CompTIA CySA+ (CS0-001) — Question 60

A security administrator uses FTK to take an image of a hard drive that is under investigation. Which of the following processes are used to ensure the image is the same as the original disk? (Choose two.)

Answer options

• A. Validate the folder and file directory listings on both.
• B. Check the hash value between the image and the original.
• C. Boot up the image and the original systems to compare.
• D. Connect a write blocker to the imaging device.
• E. Copy the data to a disk of the same size and manufacturer.

Correct answer: B, C

Explanation

The correct process to ensure the integrity of the image includes checking the hash value between the image and the original (B), as this verifies that the data has not changed. Booting up the systems (C) is not a standard method for validating image integrity and can introduce variables that affect comparison, making it unreliable. The other options do not directly confirm the exact match of data between the original and the image.