CompTIA CySA+ (CS0-003) — Question 201
An analyst is imaging a hard drive that was obtained from the system of an employee who is suspected of going rogue. The analyst notes that the initial hash of the evidence drive does not match the resultant hash of the imaged copy. Which of the following best describes the reason for the conflicting investigative findings?
Answer options
- A. Chain of custody was not maintained for the evidence drive.
- B. Legal authorization was not obtained prior to seizing the evidence drive.
- C. Data integrity of the imaged drive could not be verified.
- D. Evidence drive imaging was performed without a write blocker.
Correct answer: D
Explanation
The correct answer is D because a write blocker prevents any modification of the evidence drive during the imaging process; without one, the drive can be altered while it is being imaged, which leads to a hash mismatch. Options A and B pertain to procedural errors, while option C describes a verification issue but does not address the specific cause of the hash difference.