CompTIA Security Plus Mock Test Q298

A compromised workstation utilized in a Distributed Denial of Service (DDoS) attack has been removed from the network and an image of the hard drive has been created. However, the system administrator stated that the system was left unattended for several hours before the image was created. In the event of a court case, which of the following is likely to be an issue with this incident?

A. Eye Witness
B. Data Analysis of the hard drive
C. Chain of custody
D. Expert Witness
Correct Answer: C
Section: Compliance and Operational Security

Explanation:
Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been. The evidence must always be within your custody, or you’re open to dispute about possible evidence tampering.

Incorrect Answers:
A: An eyewitness is clearly not the issue here, since the system was left unattended for several hours and nobody was observing it.
B: Data analysis of the hard drive is not the issue. In a court case the biggest problem would be that the system in question was left unattended for several hours before the image was taken, so the integrity of the evidence can be disputed.
D: An expert witness is not the problem in the event of a court case. The problem is that the chain of custody was broken, as the system administrator's own statement shows.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 448, 454
http://en.wikipedia.org/wiki/Chain_of_custody