A cybersecurity analyst has just seized a laptop believed to have been used in a significant data breach. The organization's legal department has indicated a high probability of future litigation. The analyst needs to transport the device to a forensic lab for analysis. Which of the following actions is most critical for ensuring the evidence is admissible in court?
Initiate and meticulously document the chain of custody, starting from the moment of seizure.
Create a full disk image of the laptop on-site before transportation.
Encrypt the laptop's hard drive to protect the data during transport.
Immediately disconnect the laptop from the network and power it down to prevent further compromise.
The correct action is to initiate and document the chain of custody. A chain of custody is the chronological documentation that records the sequence of custody, control, transfer, analysis, and disposition of evidence. To ensure evidence is admissible in legal proceedings, a complete and unbroken chain of custody must be maintained from the moment of seizure. While creating a disk image is a vital part of forensic preservation, its value can be nullified if the chain of custody for the original device is not established first. Disconnecting the device from the network is a containment step that should have been performed, but it does not ensure legal admissibility after the fact. Encrypting the original evidence is improper as it modifies the data.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are the key steps to maintaining a chain of custody?
Open an interactive chat with Bash
Why is maintaining the integrity of evidence critical during an investigation?
Open an interactive chat with Bash
What tools or methods are commonly used to secure evidence during the chain of custody?