Certified Information Security Manager (CISM) — Question 183
A desktop computer is being used to perpetrate a fraud, and data on the machine must be secured for evidence. Which of the following should be done FIRST?
Answer options
- A. Encrypt the content of the hard drive using a strong algorithm.
- B. Obtain a hash of the desktop computer's internal hard drive.
- C. Copy the data on the computer to an external hard drive.
- D. Capture a forensic image of the computer.
Correct answer: B
Explanation
The first action should be to obtain a hash of the internal hard drive, so that the integrity of the data is established before any further action is taken. This step is crucial for maintaining a verifiable state of the evidence. Options A, C, and D, while important, should come only after the initial hash has been established, so that it can be shown that the data remains unchanged.