During a malware investigation, the incident-response team seizes a file server that may contain crucial evidence. Which of the following actions is REQUIRED to maintain a proper chain of custody for this server?
Immediately power on the server to capture volatile memory before imaging.
Record every individual who handles the server, the date and time, and the reason for each transfer.
Attach a detailed network topology diagram to the evidence packaging.
Encrypt the server's hard drives before removing them to prevent unauthorized access.
A valid chain of custody must establish an auditable trail for the evidence. This includes recording every individual who takes possession of the server, the exact date and time, and the reason for each hand-off. NIST and other forensic guidelines state that without this continuous, documented history, the integrity and authenticity of the evidence can be challenged in court. Encrypting drives, capturing volatile memory, or attaching network diagrams may be useful forensic steps, but they are not mandatory elements of the chain of custody record.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does 'chain of custody' specifically refer to in digital forensics?
Open an interactive chat with Bash
Why is documentation important in maintaining chain of custody?
Open an interactive chat with Bash
What could happen if the chain of custody is not maintained properly?