Understanding Cisco Cybersecurity Operations Fundamentals: Differences in Tampered and Untampered Disk Images

Differences in Tampered and Untampered Disk Images

Question

What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)

Answers

Explanations


A. B. C. D. E.

B, E.

Disk images are a crucial element in digital forensics as they contain a bit-by-bit copy of a storage device, which can be used for analysis, investigation, and recovery in security incidents.

Whether a disk image is tampered or untampered can significantly change how a security incident is handled. Two differences between them are:

  1. Untampered images are used in the security investigation process: Untampered disk images are the primary source of evidence in the investigation process, as they contain an exact copy of the data on the storage device. These images are considered to be reliable and can be used to recover deleted or hidden files, track user activities, and identify malware or other threats. Any changes made to the original image can compromise the integrity of the evidence and affect the outcome of the investigation.

  2. The image is untampered if the stored hash and the computed hash match: To protect the integrity of the disk image, a hash value is computed over the data in the original image at acquisition time and stored alongside the image. Later, during the investigation, a new hash value is computed from the copy of the image; if it matches the stored value, the image is untampered. Such an image is reliable evidence that can be used in court or other legal proceedings.

Therefore, options A and E are the correct answers. Tampered images are not used in the investigation process, as they can lead to false conclusions and unreliable evidence. Instead, tampered images can be used in the incident recovery process, where the focus is on restoring the affected system to its original state or a known-good configuration. Option C is incorrect because it describes how to verify if the image is untampered, not tampered.
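The hash-verification step from point 2, as an added example that is not part of the original page: the image contents are constructed inline (random bytes, not real disk data), SHA-256 and a `.sha256` sidecar file are assumed, and `demo()` shows the check passing on the untampered copy and failing once a single bit is altered.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # stream 1 MiB at a time so a multi-GB image never has to fit in RAM


def hash_image(path, algo="sha256"):
    """Return the hex digest of the whole file, read chunk by chunk."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def store_hash(image_path):
    """Acquisition step: hash the original image and keep the value in a sidecar file."""
    digest = hash_image(image_path)
    with open(image_path + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(image_path)}\n")  # same layout as sha256sum
    return digest


def verify_image(image_path):
    """Investigation step: recompute the hash and compare it with the stored value."""
    with open(image_path + ".sha256") as f:
        stored = f.read().split()[0]
    # compare_digest: constant-time comparison, so timing does not reveal where they differ
    return hmac.compare_digest(stored, hash_image(image_path))


def demo():
    """Constructed image (not real disk data): verify before and after one bit changes."""
    workdir = tempfile.mkdtemp()
    img = os.path.join(workdir, "evidence.dd")
    with open(img, "wb") as f:
        f.write(b"\x55\xAA" + os.urandom(3 * CHUNK + 17))
    store_hash(img)
    untampered = verify_image(img)
    with open(img, "r+b") as f:  # flip a single bit in the working copy
        f.seek(4096)
        original = f.read(1)
        f.seek(4096)
        f.write(bytes([original[0] ^ 0x01]))
    return untampered, verify_image(img)  # -> (True, False)
```

In practice the stored hash should be kept in a separate, access-controlled location (or signed), since a sidecar file next to the image can be altered by the same party that alters the image.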