During an incident response, a forensics team has retrieved vital data logs that may indicate the nature of a security breach. Which of the following options represents the BEST practice to maintain the integrity of these data logs as legal evidence?
Log the time of retrieval and storage of the data logs without recording which individuals had access to the evidence.
Rely on automated timestamps logged by the system to record when the data logs have been accessed or modified.
Utilize the existing access control systems to ensure only authorized personnel can access the stored data logs without documenting individual access instances.
Document every individual who has handled the evidence, including detailed timestamps and the purpose of each contact, from the moment of retrieval to the final storage of the logs.
Documenting every individual who has handled the evidence along with the date, time, and purpose of the contact is the correct answer because it creates a chronological record of the custody, control, transfer, analysis, and disposition of the evidence. This level of detail is necessary to demonstrate to a court or other authority that the evidence has been controlled and maintained without alteration or tampering. Simply logging the retrieval and storage does not provide a comprehensive chain of custody. Using timestamps alone does not identify the custodians, and relying on access control systems does not account for the manual transfer or analysis done by personnel.