CompTIA CySA+ (CS0-002) — Question 301

Some hard disks need to be taken as evidence for further analysis during an incident response. Which of the following procedures must be completed FIRST for this type of evidence acquisition?

Answer options

• A. Extract the hard drives from the compromised machines and then plug them into a forensics machine to apply encryption over the stored data to protect it from nonauthorized access.
• B. Build the chain-of-custody document, noting the media model, serial number, size, vendor, date, and time of acquisition.
• C. Perform a disk sanitization using the command #dd if=/dev/zero of=/dev/sdc bs=1M over the media that will receive a copy of the collected data.
• D. Execute the command #dd if-/dev/sda of=/dev/sdc bs=512 to clone the evidence data to external media to prevent any further change.

Correct answer: B

Explanation

The correct answer is B because establishing a chain-of-custody is essential to maintain the integrity and authenticity of the evidence collected. Options A, C, and D are incorrect as they involve actions taken after the initial documentation of the evidence, which is critical for legal and investigative processes.