CompTIA CASP+ Exam: Best Practices for Preserving Digital Evidence

Question

During a security event investigation, a junior analyst fails to create an image of a server's hard drive before removing the drive and sending it to the forensics analyst.

Later, the evidence from the analysis is not usable in the prosecution of the attackers because it cannot be shown that it was not tampered with.

Which of the following should the junior analyst have followed?

Answers

A. Continuity of operations
B. Chain of custody
C. Order of volatility
D. Data recovery

Explanations

C.

https://www.computer-forensics-recruiter.com/order-of-volatility/

The correct answer to the question is B. Chain of custody.

Chain of custody is the set of procedures that preserves the integrity and authenticity of evidence, physical or digital, from the moment it is discovered until the moment it is presented in court. It produces a clear, documented history of the evidence: who collected it, who handled it, when, and in what state. That record is what allows the evidence to be admitted in court, because it shows the evidence has not been contaminated or tampered with along the way.

In this scenario, the junior analyst broke the chain of custody by not creating an image of the server's hard drive before removing it and sending it to the forensics analyst. Without a verified copy of the drive's original state, it could not later be shown that the evidence had not been contaminated or tampered with, which rendered it inadmissible in court.

Continuity of operations (A) is a set of procedures and plans that ensure the continued operation of an organization during and after a disruption or disaster. It is not directly related to the collection and preservation of physical evidence.

Order of volatility (C) refers to the order in which volatile data is collected and preserved in a forensic investigation. It is important to collect volatile data first because it can be lost or altered quickly. However, it is not directly related to the chain of custody.

Data recovery (D) is the process of retrieving data that has been lost due to hardware or software failure, human error, or malicious activity. It is not directly related to the collection and preservation of physical evidence.

In conclusion, the junior analyst should have followed the chain of custody procedures to ensure the integrity and authenticity of the evidence collected.
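To make the imaging step concrete, here is an added example (not part of the exam question or any CompTIA material) of a minimal chain-of-custody log: the image is hashed at acquisition, every later handoff re-hashes it against that baseline, and the chain is only considered intact if no handoff ever disagreed. The image bytes are constructed stand-ins for a real drive image, and the class and function names are my own.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hash the image bytes; the hash taken at acquisition is the reference value."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str        # ISO 8601, supplied by the handler
    handler: str
    action: str
    hash_at_handoff: str
    verified: bool        # True if the hash still matched the acquisition hash


@dataclass
class CustodyLog:
    evidence_id: str
    acquisition_hash: str
    entries: list = field(default_factory=list)

    def record(self, timestamp: str, handler: str, action: str, image: bytes) -> bool:
        """Log a handoff: re-hash the image and compare it to the acquisition hash."""
        current = sha256_hex(image)
        ok = current == self.acquisition_hash
        self.entries.append(CustodyEntry(timestamp, handler, action, current, ok))
        return ok


def acquire(evidence_id: str, image: bytes, timestamp: str, handler: str) -> CustodyLog:
    """The step the junior analyst skipped: image first, record its hash as the baseline."""
    log = CustodyLog(evidence_id, sha256_hex(image))
    log.record(timestamp, handler, "imaged drive before removal", image)
    return log


def chain_intact(log: CustodyLog) -> bool:
    """Admissibility check: every custody entry must have verified against the baseline."""
    return bool(log.entries) and all(e.verified for e in log.entries)


# Constructed sample: a few bytes stand in for a drive image (not a real image).
IMAGE = b"MBR\x00fake-partition-table\x00..."

if __name__ == "__main__":
    log = acquire("SRV-01-HDD", IMAGE, "2024-01-01T10:00:00Z", "junior analyst")
    log.record("2024-01-01T12:00:00Z", "forensics analyst", "received image", IMAGE)
    print("intact:", chain_intact(log))                      # True
    tampered = IMAGE.replace(b"fake", b"edit")               # simulate alteration in transit
    log.record("2024-01-02T09:00:00Z", "forensics analyst", "received image", tampered)
    print("intact after tampering:", chain_intact(log))      # False
```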