An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?
A. Disable the user’s network account and access to web resources.
B. Make a copy of the files as a backup on the server.
C. Place a legal hold on the device and the user’s network share.
D. Make a forensic image of the device and create a SHA-1 hash.
Read the question, "An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?"
The focus is the laptop. We need to image it and hash the image.
The answer can't be legal hold, as nothing regulatory or legal has been invoked. It says he misused the laptop; no detail was given as to how it was misused. There are a number of things he could have been doing which would have been against company policy but would not have triggered a legal hold. There is nothing to indicate there is potential litigation pending.
This approach ensures that a complete and exact copy of all the data on the device is made, which is essential for a forensic investigation. The SHA-1 hash is used to verify the integrity of the data, ensuring that the forensic image is an exact, unaltered copy of the original data. This is critical for legal and investigative purposes, as it ensures the admissibility of the evidence in any potential legal proceedings.
Correct Answer: D.
Analysis: Making a forensic image of the device and creating a SHA-1 hash is the best step to preserve evidence. This process ensures that a bit-by-bit copy of the device is taken, preserving the original state of the data for future analysis and investigation. The SHA-1 hash provides a cryptographic verification that the copy is identical to the original, which is crucial for maintaining the integrity of the evidence.
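The acquire-then-hash step described above, as an added example that is not part of the original page or any commenter's post. It images a constructed 1 MiB "device" (a plain file standing in for the laptop disk; on a real case the source would be the drive attached behind a write blocker), hashes source and image, records both in an acquisition log, and then shows that any later change to the image is caught on re-verification. SHA-256 is used in place of the question's SHA-1, since SHA-1 is no longer considered collision resistant; the tool fallback chain (sha256sum, shasum, openssl) is an assumption about what is installed.

```shell
#!/bin/sh
# Added example: forensic-style acquisition of a "device" plus hash verification.
# The sample device below is a constructed file so this runs offline.
set -eu

hash_file() {
    # Print the SHA-256 of a file using whichever tool is available.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

make_sample_device() {
    # Constructed 1 MiB "disk" of random bytes standing in for the laptop drive.
    head -c 1048576 /dev/urandom > "$1"
}

acquire_image() {
    # $1 = source device, $2 = output image, $3 = acquisition log.
    # conv=noerror,sync keeps reading past unreadable sectors (zero-filling them)
    # so a partially failing disk still yields a full-sized image.
    src="$1"; img="$2"; log="$3"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    # Record both hashes with a UTC timestamp; this is what later re-verification
    # (and a chain-of-custody form) is compared against.
    printf '%s source=%s image=%s sha256_source=%s sha256_image=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

verify_image() {
    # $1 = image, $2 = hash recorded at acquisition. Prints "match" or "MISMATCH".
    if [ "$(hash_file "$1")" = "$2" ]; then echo match; else echo MISMATCH; fi
}

# Walk-through on the constructed device.
work=$(mktemp -d)
make_sample_device "$work/laptop-disk"
acquire_image "$work/laptop-disk" "$work/laptop.dd" "$work/acquisition.log"
expected=$(hash_file "$work/laptop-disk")
verify_image "$work/laptop.dd" "$expected"
# Simulate post-acquisition tampering (a single appended byte): the image no
# longer matches the hash taken at acquisition, which is exactly what the hash is for.
printf 'X' >> "$work/laptop.dd"
verify_image "$work/laptop.dd" "$expected"
```

On a real acquisition the source is opened read-only (hardware write blocker, or at minimum marking the block device read-only before `dd`), and the hashes are written to the custody form at the time of imaging; analysis is then done on a working copy of the image, never on the original drive.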
Since they mentioned that the employee was suspended, they are indicating that he will no longer be using his machine until the investigation is done. C sounds about right.
The question is not asking for the first step, nor did it give any details into the nature of the misuse. It just asked what the step to preserve evidence is. The only step that guarantees the evidence is preserved and not tampered with is D (one can check for tampering with hashes, even if it is an outdated one).
Even with SHA-1 being old, this is the best answer available. There would be no reason to put a legal hold on the laptop as it is the property of the company and would be returned or confiscated anyway. A legal hold would make more sense if it mentioned they had a BYOD policy and the user was using their own laptop.
C. Place a legal hold on the device and the user’s network share.
CertMaster Topic 8B:
A legal hold, or litigation hold, describes the notification received by an organization's legal team instructing them to preserve electronically stored information (ESI) and/or paper documents that may be relevant to a pending legal case. Legal hold authority can be complicated by jurisdiction, but these details are managed by legal teams. It is imperative that the cybersecurity team be notified of legal holds as soon as possible in order to ensure data is preserved in accordance with the order. Legal hold requirements often exceed the data protection and retention periods ordinarily in place.
NIST recommended SHA-1 should be phased out by Dec. 31, 2030; as far as I know this question doesn't mention taking place in the future.
SHA-1 would be a problem here if there was a hashed password that they were trying to secure. There isn't one, so that's not even the problem being addressed here.
Also, what if the user has a logic bomb that says "if I don't log in to my network share account in X amount of time, just wipe my account." Now, while the law is creeping slowly toward a resolution, that account is being wiped. I argue that one should forensically copy that person's device and their storage on the network share drive and hash it.
I'm gonna argue for D on this one; however, I'm open to the wisdom/counter-arguments of others.
Also...
The question asks for BEST solution not for the FIRST step.
Hear me out.
Sure, SHA-1 was deprecated, but it was done so because of the expected ease of AI having the ability to crack/brute force it, which wouldn't be a problem here as their goal is to ensure that evidence is preserved, which having a hash of the drive that was copied would allow you to know. That drive and hash would be in the possession of the forensic analyst within a forensic environment. There would be no realistic risk of that hash being brute forced.
I'm going with D since C is an administrative process, and not an actual technical process of preserving evidence. The legal hold is simply an order, but it does nothing to preserve the data.
The answer is D because C does not preserve evidence, which is what the question is asking. Sometimes you have to look for those keywords because there will usually be two or more good answers.
Still, I think C is correct, as a legal hold triggers processes that are started to preserve data; see the CompTIA study guide, chapter 10, evidence acquisition and preservation.