During a malware investigation, the incident-response team seizes a file server that may contain crucial evidence. Which of the following actions is REQUIRED to maintain a proper chain of custody for this server?
Attach a detailed network topology diagram to the evidence packaging.
Immediately power on the server to capture volatile memory before imaging.
Record every individual who handles the server, the date and time, and the reason for each transfer.
Encrypt the server's hard drives before removing them to prevent unauthorized access.
A valid chain of custody must establish an auditable trail for the evidence. This includes recording every individual who takes possession of the server, the exact date and time, and the reason for each hand-off. NIST and other forensic guidelines state that without this continuous, documented history, the integrity and authenticity of the evidence can be challenged in court. Encrypting drives, capturing volatile memory, or attaching network diagrams may be useful forensic steps, but they are not mandatory elements of the chain of custody record.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is meant by 'chain of custody' in digital forensics?
Open an interactive chat with Bash
Why is recording every handler in the chain of custody critical?
Open an interactive chat with Bash
How does NIST influence chain of custody practices?