CompTIA Security+ (SY0-501) — Question 382

Which of the following needs to be performed during a forensics investigation to ensure the data contained in a drive image has not been compromised?

Answer options

• A. Follow the proper chain of custody procedures.
• B. Compare the image hash to the original hash.
• C. Ensure a legal hold has been placed on the image.
• D. Verify the time offset on the image file.

Correct answer: B

Explanation

The correct answer is B because comparing the image hash to the original hash is crucial for verifying data integrity. While following chain of custody procedures, ensuring a legal hold, and verifying time offsets are important for legal and procedural reasons, they do not directly confirm whether the data has been altered.