CISM Certified Information Security Manager – Question 1414

When creating a forensic image of a hard drive, which of the following should be the FIRST step?

A. Identify a recognized forensics software tool to create the image.
B. Establish a chain of custody log.
C. Connect the hard drive to a write blocker.
D. Generate a cryptographic hash of the hard drive contents.

Correct Answer: B

Explanation:

The first step in any investigation requiring the creation of a forensic image should always be to maintain the chain of custody. Identifying a recognized forensics software tool to create the image is one of the important steps, but it should come after several of the other options. Connecting the hard drive to a write blocker is an important step, but it must be done after the chain of custody has been established. Generating a cryptographic hash of the hard drive contents is another important step, but one that comes after several of the other options.