A security incident may have occurred on the desktop PC of an organization's Chief Executive Officer (CEO). A duplicate copy of the CEO's hard drive must be stored securely to ensure appropriate forensic processes and the chain of custody are followed.
Which of the following should be performed to accomplish this task?
A. Install a new hard drive in the CEO's PC, and then remove the old hard drive and place it in a tamper-evident bag.
B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy.
C. Remove the CEO's hard drive from the PC, connect to the forensic workstation, and copy all the contents onto a remote fileshare while the CEO watches.
D. Refrain from completing a forensic analysis of the CEO's hard drive until after the incident is confirmed; duplicating the hard drive at this stage could destroy evidence.
Option B is the correct answer.
When the CEO's desktop PC is suspected of involvement in a security incident, a duplicate copy of its hard drive must be stored securely so that appropriate forensic processes and the chain of custody are followed. Preserving the evidence on the drive in this way ensures that it can be analyzed later in a controlled environment.
Option A is incorrect because installing a new hard drive could overwrite or destroy important evidence. A write blocker should be used instead, since it prevents any changes from being made to the original hard drive.
Option C is incorrect because copying the contents of the hard drive onto a remote fileshare could also overwrite or modify important evidence. The duplicate should be created through a write blocker, in a controlled environment.
Option D is incorrect because delaying the forensic analysis of the CEO's hard drive until the incident is confirmed is not a best practice. Organizations should begin forensic analysis as soon as possible to identify the scope of the incident and take appropriate actions to contain and remediate it.
Therefore, Option B is the best course of action: connect a write blocker to the hard drive and then, from a forensic workstation, use the dd command in a live Linux environment to create a duplicate copy. This ensures that the original hard drive is not modified and that a secure copy is available for further analysis.
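The acquisition that Option B describes, as an added example that is not part of the original page: a small POSIX shell script that images a device sitting behind a hardware write blocker with dd, hashes the source and the image with SHA-256, and appends the result to a chain-of-custody log. It assumes GNU coreutils on a live Linux forensic workstation; the device path, image path and log path are placeholders chosen by the operator.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumes GNU dd and sha256sum.
# The evidence device must already be attached through a write blocker so
# that nothing here (or anything else) can alter the original drive.

# hash_of FILE -> prints the SHA-256 hex digest of FILE
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image SOURCE IMAGE -> 0 if both hash identically, 1 otherwise
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE (a block device such as /dev/sdb behind the write blocker,
# or a plain file when testing) to IMAGE with dd, hashes both sides and
# appends a timestamped line to the chain-of-custody LOG.
# Returns 0 on a verified copy, 1 on a hash mismatch, 2 on an I/O problem.
acquire_image() {
    src=$1; img=$2; log=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # Large blocks keep the copy fast. conv=sync is deliberately not used:
    # it would zero-pad the final block and the image hash would no longer
    # match the source hash.
    dd if="$src" of="$img" bs=4M status=none || return 2
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s image=%s sha256_source=%s sha256_image=%s\n' \
        "$stamp" "$src" "$img" "$src_hash" "$img_hash" >> "$log"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified $img $img_hash"
        return 0
    fi
    echo "HASH MISMATCH for $img" >&2
    return 1
}

# Operator usage (placeholder paths):
#   acquire_image /dev/sdb /mnt/evidence/CASE-0001_ceo_disk.dd /mnt/evidence/custody.log
```

The log line is what goes into the custody record together with the tamper-evident bag details; re-running verify_image against the stored image at any later time confirms it is still the copy that was taken.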