An organization has discovered suspicious activity suggesting a potential breach of their financial database. As part of the incident response, the analyst must ensure the admissibility of logs as evidence. What is the most appropriate step for the analyst to take immediately after isolating the affected system to ensure that the logs can be used for legal proceedings?
Create a detailed procedure log for the incident response steps taken
Apply secure time-stamping protocols to the logs to prevent future alterations
Generate and document cryptographic hashes of the logs to ensure their integrity
Encrypt the logs with a public key to secure the contents from unauthorized access
The use of hashing to generate cryptographic checksums of the original logs ensures that any modifications to the logs after the fact can be detected, and thus supports the argument for evidence integrity in legal scenarios. Time-stamping logs alone does not provide a mechanism to detect subsequent changes. While encrypting log files provides confidentiality, it does not in itself validate the integrity of the logs from the point of creation. Documenting the incident response process is crucial, but it is not a step that directly relates to the preservation of log integrity for legal proceedings.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are cryptographic hashes and how do they work?
Open an interactive chat with Bash
Why is it important to ensure the integrity of logs in legal proceedings?
Open an interactive chat with Bash
What are the limitations of using time-stamping for logs?