Which of the following needs to be performed during a forensics investigation to ensure the data contained in a drive image has not been compromised?
A. Follow the proper chain of custody procedures.
B. Compare the image hash to the original hash.
C. Ensure a legal hold has been placed on the image.
D. Verify the time offset on the image file.
Another poorly worded question, as every other study source will tell you chain of custody but the way this question is worded makes it lean towards B. If you don’t follow chain of custody, and someone steals all the data and wipes it on the machine, SURE checking the image hash will tell you if the data changed but chain of custody will tell you who compromised the data in the first place and be vastly more helpful.