CompTIA Security Plus Mock Test Q284

Which of the following is a best practice when a mistake is made during a forensics examination?

A. The examiner should verify the tools before, during, and after an examination.
B. The examiner should attempt to hide the mistake during cross-examination.
C. The examiner should document the mistake and workaround the problem.
D. The examiner should disclose the mistake and assess another area of the disc.


Correct Answer: C
Section: Compliance and Operational Security

Explanation:
Every step in an incident response should be documented, including every action taken by end users and the incident-response team.

Incorrect Answers:
A: Verifying the tools may help prevent the occurrence of a mistake during a forensic examination by does not address the actions to be taken should a mistake be made.
B: Hiding the mistake is not advisable as it would compromise the examination and would most likely be detected during the writing of the incident report.
D: Rather than changing area of examination once the mistake has been acknowledged, ways of working around and overcoming the mistake should be taken.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 104