What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)

What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)
A . Untampered images are used in the security investigation process
B . Tampered images are used in the security investigation process
C . The image is tampered if the stored hash and the computed hash match
D . Tampered images are used in the incident recovery process
E . The image is untampered if the stored hash and the computed hash match

View Answer

Answer: A, E

Explanation:

Untampered images are crucial for security investigations as they provide original evidence that has not been altered or corrupted; their integrity and authenticity can be verified by comparing the stored hash and the computed hash of the image. If they match, the image is untampered and can be used for analysis. Tampered images, on the other hand, are useless for security investigations as they may contain false or misleading information; their integrity and authenticity are compromised by the modification of the image data. Tampered images may be used for incident recovery purposes, such as restoring a system to a previous state, but not for forensic purposes.

Reference: = Cisco Cybersecurity Operations Fundamentals – Module 6: Security Incident Investigations