An incident responder needs to create a forensic image of a suspect hard drive. What is the correct procedure to ensure evidence integrity?
Correct. A write blocker prevents writes to the source, and hash verification ensures integrity.
Why this answer
Option A is correct because forensic imaging requires a write blocker to prevent any modification to the original evidence, a bit-for-bit (sector-level) copy to capture all data including slack space and deleted files, and cryptographic hashing (SHA-256) both before and after imaging to verify that the image is an exact, unaltered duplicate of the source. This process ensures the integrity and admissibility of digital evidence in legal proceedings.
Exam trap
The trap here is that candidates may think booting the system or simply copying files is sufficient, but the SSCP exam emphasizes that any write activity to the original evidence breaks the chain of custody and invalidates the forensic integrity.
How to eliminate wrong answers
Option B is wrong because booting the suspect system alters the system state (e.g., writes temporary files, updates logs, changes timestamps), which modifies evidence and violates forensic best practices. Option C is wrong because simply placing the drive in an anti-static bag and shipping it does not create a forensic image; imaging must be performed to preserve the data, and the procedure omits write-blocking and hashing. Option D is wrong because connecting the drive directly without a write blocker risks accidental writes to the source, and copying files (rather than creating a bit-for-bit image) loses metadata, slack space, and deleted data; MD5 is also less collision-resistant than SHA-256 for modern forensic standards.