An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?
To preserve evidence in the context of a suspected misuse of a company-issued laptop, the best step is to make a forensic image of the device. This ensures that an exact copy of the data, files, and settings on the laptop is preserved in a forensically sound manner. The process of creating a forensic image maintains the integrity of the original data and ensures it remains unaltered, which is crucial for any investigation or potential legal proceedings. Although SHA-1 has been deprecated, the primary focus here is on the creation of the forensic image itself, which is the most reliable method to preserve the digital evidence.
Read the question, "An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?" The focus is the laptop. We need to image it and hash the image. The answer can't be legal hold as there is nothing regulatory or legal invoked. It says he misused the laptop; no detail was given as to how it was misused. There are a number of things he could have been doing which would have been against company policy but would not have triggered a legal hold. There is nothing to indicate there is potential litigation pending.
SHA-1 was deprecated for use by NIST.
Came back to this one. Sure enough, SHA-1 was indeed deprecated last year (2022). I agree with C being the best option since D can be eliminated.
To my understanding answer C Legal Hold is the right answer here... A legal hold is the process by which an organization advises personnel when information must be preserved for potential litigation matters or investigations. Answer D - forensic image, would be for preserving an infected server... which is not the case here.
Muvisan, a forensic copy is not only used on an infected server. It is used to make a backup copy to ensure that it is not modified for legal action. Given that it is pending an investigation by HR I think your answer is correct.
Correct. Creating a forensic image of the company-issued laptop ensures that an exact copy of the device's data, files, and settings is preserved in a forensically sound manner. This ensures that the original data remains intact and unaltered, which is crucial for any potential investigation or legal proceedings.
Forensic imaging. Do not focus on the laptop. Focus on the question.
The SHA-1 part is weird, but C can not actually stop a user from making changes until the laptop is seized, so that is why I chose D.
SHA-1 is very old and is not advised to be used, as it is very insecure...
This approach ensures that a complete and exact copy of all the data on the device is made, which is essential for a forensic investigation. The SHA-1 hash is used to verify the integrity of the data, ensuring that the forensic image is an exact, unaltered copy of the original data. This is critical for legal and investigative purposes, as it ensures the admissibility of the evidence in any potential legal proceedings.
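An added example (not from this thread) of what "image it and hash the image" means in practice, using SHA-256 in place of the deprecated SHA-1: the source is hashed while it is copied, the image is re-hashed and compared against the acquisition hash, and a single changed byte in the image is detected. The file-backed "disk" and the paths are constructed stand-ins for a real block device and evidence store.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so large images never sit in memory


def hash_file(path, algo="sha256"):
    """Return the hex digest of a file, read in chunks (SHA-256 by default)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image):
    """Bit-for-bit copy of source to image; returns the acquisition hash of the source.
    The source is opened read-only; in a real acquisition it sits behind a write blocker."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)  # hash the bytes as they are read from the source
            dst.write(block)
    return src_hash.hexdigest()


def verify_image(image, acquisition_hash):
    """Re-hash the image and compare it with the hash recorded at acquisition time."""
    return hash_file(image) == acquisition_hash


def demo():
    """Constructed walkthrough: image a fake disk, verify it, then show tampering is caught."""
    with tempfile.TemporaryDirectory() as d:
        disk = Path(d) / "laptop_disk.bin"   # stand-in for the laptop's block device
        image = Path(d) / "laptop_disk.img"  # the forensic image
        disk.write_bytes(os.urandom(3 * CHUNK + 123))  # constructed sample data
        acq = acquire_image(disk, image)
        ok_before = verify_image(image, acq)
        # Simulate a single-byte modification of the image after acquisition.
        with open(image, "r+b") as f:
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0x01]))
        ok_after = verify_image(image, acq)
        return ok_before, ok_after  # (True, False)


if __name__ == "__main__":
    print(demo())
```

The acquisition hash is what goes into the chain-of-custody record; any later verification that does not reproduce it means the image can no longer be shown to match the original.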
NIST recommended SHA-1 should be phased out by Dec. 31, 2030. As far as I know this question doesn't mention taking place in the future. SHA-1 would be a problem here if there was a hashed password that they were trying to secure. There isn't one, so that's not even the problem being addressed here. Also, what if the user has a logic bomb that says "if I don't log in to my network share account in X amount of time, just wipe my account." Now while the law is creeping slowly toward a resolution, that account is being wiped. I argue that one should forensically copy that person's device and their storage on the network share drive and hash it. I'm gonna argue for D on this one; however, I'm open to the wisdom/counter arguments of others.
Also... The question asks for the BEST solution, not for the FIRST step. Hear me out. Sure, SHA-1 was deprecated... but it was done so because of the expected ease of AI having the ability to crack/brute force it, which wouldn't be a problem here as their goal is to ensure that evidence is preserved, which having a hash of the drive that was copied would allow you to know. That drive and hash would be in the possession of the forensic analyst within a forensic environment. There would be no realistic risk of that hash being brute forced.
The answer is D because C does not preserve evidence, which is what the question is asking. Sometimes you have to look for those keywords because there will usually be two or more good answers.
Still, I think C is correct, as a legal hold triggers processes that are started to preserve data; see the CompTIA study guide, chapter 10, evidence acquisition and preservation.
I appreciate the insight, it makes sense then. I have my test in the morning so I hope it's right lol
Hi 581777a- Just wondering if your test had most of the questions listed in here?
C. Place a legal hold on the device and the user’s network share. CertMaster Topic 8B: A legal hold, or litigation hold, describes the notification received by an organization's legal team instructing them to preserve electronically stored information (ESI) and/or paper documents that may be relevant to a pending legal case. Legal hold authority can be complicated by jurisdiction, but these details are managed by legal teams. It is imperative that the cybersecurity team be notified of legal holds as soon as possible in order to ensure data is preserved in accordance with the order. Legal hold requirements often exceed the data protection and retention periods ordinarily in place.
It only says "best step to preserve evidence" which means make a forensic image.
It appears this question is similar to whether to: A. secure the crime scene; or B. start collecting evidence. Most people choose A.
Came back to this one. SHA-1 was indeed deprecated last year (2022). C is the best option since D can be eliminated.
I'm going with D since C is an administrative process, and not an actual technical process of preserving evidence. The Legal Hold is simply an order, but it does nothing to preserve the data.