CompTIA Security+ (SY0-601) — Question 756

A security incident may have occurred on the desktop PC of an organization's Chief Executive Officer (CEO). A duplicate copy of the CEO's hard drive must be stored securely to ensure appropriate forensic processes and the chain of custody are followed. Which of the following should be performed to accomplish this task?

Answer options

• A. Install a new hard drive in the CEO's PC, and then remove the old hard drive and place it in a tamper-evident bag.
• B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy.
• C. Remove the CEO's hard drive from the PC, connect to the forensic workstation, and copy all the contents onto a remote fileshare while the CEO watches.
• D. Refrain from completing a forensic analysis of the CEO's hard drive until after the incident is confirmed; duplicating the hard drive at this stage could destroy evidence.

Correct answer: B

Explanation

Option B is correct because it uses a write blocker and the dd command in a controlled environment to create a forensic copy without altering the original data, thereby preserving the integrity of the evidence. Option A fails to maintain the integrity of the original drive since it involves replacing it and may not secure evidence properly. Option C compromises the chain of custody by allowing the CEO to watch the copying process, which could lead to unintentional evidence tampering. Option D is incorrect as timely duplication is essential for preserving evidence, and waiting could risk data loss.