During an internal investigation, the incident-response team enters an unlocked conference room and discovers an abandoned company-issued laptop believed to have been used the previous night to exfiltrate source code. The device is still powered on and connected to the corporate Wi-Fi network. According to recognized digital-forensics practice, which action should the team take FIRST to ensure the laptop can later serve as reliable evidence?
Document and initiate a chain-of-custody record for the laptop
Create a forensic working copy for the investigators
Open the event logs to identify suspicious activity
Establishing and documenting the chronological record of custody is the correct first action when handling potential evidence. This documentation records who had possession of the evidence, when they had it, and what actions were performed with it. An unbroken record is essential for maintaining integrity and ensuring admissibility in legal proceedings.
Creating working copies is important but must wait until the evidence is properly documented and secured.
Performing a malware scan on the original device could alter metadata or remove data, compromising integrity.
Examining system logs directly on the laptop could modify timestamps or overwrite evidence; such analysis should occur on forensically sound images, not the original media.
ISC2 CISSP
Security Operations