CompTIA CySA+ (CS0-003) — Question 27
An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?
Answer options
- A. Disable the user’s network account and access to web resources.
- B. Make a copy of the files as a backup on the server.
- C. Place a legal hold on the device and the user’s network share.
- D. Make a forensic image of the device and create a SHA-1 hash.
Correct answer: D
Explanation
Creating a forensic image of the device and generating a SHA-1 hash is the best step because the image is an exact duplicate of the data and the hash allows that duplicate to be verified later, preserving the integrity of the evidence. The other options may mitigate risk, but they do not guarantee that all data is preserved in its original state the way a forensic image does.