A cybersecurity incident response team at a financial institution has discovered a compromised employee workstation. Digital evidence needs to be collected for potential legal action. What should be the FIRST step in collecting digital evidence from the compromised workstation?
Document visible running processes and applications
Begin examining files directly on the live system
Shut down the system promptly to preserve evidence
The correct approach is to create a forensic image (bit-by-bit copy) of the storage media before beginning any analysis. This preserves the original state of the evidence and ensures that the original evidence isn't altered during examination. A forensic image captures all data on the device, including deleted files and slack space. This approach maintains the chain of custody and ensures that the evidence remains admissible in court. Direct examination of the live system risks altering timestamps, file metadata, and other crucial forensic artifacts. Similarly, shutting down the system could lose volatile memory (RAM) data which might contain valuable evidence about the attack. Documenting the system state is important but should follow proper imaging procedures, not precede them.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a forensic image and why is it important in digital evidence collection?
Open an interactive chat with Bash
What are the risks of examining files directly on a live system?
Open an interactive chat with Bash
What is meant by the 'chain of custody' and why is it important?
Open an interactive chat with Bash
ISC2 CISSP
Security Operations
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access