Exam 220-1102 topic 1 question 26 discussion

It's B https://www.professormesser.com/free-a-plus-training/220-1102/220-1102-video/privacy-licensing-and-policies-220-1102/

husbulla the goat

I chose this answer because cloning the drives creates copies of the drive which preserves the data, encrypting the files will protect the data but cloning them preserves data in case the data is destroyed.

bit-for-bit copy or a byte-for-byte copy( CLONE) will preserve the evidence.

B. Clone any impacted hard drives

B And as the first responder, you may be responsible for collecting any evidence and ensuring that no evidence is destroyed during this process. It’s very common when collecting this evidence to get a copy of any storage drives. When taking this evidence, we’re not simply copying the files, we’re copying every single bit of information from that storage drive. You’ll sometimes hear this referred to as a bit-for-bit copy or a byte-for-byte copy. That means you’re not only collecting all of the files, you’re also collecting anything else that might be on that storage device. We’ll sometimes perform this drive copy by physically removing the drive from the device. We will then connect it to a hardware write blocker that would prevent anything from changing the data that’s on that storage drive. We can then make a copy of that drive by using a hardware copying device or by using software imaging tools that can create the copy for us Professor ¨GOD¨ Messer

B because you can't tamper with evidence. Cloning is the only option.

Wouldn't the answer be "A"? Since the incident handler would want to "preserve the evidence"?