What are two differences in how tampered and untampered disk images affect a security incident?

What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)
A. Untampered images are used in the security investigation process
B. Tampered images are used in the security investigation process
C. The image is tampered if the stored hash and the computed hash match
D. Tampered images are used in the incident recovery process
E. The image is untampered if the stored hash and the computed hash match

cisco-exams

3 thoughts on “What are two differences in how tampered and untampered disk images affect a security incident?

    1. This a confusing question and Both A and B can be correct.

      1- Untampered ( Orignal ) are never used and Kept in Custody. Chain of custody , else its null and void.
      2- A Copy of Original ( Untamper ) image is used to play with the evidence. All tempering is happening on replicas and not on originals.
      Special Equipment is used to make replica of originals so that even one bit is not changed.

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.