During evidence acquisition in an incident-response investigation, which action is MOST critical for preserving the integrity and legal admissibility of the collected evidence?
Maintaining a comprehensive chain-of-custody record for every transfer of the evidence.
Re-imaging the affected system immediately after collection to restore operations.
Encrypting the evidence before it leaves the compromised system.
Compressing and archiving the evidence to reduce storage requirements.
A detailed chain-of-custody log records every person who collects, handles, stores, or transfers the evidence, along with the time, date, and circumstances of each action. This documentation proves that the evidence has not been altered or tampered with, helping ensure it is reliable and admissible in court. Encrypting, compressing, or re-imaging systems may be useful in other phases but do not, by themselves, satisfy legal requirements for evidentiary integrity.