CISM Certified Information Security Manager – Question1409

In the course of examining a computer system for forensic evidence, data on the suspect media were inadvertently altered. Which of the following should have been the FIRST course of action in the investigative process?

A. Perform a backup of the suspect media to new media.
B. Perform a bit-by-bit image of the original media source onto new media.
C. Make a copy of all files that are relevant to the investigation.
D. Run an error-checking program on all logical drives to ensure that there are no disk errors.

Correct Answer: B

Explanation:
The original hard drive or other suspect media should never be used as the source for analysis. The original should be physically secured, used only as the master from which a bit-by-bit (sector-level) image is created, and then stored under the evidence-handling procedures that apply at its location. Imaging should be done through a write blocker, and cryptographic hashes of the source and of the image should be recorded so that the image can be proven identical to the original. All forensic analysis is then performed on the image. A backup (choice A) or a copy of the relevant files (choice C) does not preserve 100 percent of the data: deleted files, unallocated space and file slack are lost, and these may be critical to the investigation. Running an error-checking or repair program (choice D) writes to the media and is itself an alteration. Once data on the source have been altered, they may no longer be admissible in court; continuing the investigation and merely documenting the date, time and data that were altered does not restore admissibility. The organization must know the requirements for collecting and preserving forensic evidence in its jurisdiction.
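The following is an added illustration, not part of the CISM question or its official explanation. It builds a constructed toy "disk" (eight 64-byte blocks with a JSON directory in block 0; the layout, file names and contents are invented for the demo) and contrasts a bit-by-bit image with a file-level copy: the image preserves a deleted file in unallocated space and the tail of an overwritten draft in file slack, a hash check proves the image matches the source, and a single flipped bit is detected. The function and variable names are the example's own.

```python
import hashlib
import json

BLOCK = 64      # bytes per block on the toy media
NBLOCKS = 8     # block 0 holds the directory, blocks 1..7 hold file data


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _write_directory(media: bytearray, directory: dict) -> None:
    raw = json.dumps(directory).encode()
    assert len(raw) <= BLOCK, "directory too large for block 0"
    media[0:BLOCK] = raw.ljust(BLOCK, b"\x00")


def read_directory(media: bytes) -> dict:
    """Directory maps file name -> [block index, length in bytes]."""
    return json.loads(media[0:BLOCK].rstrip(b"\x00").decode())


def _write_file(media: bytearray, directory: dict, name: str, data: bytes, block: int) -> None:
    assert 1 <= block < NBLOCKS and len(data) <= BLOCK
    start = block * BLOCK
    media[start:start + len(data)] = data   # bytes beyond len(data) are untouched: file slack
    directory[name] = [block, len(data)]


def make_suspect_media() -> bytes:
    """Constructed sample media (not real evidence) with one deleted file in
    unallocated space and residual data from an overwritten draft in slack."""
    media = bytearray(BLOCK * NBLOCKS)
    directory: dict = {}
    # a long draft is overwritten in place by a shorter file; its tail stays in slack
    _write_file(media, directory, "notes.txt", b"DRAFT: move the funds before the audit closes", 1)
    _write_file(media, directory, "notes.txt", b"meeting at 10", 1)
    # a file is written and then "deleted": directory entry removed, data blocks left alone
    _write_file(media, directory, "transfer.txt", b"wire 50000 to acct 1234", 2)
    del directory["transfer.txt"]
    _write_directory(media, directory)
    return bytes(media)


def bit_image(media: bytes) -> bytes:
    """Bit-for-bit image: every byte, allocated or not, deleted or live."""
    return bytes(media)


def file_level_copy(media: bytes) -> dict:
    """What a backup or 'copy the relevant files' yields: only the bytes the
    directory currently attributes to live files."""
    out = {}
    for name, (block, length) in read_directory(media).items():
        start = block * BLOCK
        out[name] = media[start:start + length]
    return out


def verify_image(original: bytes, image: bytes) -> bool:
    """Chain-of-custody check: image hash must equal the source hash."""
    return sha256(original) == sha256(image)


def demo() -> dict:
    media = make_suspect_media()
    image = bit_image(media)
    copy = file_level_copy(media)
    copied_bytes = b"".join(copy.values())
    tampered = bytearray(image)
    tampered[BLOCK] ^= 0x01          # one bit changed in the first data block
    return {
        "image_verified": verify_image(media, image),
        "tamper_detected": not verify_image(media, bytes(tampered)),
        "deleted_in_image": b"wire 50000" in image,
        "deleted_in_copy": b"wire 50000" in copied_bytes,
        "slack_in_image": b"before the audit" in image,
        "slack_in_copy": b"before the audit" in copied_bytes,
        "live_files_in_copy": sorted(copy),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On real media the same idea is carried out with a hardware write blocker and an imaging tool that reads every sector and records source and image hashes; the point of the toy is only that the evidence of interest (deleted data, slack) is exactly what a file-level copy or backup silently drops.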