During an incident response procedure, a security analyst acquired the needed evidence from the hard drive of a compromised machine. Which of the following actions should the analyst perform NEXT to ensure the data integrity of the evidence?
A. Generate hashes for each file from the hard drive.
B. Create a chain of custody document.
C. Determine a timeline of events using correct time synchronization.
I'm leaning towards B since you wouldn't create a hash of each file, you'd create a hash of the disk image.
The chain of custody document is started as soon as the evidence has been acquired. So this leads me to believe that B is the correct answer here, since that's exactly what the question states, so I think that's what they are looking for here.
Creating a chain of custody document is also important to maintain the integrity of the evidence, as it records the movement of the evidence from the point of acquisition to the point of presentation in court. However, this step is usually performed after the initial data integrity checks are performed.
Guys, please pay attention to the key word INTEGRITY....
For this reason alone, I will go with option A.
Even before creating a chain of custody, I think that proving that the data hasn't been changed is more important.
You DON'T make a hash of each file! (Security+) Imagine how many hashes you would have if there are thousands of files! You make a hash of the disk image.
Answer is B
Hashing is a technique that ensures the integrity of data by generating a unique digital fingerprint for each file. If the file is changed in any way, the hash value will also change, alerting the investigator to the modification. However, the hash value does not provide a documented history of the evidence, which is the primary function of the chain of custody document.
A. I was torn between A and B until I re-read. The question did not mention this was a forensic disk clone. If it was and was done with EnCase or FTK, then the drive contents or image would already be hashed. If they used dd, you have to manually hash the duplication. None of those are mentioned. It says acquired the needed evidence from the hard drive. I take that as: some files were acquired from the drive. With that being said, I would hash before and after acquiring the evidence.
The chain of custody document should already exist. If the security analyst is just creating it at this step, you can throw that case out - won't stand up in court - so the answer is A
A forensic cloning of a storage device consists of copying all the contents of a hard disk, bit by bit, to another storage device or image file, obtaining the hash signature of the bits read during the process. With this, an exact low-level copy of all the contents of the hard disk is obtained in addition to certifying the correspondence of its content with the original by matching the hash signatures. A hash signature is nothing more than an alphanumeric character string obtained from cloned information. When the hash signature of the source device and the destination device are generated, both have to match to certify the chain of custody. If a single bit changes in the cloning process, it will mean that the hash signature of the source and destination devices do not match, the chain of custody has not been maintained and the test has been altered.
Based on the question, the cloning task is done (hashes have been generated as well), so the next step is to create the chain of custody document.
Create a hash of each file on the original hard drive. If we have the hash of an overall drive and a file gets changed, we know the overall hash will be altered. If you hash each file, though time consuming for sure, you'll at least have the ability to back track. You notice the HDD hash is different, check out partition hashes, yup this one changed, wonder what folder, oh this one, cool, now what file. It makes it easier to ensure the integrity of each piece is kept and makes it easier to back track. Also, if the analyst didn't already have the chain of custody completed, then her next step shouldn't be any of these.
It should be--> E. file papers of resignation.
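An added example (not from the original thread) of the two integrity points raised above: a single hash over the whole acquisition detects any change at all, while per-file hashes let you back track to the file that changed, and each verification can be logged as a custody entry. The acquired files, their contents and the handler names are constructed sample data.

```python
import hashlib
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample acquisition: path -> bytes, standing in for files copied
# from the compromised hard drive (contents are made up for the example).
ACQUIRED_FILES: Dict[str, bytes] = {
    "/var/log/auth.log": b"Jan 10 03:14:07 host sshd[812]: Accepted password for root\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/tmp/.x": b"#!/bin/sh\necho placeholder-script\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Option A: one SHA-256 digest per acquired file."""
    return {path: sha256_hex(data) for path, data in files.items()}

def image_hash(files: Dict[str, bytes]) -> str:
    """One digest over the whole acquisition, in fixed path order with length
    framing, standing in for the hash of a bit-for-bit disk image."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(f"{path}\0{len(files[path])}\0".encode())
        h.update(files[path])
    return h.hexdigest()

def verify(files: Dict[str, bytes], base_files: Dict[str, str], base_image: str) -> dict:
    """Re-hash and report whether the image still matches and, if not, which files changed."""
    current = hash_files(files)
    changed = sorted(p for p in base_files if current.get(p) != base_files[p])
    return {"image_ok": image_hash(files) == base_image, "changed_files": changed}

def custody_entry(handler: str, action: str, files: Dict[str, bytes]) -> dict:
    """Option B: a chain-of-custody record that pins the image hash at handover."""
    return {"when": datetime.now(timezone.utc).isoformat(), "handler": handler,
            "action": action, "image_sha256": image_hash(files)}

def flip_one_bit(files: Dict[str, bytes], path: str) -> Dict[str, bytes]:
    """Simulate tampering: copy the acquisition with one bit of one file flipped."""
    data = bytearray(files[path])
    data[0] ^= 0x01
    return {**files, path: bytes(data)}

if __name__ == "__main__":
    baseline_files, baseline_image = hash_files(ACQUIRED_FILES), image_hash(ACQUIRED_FILES)
    log: List[dict] = [custody_entry("analyst-1", "acquired and hashed", ACQUIRED_FILES)]
    print(verify(flip_one_bit(ACQUIRED_FILES, "/var/log/auth.log"), baseline_files, baseline_image))
```

With the tampered copy, `verify` reports `image_ok` False and names `/var/log/auth.log` as the only changed file, which is the back-tracking the overall image hash alone cannot give.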
A very tricky one this:
A- Would ensure integrity as the hashes would show whether or not the data has been edited.
B- Would ensure integrity as you know who has handled the hard drive, assuming you noticed the change.
The question is, which would you do FIRST? I guess you could make a case for either:
Hash first- Shows that no one has edited it thereafter, but someone could edit it before hashing, and would you know who hashed it if chain of custody wasn't yet in place?
Chain of Custody first- Would you definitely notice the change? I guess it isn't asking which is best, it's asking which you'd do first, so
Part of me thinks get them hashed to be sure of their integrity
The other part thinks let's just be sure of who has handled it....
The analyst should generate hashes for each file from the hard drive to ensure the integrity of the evidence and confirm that the data has not been tampered with or altered during the acquisition process. This will provide a secure means of verifying the authenticity of the evidence during any further analysis or in the event of a legal proceeding. After generating the hashes, the analyst can then create a chain of custody document to track the handling and storage of the evidence. Keeping the cloned hard drive in a safe place will also help maintain the integrity of the evidence.
The next action the analyst should perform is to create a chain of custody document. A chain of custody document provides a clear record of who had possession of the evidence, when they had it, and what they did with it. This helps to ensure the integrity of the evidence and helps to provide a clear record of its use in the investigation. This is important in ensuring the authenticity of the evidence in the case it is needed in a legal proceeding.
Once a forensic copy or bit-by-bit copy of the HDD is made, it will already have a hash generated. Next logical step is B.