When referring to a computer crime investigation, which of the following would be the MOST important step required in order to preserve and maintain a proper chain of custody of evidence:
Correct answer: C
Two concepts that are at the heart of dealing effectively with digital/electronic evidence, or any evidence for that matter, are the chain of custody and authenticity/ integrity.
The chain of custody refers to the who, what, when, where, and how of the evidence's handling, from its identification through its entire life cycle, which ends with destruction or permanent archiving.
Any break in this chain can cast doubt on the integrity of the evidence and on the professionalism of those directly involved in either the investigation or the collection and handling of the evidence.
The chain of custody requires following a formal process that is well documented and forms part of a standard operating procedure that is used in all cases, no exceptions.
The following are incorrect answers:

Evidence has to be collected in accordance with all laws and legal regulations. Evidence has to be collected in accordance with the applicable laws and regulations, but not necessarily with ALL laws and regulations; only the laws and regulations that apply would be followed.

Law enforcement officials should be contacted for advice on how and when to collect critical information. If this is what you need to do, you failed to do your homework: once you have an incident it is a bit late to find out how to handle it. Proper crime investigation, like incident response, is all about being prepared ahead of time. If you need to call law enforcement to find out what to do, you are improvising, and improvising without a well-documented process and clear procedures that must be followed is a great way to contaminate your evidence by mistake.

Log files containing information regarding an intrusion are retained for at least as long as normal business records, and longer in the case of an ongoing investigation. Specific legal requirements exist for log retention, and they are not the same as those for normal business records. Laws and regulations such as Basel, HIPAA, SOX, and others have specific retention requirements.
Reference(s) used for this question:
Hernandez, Steven (ed.), Official (ISC)2 Guide to the CISSP CBK, Third Edition, (ISC)2 Press / Auerbach Publications, 2012, Kindle Edition, Kindle Locations 23465-23470.
Allen, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (pages 282-285).
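The following is an added example, not part of the original explanation or its references: a minimal chain-of-custody log in Python that records who, what, when, where, and how for each hand-off of one evidence item and re-hashes the item at every step. Its verify() method reports the two ways the chain described above can break: the bytes no longer match the acquisition hash (integrity/authenticity), or a hand-off comes from someone who is not the last documented custodian (a gap in the who/when record). The evidence bytes, names, places, and timestamps are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

UTC = timezone.utc


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence bytes, recomputed at every hand-off."""
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Custody log for one evidence item: who, what, when, where, how.

    Every entry stores the hash of the item as it was in that custodian's
    hands, so the log itself shows whether the bytes changed between
    hand-offs (authenticity/integrity) and whether any hand-off went
    undocumented (a break in the chain).
    """

    def __init__(self, evidence_id, description, who, when, where, how, data):
        self.evidence_id = evidence_id
        self.description = description
        self.acquisition_hash = sha256_hex(data)
        self.entries = []
        self._append(who, None, "acquired", when, where, how, data)

    def _append(self, who, received_from, what, when, where, how, data):
        self.entries.append({
            "who": who,
            "from": received_from,   # None for the acquisition entry
            "what": what,
            "when": when,            # timezone-aware datetime
            "where": where,
            "how": how,
            "sha256": sha256_hex(data),
        })

    def transfer(self, from_who, to_who, when, where, how, data):
        """Record a hand-off; `data` is the item as `to_who` received it."""
        self._append(to_who, from_who, "received", when, where, how, data)

    def verify(self):
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        prev = None
        for i, entry in enumerate(self.entries):
            if entry["sha256"] != self.acquisition_hash:
                problems.append(
                    f"entry {i}: hash differs from acquisition hash "
                    f"(item altered or wrong item handed over)")
            if prev is not None:
                if entry["when"] < prev["when"]:
                    problems.append(f"entry {i}: timestamp precedes previous entry")
                if entry["from"] != prev["who"]:
                    problems.append(
                        f"entry {i}: received from {entry['from']!r} but the last "
                        f"documented custodian was {prev['who']!r}")
            prev = entry
        return problems


def example_chain(tampered=False, undocumented_handoff=False):
    """Build a constructed custody log and return what verify() reports.

    tampered: the examiner receives a modified copy of the image.
    undocumented_handoff: the examiner receives the item from someone
    who never appears as a custodian in the log.
    """
    # Constructed sample data standing in for an acquired disk image.
    image = b"constructed sample: contents of the acquired disk image"
    log = ChainOfCustody(
        "EV-2024-001", "laptop disk image",
        who="A. Analyst", when=datetime(2024, 3, 1, 9, 0, tzinfo=UTC),
        where="server room B2", how="dd through a hardware write blocker",
        data=image)
    log.transfer("A. Analyst", "B. Custodian",
                 datetime(2024, 3, 1, 11, 0, tzinfo=UTC),
                 "evidence locker 3", "sealed evidence bag, signed receipt", image)
    received = image + b"\x00" if tampered else image
    handed_over_by = "D. Unknown" if undocumented_handoff else "B. Custodian"
    log.transfer(handed_over_by, "C. Examiner",
                 datetime(2024, 3, 2, 8, 30, tzinfo=UTC),
                 "forensics lab", "courier, sealed bag", received)
    return log.verify()


if __name__ == "__main__":
    print("intact chain:", example_chain() or "no problems")
    print("tampered copy:", example_chain(tampered=True))
    print("undocumented hand-off:", example_chain(undocumented_handoff=True))
```

In practice the log would be signed by each custodian and stored separately from the evidence, and the acquisition hash would be written on the evidence bag and in the acquisition report; the point of re-hashing at every entry is that a mismatch identifies exactly which hand-off the evidence changed in, which is what an opposing party will ask.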
When it comes to a computer crime investigation, preserving and maintaining a proper chain of custody of evidence is critical to ensure that the evidence collected is admissible in a court of law. A proper chain of custody refers to the documented history of the movement of evidence from the point of collection to presentation in a court of law.
Out of the options given, the most important step required to preserve and maintain a proper chain of custody of evidence is to have verifiable documentation indicating the who, what, when, where, and how the evidence was handled. This documentation is critical because it provides a clear record of who handled the evidence, when it was collected, where it was collected, how it was collected, and how it was stored and transferred between different individuals or organizations. This documentation is necessary to ensure the integrity and authenticity of the evidence and to demonstrate that it has not been tampered with or altered in any way.
Although all of the options are important, option C is the most critical as it ensures that the evidence can be traced from the point of collection to the courtroom. Evidence must be collected in accordance with all laws and legal regulations, and law enforcement officials should be contacted for advice on how and when to collect critical information. Log files containing information regarding an intrusion should also be retained for at least as long as normal business records and longer in the case of an ongoing investigation, but this is not as critical as having verifiable documentation of how the evidence was handled.
In summary, the most important step to preserve and maintain a proper chain of custody of evidence in a computer crime investigation is to have verifiable documentation indicating the who, what, when, where, and how the evidence was handled. This documentation ensures the integrity and authenticity of the evidence and demonstrates that it has not been tampered with or altered in any way.