

View all questions & answers for the SY0-601 exam
Go to Exam

Exam SY0-601 topic 1 question 663 discussion

Actual exam question from CompTIA's SY0-601
Question #: 663
Topic #: 1
[All SY0-601 Questions]

A security incident may have occurred on the desktop PC of an organization's Chief Executive Officer (CEO). A duplicate copy of the CEO's hard drive must be stored securely to ensure appropriate forensic processes and the chain of custody are followed. Which of the following should be performed to accomplish this task?

  • A. Install a new hard drive in the CEO's PC, and then remove the old hard drive and place it in a tamper-evident bag.
  • B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy.
  • C. Remove the CEO's hard drive from the PC, connect to the forensic workstation, and copy all the contents onto a remote fileshare while the CEO watches.
  • D. Refrain from completing a forensic analysis of the CEO's hard drive until after the incident is confirmed; duplicating the hard drive at this stage could destroy evidence.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by mpengly88 at Sept. 15, 2023, 9:33 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
mpengly88
Highly Voted 1 year, 8 months ago
Selected Answer: B
B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy. This option reflects the correct approach to creating a forensic copy of a hard drive. By using a write blocker, you ensure that no data is written to the original drive during the copying process, which might change the drive's state and potentially destroy evidence, contradicting the main principle of digital forensic analysis—to cause as little change as possible to the original data. Answer A could change data on the disk while changing the hard drive, compromising the integrity of the data. Answer C is not a valid process since the hard drive needs to be connected to a forensic workstation with a write blocker, not merely copying the files. Finally, Answer D is incorrect because creating a forensic copy as early as possible helps to preserve the evidence; the copy can be used for detailed analysis, not the original drive.
upvoted 8 times
...
shady23
Most Recent 1 year ago
Selected Answer: B
B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy.
upvoted 2 times
...
Geronemo
1 year ago
Selected Answer: B
Option B is the correct choice: Here's why: Write blocker: Connecting a write blocker to the hard drive ensures that no data can be written to the drive during the duplication process, preserving the integrity of the original evidence. Forensic workstation: Using a forensic workstation ensures that the duplication process is conducted in a controlled environment designed for forensic analysis, minimizing the risk of tampering or data alteration. dd command: The dd command is a reliable tool for creating bit-for-bit copies of storage devices. When used in a live Linux environment with the write blocker, it can create a duplicate copy of the CEO's hard drive without modifying the original data.
upvoted 2 times
...
Raven1366
1 year, 4 months ago
Selected Answer: B
Its definitely B but am considering C as well so he can sit next to you and be reprimanded for the whole duration of dd for being a bad boy and clicking on the free spreadsheet training link.
upvoted 3 times
...
fercho2023
1 year, 7 months ago
Definitively Yes Option B. Definitory Not, Option D.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel