CompTIA Security Plus Mock Test Q300

Which of the following is the MOST important step for preserving evidence during forensic procedures?

A. Involve law enforcement
B. Chain of custody
C. Record the time of the incident
D. Report within one hour of discovery


Correct Answer: B
Section: Compliance and Operational Security

Explanation:
Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been. The evidence must always be within your custody, or you're open to dispute about possible evidence tampering. Thus, to preserve evidence during a forensic procedure, the chain of custody is of utmost importance.

Incorrect Answers:
A: Involving law enforcement can only come to fruition if the chain of custody is properly observed.
C: Recording the time of the incident is part of the forensic procedure, but not necessarily part of the preservation of evidence.
D: Reporting an incident an hour after discovery violates the Acting in Order of Volatility measures.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 448