CompTIA CySA+ (CS0-001) — Question 29
A security analyst received a compromised workstation. The workstation's hard drive may contain evidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure the integrity of the hard drive while performing the analysis?
Answer options
- A. Make a copy of the hard drive.
- B. Use write blockers.
- C. Run rm -R command to create a hash.
- D. Install it on a different machine and explore the content.
Correct answer: B
Explanation
Using write blockers is essential as it prevents any modifications to the hard drive's data, ensuring the integrity of the evidence. Making a copy of the hard drive is important, but it should only be done after ensuring no changes can occur to the original. Running the rm -R command is inappropriate because it would delete files, and installing the hard drive in another machine risks altering the data.