CompTIA CySA+ (CS0-002) — Question 147
During an incident response procedure, a security analyst acquired the needed evidence from the hard drive of a compromised machine. Which of the following actions should the analyst perform NEXT to ensure the data integrity of the evidence?
Answer options
- A. Generate hashes for each file from the hard drive.
- B. Create a chain of custody document.
- C. Determine a timeline of events using correct time synchronization.
- D. Keep the cloned hard drive in a safe place.
Correct answer: A
Explanation
Generating hashes for each file allows the evidence to be verified later as unaltered since collection, which makes this the step that directly addresses data integrity. Creating a chain of custody document and securing the cloned drive are important, but they do not directly address the immediate need to confirm the integrity of the data itself, which is why option A is the best choice.