CompTIA CySA+ (CS0-001) — Question 213

A security analyst has created an image of a drive from an incident. Which of the following describes what the analyst should do NEXT?

Answer options

• A. The analyst should create a backup of the drive and then hash the drive.
• B. The analyst should begin analyzing the image and begin to report findings.
• C. The analyst should create a hash of the image and compare it to the original drive's hash.
• D. The analyst should create a chain of custody document and notify stakeholders.

Correct answer: C

Explanation

The correct step is to create a hash of the image and compare it to the original drive's hash to ensure the integrity of the evidence. This step verifies that the copied data is identical to the original, which is crucial in forensic analysis. The other options involve actions that should happen after confirming the integrity of the image, such as analysis, reporting, or documentation.