An analyst is responsible for collecting hard drives from compromised systems after a security breach to facilitate a forensic investigation. Which of the following best ensures that the integrity of the evidence is maintained and admissible in court?
Using standardized forms to document who accessed the evidence, the date/time of access, and the purpose of handling, each time the evidence is handled.
Quickly acquiring the evidence before it can be tampered with by unauthorized personnel.
Marking the hard drives with identification tags that include a case number and the date of acquisition.
Ensuring that the evidence is stored in a secure location with restricted access.
Using standardized forms to meticulously document evidence handling, from acquisition through to analysis, maintains the chain of custody. Each interaction with the evidence is recorded (who accessed it, when, where, and why), preserving its admissibility in legal proceedings because it demonstrates a controlled and transparent handling process. Storing evidence in a secure location is important but doesn't maintain the chain of custody on its own. Simply acquiring evidence quickly or marking the hard drives without proper documentation fails to establish a verifiable trail of evidence handling.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the 'chain of custody' in forensic investigations?
Open an interactive chat with Bash
What standardized forms are typically used for documenting evidence handling?
Open an interactive chat with Bash
Why is it important to secure evidence in a location with restricted access?