An incident response analyst has collected several hard drives from systems involved in a security breach. To support a potential forensic investigation and legal action, which of the following is the MOST critical activity for ensuring the evidence is admissible in court?
Creating bit-for-bit forensic images of the drives using a hardware write-blocker to prevent alteration of the original evidence.
Maintaining a complete chain-of-custody log that documents every person who handled the evidence, the date/time of access, and the actions performed.
Sealing each hard drive in a uniquely numbered, tamper-evident bag labeled with the case number and collection date.
Transporting the evidence to a secure, access-controlled forensic lab immediately after collection.
Maintaining a complete chain-of-custody log is the most critical activity for ensuring evidence is admissible in court. This log creates an auditable trail documenting every person who handled the evidence, when and why, proving its integrity from collection to presentation. While creating forensic images, using tamper-evident bags, and secure transport are all essential steps in the evidence handling process, the chain-of-custody documentation is what validates and provides the legal foundation for all of those other activities. Without it, the integrity of the evidence, regardless of how well it was physically handled, can be successfully challenged.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is a chain-of-custody log so important for evidence admissibility?
Open an interactive chat with Bash
What additional information should be included in a chain-of-custody log?
Open an interactive chat with Bash
How do tamper-evident bags and secure transport relate to the chain of custody?