Operational and Organizational Security: Incident Response • Chapter 11 667
A. Photograph anything that is displayed on the screen
B. Open files and then save them to other media
C. Use disk imaging software to make a duplicate of the disk’s contents
D. Leave the system out of the forensic examination, and restore it to its
previous state using a backup.
8. You have created an image of the contents of a hard disk to be used in a
forensic investigation. You want to ensure that this data will be accepted in
court as evidence. Which of the following tasks must be performed before it is
submitted to the investigator and prosecutor?
A. Copies of data should be made on media that’s forensically sterile.
B. Copies of data should be copied to media containing documentation on
findings relating to the evidence.
C. Copies of data can be stored with evidence from other cases, so long as
the media is read-only.
D. Delete any previous data from media before copying over data from this
case.
9. An investigator arrives at a site where all of the computers involved in the
incident are still running. The first responder has locked the room containing
these computers, but has not performed any additional tasks. Which of the
following tasks should the investigator perform?
A. Tag the computers as evidence
B. Conduct a search of the crime scene, and document and photograph what
is displayed on the monitors
C. Package the computers so that they are padded from jostling that could
cause damage
D. Shut down the computers involved in the incident
10. You are part of an Incident Response Team investigating a hacking attempt on
a server. You have been asked to gather and document volatile evidence from
the computer. Which of the following would qualify as volatile evidence?
www.syngress.com