Certified Information Security Manager (CISM) — Question 716

Prior to conducting a forensic examination, an information security manager should:

Answer options

• A. boot the original hard disk on a clean system.
• B. create an image of the original data on new media.
• C. duplicate data from the backup media.
• D. shut down and relocate the server.

Correct answer: B

Explanation

Creating an image of the original data on new media is essential to ensure that the original evidence remains unaltered during analysis. Booting the original hard disk or duplicating data from backup media may compromise the integrity of the evidence, while shutting down and relocating the server does not directly facilitate a forensic examination.