What is the recommended method to verify the integrity of a forensic image after acquisition?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

Explanation:
You verify forensic image integrity by calculating cryptographic hashes for both the source data and the acquired image, then comparing them and securely storing the hash values and the method used. A cryptographic hash provides a compact, unique fingerprint of the exact bit pattern; if the hash of the source and the hash of the image match, you have strong evidence that the copy is a bit-for-bit replica and has not been altered during acquisition. Documenting the hash algorithm, tool, date, and storing the hash values supports a verifiable chain of custody and lets you reproduce the check later if needed. Encrypting the image protects confidentiality but doesn’t prove integrity. Simply copying and re-running tools or relying on file sizes alone don’t reliably detect changes, since data can be altered without changing size and without affecting a superficial check.
