During the evidence-collection phase of an incident response, which activity focuses on keeping the original digital media in its unchanged state-typically by taking a forensic image, storing the original with a write-blocker, and recording cryptographic hash values so the evidence can later be shown to be identical to the original?
Preservation is the step that protects the integrity and authenticity of electronic evidence. Investigators create a bit-for-bit forensic image, apply write-blockers, calculate hashes, and secure the original media so that the data can be proven identical if it is presented in court. Chain of custody, while essential, is the documentation trail of who has handled the evidence; it does not itself prevent technical alteration. Containment and remediation are response steps aimed at stopping and cleaning up an attack, not at safeguarding evidence.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the importance of cryptographic hashes in evidence preservation?
Open an interactive chat with Bash
What are some best practices for handling digital evidence?
Open an interactive chat with Bash
What is the chain of custody, and why is it important?