CompTIA CySA+ (CS0-003) — Question 166

Which of the following evidence collection methods is most likely to be acceptable in court cases?

Answer options

• A. Copying all access files at the time of the incident
• B. Creating a file-level archive of all files
• C. Providing a full system backup inventory
• D. Providing a bit-level image of the hard drive

Correct answer: D

Explanation

Providing a bit-level image of the hard drive is considered the most reliable method for evidence collection as it captures an exact replica of the data on the drive, including deleted files and unallocated space. The other options, while useful, do not provide the same level of detail or integrity needed for legal proceedings.