CompTIA Security+ (SY0-501) — Question 732
A forensics analyst is investigating a hard drive for evidence of suspected illegal activity. Which of the following should the analyst do FIRST?
Answer options
- A. Create a hash of the hard drive.
- B. Export the Internet history.
- C. Save a copy of the case number and date as a text file in the root directory.
- D. Back up the pictures directory for further inspection.
Correct answer: A
Explanation
The correct action is to create a hash of the hard drive first. The hash provides a unique fingerprint of the data, which ensures the integrity of the evidence because any later alteration can be detected against it. Exporting Internet history, saving case details, or backing up directories should occur only after the integrity of the drive is secured, as those actions do not protect the evidence from alteration.