A security incident may have occurred on the desktop PC of an organization's Chief Executive Officer (CEO). A duplicate copy of the CEO's hard drive must be stored securely to ensure appropriate forensic processes and the chain of custody are followed. Which of the following should be performed to accomplish this task?
A) Install a new hard drive in the CEO's PC, and then remove the old hard drive and place it in a tamper-evident bag.
B) Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy.
C) Remove the CEO's hard drive from the PC, connect to the forensic workstation, and copy all the contents onto a remote fileshare while the CEO watches.
D) Refrain from completing a forensic analysis of the CEO's hard drive until after the incident is confirmed; duplicating the hard drive at this stage could destroy evidence.
Correct Answer:
Verified