Some hard disks need to be taken as evidence for further analysis during an incident response. Which of the following procedures must be completed FIRST for this type of evidence acquisition?
A. Extract the hard drives from the compromised machines and then plug them into a forensics machine to apply encryption over the stored data to protect it from nonauthorized access.
B. Build the chain-of-custody document, noting the media model, serial number, size, vendor, date, and time of acquisition.
C. Perform a disk sanitization using the command #dd if=/dev/zero of=/dev/sdc bs=1M over the media that will receive a copy of the collected data.
D. Execute the command #dd if-/dev/sda of=/dev/sdc bs=512 to clone the evidence data to external media to prevent any further change.
D is so wrong, this command is going to nuke the drive, and no data will be copied.
Chain of custody should be done before taking a copy of data, because this defines what tools were used to obtain the data/who handled the copying. This is a crucial step for submitting data to court because this can help (along with hashing obv) prove the integrity of data.
I need to go with D as first priority is preservation of evidence: create a mirror image of the disk, preserve the original, probably even create a hash value. B also has a lot of weighting so it is a bit chicken and egg here.
In my experience, that command will not be admissible if there is litigation. Using DD, you typically have to manually tell it to hash the copy. That command does not do hashing.
B for sure. You need to know who handled the device and what the device is etc. before cloning it. Also, if you want to get technical, you'd want to use a write blocker before anything because simply plugging it into something can change the drive. After write blocking, then you can consider imaging the disk.
Suppose you want to create an exact image of an entire disk of data that's been designated as /dev/sda. You've plugged in an empty drive (ideally having the same capacity as your /dev/sda system). The syntax is simple: if= defines the source drive and of= defines the file or location where you want your data saved:
# dd if=/dev/sda of=/dev/sdb
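The comments above raise three points that a plain dd clone does not cover by itself: the chain-of-custody record, the hash that proves the image matches the source, and the exact if=/of= syntax. The script below is an added example, not from the question or any of the posters, that ties those together: it records a custody entry, images the source with dd, and verifies the copy by comparing SHA-256 hashes. The "disk" is a constructed file so it runs offline; the handler name, model and serial are placeholders, and it assumes either sha256sum or shasum is installed. On a real case the source would be a block device behind a write blocker.

```shell
#!/bin/sh
# Added example: acquisition routine with custody record and hash verification.
# Not part of the original page; the source "disk" below is a constructed file.
set -u

# Portable SHA-256 (assumption: GNU coreutils sha256sum or BSD/Perl shasum exists).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Append a chain-of-custody entry. Handler/model/serial are placeholder values.
# Usage: coc_record <logfile> <source> <image> <hash_before> <hash_after>
coc_record() {
    log=$1; src=$2; img=$3; h1=$4; h2=$5
    {
        echo "=== Chain of custody entry ==="
        echo "date/time (UTC): $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "handler:         EXAMINER_NAME_PLACEHOLDER"
        echo "media model:     MODEL_PLACEHOLDER"
        echo "serial number:   SERIAL_PLACEHOLDER"
        echo "source:          $src"
        echo "image:           $img"
        echo "tool:            dd bs=512"
        echo "sha256 source:   $h1"
        echo "sha256 image:    $h2"
    } >> "$log"
}

# Compare the hash of an image against its source; returns 0 only on a match.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Image the source with dd, then verify and log. Note the correct if=/of= form;
# the "if-" in answer D is not an option dd accepts. conv=sync is deliberately
# omitted here: on a file-backed source it would pad the last block and change
# the image length, so the hashes would no longer match.
acquire_and_verify() {
    src=$1; img=$2; log=$3
    before=$(hash_file "$src")
    dd if="$src" of="$img" bs=512 2>/dev/null || return 2
    after=$(hash_file "$img")
    coc_record "$log" "$src" "$img" "$before" "$after"
    [ "$before" = "$after" ]
}

# Build a constructed "disk" for the demonstration (512 lines of sample data).
make_sample_disk() {
    out=$1
    i=0
    : > "$out"
    while [ "$i" -lt 512 ]; do
        printf 'sector-%05d: constructed sample content for the dd example.......\n' "$i" >> "$out"
        i=$((i + 1))
    done
}

# Stand-alone run: image the sample disk into a temp directory and report.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_disk "$d/src.img"
    if acquire_and_verify "$d/src.img" "$d/copy.img" "$d/coc.log"; then
        echo "image verified; custody log at $d/coc.log"
    else
        echo "hash mismatch: image is not a faithful copy" >&2
    fi
fi
```

Run it with `sh acquire.sh demo`. The verification step is the part that makes the copy defensible: a clone whose hash is never recorded cannot later be shown to be unchanged, which is the gap the comment about dd and hashing points at.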
Community vote distribution: A (35%), C (25%), B (20%), Other