Compromised Evidence Collection Process | SSCP Exam Answer


Question

In the process of gathering evidence from a computer attack, a system administrator took a series of actions which are listed below.

Can you identify which one of these actions has compromised the whole evidence collection process?

Answers

A. Using a write blocker
B. Made a full-disk image
C. Created a message digest for log files
D. Displayed the contents of a folder

Correct answer: D.

Explanations

Displaying the directory contents of a folder can alter the last access time on each listed file.

Using a write blocker is wrong because a write blocker ensures that you cannot modify the data on the host and prevents the host from writing to its hard drives.

Made a full-disk image is wrong because making a full-disk image preserves all data on a hard disk, including deleted files and file fragments.

Created a message digest for log files is wrong because a message digest is a cryptographic checksum that can demonstrate that the integrity of a file has not been compromised (e.g. changes to the content of a log file).

Domain: LEGAL, REGULATIONS, COMPLIANCE AND INVESTIGATIONS

References: AIO 3rd Edition, pages 783-784; NIST 800-61 Computer Security Incident Handling Guide, pages 3-18 to 3-20

The action that has compromised the whole evidence collection process is option D, which is "Displayed the contents of a folder."

When gathering evidence from a computer attack, it is crucial to maintain the integrity of the evidence to ensure that it is admissible in court. To do so, the system administrator should use a write blocker, which prevents any changes to the original data. By using a write blocker, the system administrator ensures that the original data is preserved and not tampered with during the evidence collection process. Therefore, option A, which is "Using a write blocker," is a recommended action.

Additionally, the system administrator should create a full-disk image, which is an exact copy of the original disk. This image should be created using a forensic tool, and it should be saved to a secure location. This ensures that the original data is preserved, and any analysis can be conducted on the copy without modifying the original data. Therefore, option B, which is "Made a full-disk image," is also a recommended action.

Furthermore, creating a message digest for log files is another recommended action. A message digest, also known as a hash, is a unique code that is generated from the original data. This code can be used to verify the integrity of the data and ensure that it has not been modified. Therefore, option C, which is "Created a message digest for log files," is also a recommended action.
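As an added example (not part of the original question or its references), the Python below shows what option C amounts to in practice: a SHA-256 manifest of log files taken at collection time, and a later verification that flags any file whose content has changed or that has gone missing. The log line and the temporary directory are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def file_digest(path, chunk_size=65536):
    """SHA-256 hex digest of a file, streamed so a large log never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths):
    """Record each file's digest, size and modification time at collection time."""
    manifest = {}
    for path in paths:
        st = os.stat(path)
        manifest[path] = {
            "digest": file_digest(path),
            "size": st.st_size,
            "mtime": st.st_mtime,
        }
    return manifest

def verify_manifest(manifest):
    """Map each path to 'ok', 'modified' or 'missing' by recomputing its digest."""
    results = {}
    for path, rec in manifest.items():
        if not os.path.exists(path):
            results[path] = "missing"
        elif file_digest(path) != rec["digest"]:
            results[path] = "modified"
        else:
            results[path] = "ok"
    return results

def demo():
    """Constructed sample: digest a log, append a line to it, observe the mismatch."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        with open(log, "w") as fh:
            fh.write("Jan 01 00:00:01 host sshd[1]: Accepted publickey for admin\n")
        manifest = build_manifest([log])
        before = verify_manifest(manifest)[log]
        with open(log, "a") as fh:  # simulate tampering after collection
            fh.write("Jan 01 00:00:02 host sshd[1]: session closed\n")
        after = verify_manifest(manifest)[log]
        return before, after
```

The manifest itself should be stored away from the evidence host (and ideally signed or hashed in turn), since a digest kept beside the files it protects can be altered together with them.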

However, option D, which is "Displayed the contents of a folder," has compromised the evidence collection process because it can modify the data. When a file or folder is accessed or opened, the last accessed timestamp is updated. This means that displaying the contents of a folder can modify the last accessed timestamp, which can be used as evidence in court. Therefore, option D is not a recommended action.

In summary, the recommended actions for evidence collection from a computer attack are using a write blocker, creating a full-disk image, and creating a message digest for log files. Displaying the contents of a folder is not a recommended action as it can compromise the integrity of the evidence collection process.