During evidence acquisition in an incident-response investigation, which action is MOST critical for preserving the integrity and legal admissibility of the collected evidence?
Encrypting the evidence before it leaves the compromised system.
Compressing and archiving the evidence to reduce storage requirements.
Maintaining a comprehensive chain-of-custody record for every transfer of the evidence.
Re-imaging the affected system immediately after collection to restore operations.
A detailed chain-of-custody log records every person who collects, handles, stores, or transfers the evidence, along with the time, date, and circumstances of each action. This documentation proves that the evidence has not been altered or tampered with, helping ensure it is reliable and admissible in court. Encrypting, compressing, or re-imaging systems may be useful in other phases but do not, by themselves, satisfy legal requirements for evidentiary integrity.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does 'chain of custody' mean in incident response?
Open an interactive chat with Bash
Why is the chain of custody important for legal proceedings?
Open an interactive chat with Bash
What steps are involved in maintaining the chain of custody?