A company executive’s laptop was compromised, leading to a security breach. The laptop was placed into storage by a junior system administrator and was subsequently wiped and re-imaged. When it was determined that the authorities would need to be involved, there was little evidence to present to the investigators. Which of the following procedures could have been implemented to aid the authorities in their investigation?
A. A comparison should have been created from the original system’s file hashes
B. Witness testimony should have been taken by the administrator
C. The company should have established a chain of custody tracking the laptop
D. A system image should have been created and stored