Evidence Handling and Procedures

5 minutes 5 Questions

Evidence Handling and Procedures refer to the proper identification, collection, preservation, and documentation of digital evidence to ensure its admissibility in legal proceedings. This includes understanding and following proper chain of custody protocols to preserve the integrity of the evidenc…

Guide on Evidence Handling and Procedures

Importance: Evidence Handling and Procedures form a critical part of any legal investigation in information security, particularly in situations involving breaches or potential criminal activity. Mishandled evidence can compromise cases and result in legal setbacks.

What it is: Evidence Handling and Procedures refers to the proper approach to collection, documentation, storage, and preservation of evidence in legal investigations tied to information security. This includes accurate recording of its origin, strict adherence to chain of custody protocols, and maintaining its integrity until formally required.

How it works: Evidence is first identified and then collected using forensically sound methods. It is documented meticulously, including its origin, the person collecting it, and any actions taken. The evidence is then stored and preserved securely to maintain its integrity, and a strict chain of custody is maintained to ensure it hasn't been tampered with.

How to answer questions in an exam: Familiarize yourself with core principles of evidence handling, such as the importance of the chain of custody, baseline knowledge of local legislation, and the need for proper documentation. Understand the difference between volatile and non-volatile evidence, and the appropriate methods for collecting and preserving each.

Exam Tips - Answering Questions on Evidence Handling and Procedures: Remember that maintaining the integrity of the evidence is paramount. Any hint of tampering or mishandling will render the evidence useless in a court of law. Be aware that some questions might try to trick you into selecting an answer that involves improper handling or storage techniques. Stick to the principles of strict documentation and adherence to chain of custody.

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

Question 1

An incident responder is performing a forensic investigation on an employee's computer. The employee is suspected of using company resources for illegal activities. What should the responder do to avoid legal issues when handling the potential evidence?

Ask the employee to provide all relevant data Follow the established chain of custody protocol Conduct a covert examination without permission Inform all coworkers of the investigation

Correct Answer: Follow the established chain of custody protocol

Following the established chain of custody protocol ensures the integrity and admissibility of evidence in court, as well as avoiding legal issues. The other actions are either invasive or can lead to legal issues.

Question 2

During a cyber crime investigation, a forensic analyst found several folders that might be relevant to the case. What is the appropriate procedure to ensure data reliability?

Move the folders to an external drive Renew the encryption scheme in the folders Create a cryptographic hash of the folders Share the folder names with colleagues for input

Correct Answer: Create a cryptographic hash of the folders

Creating a cryptographic hash of the folders will ensure the data's integrity and reliability by obtaining a unique identifier that can be compared later to ensure the data has not been altered during the investigation.

Question 3

A forensic analyst has created a backup of the evidence on a suspect's computer system. Which of the following should the analyst do next?

Delete the original evidence on the suspect's computer Examine the evidence directly on the suspect's computer Inform the suspect about the findings Perform the investigation on a copy of the backup

Correct Answer: Perform the investigation on a copy of the backup

The analyst should always perform the investigation on a copy of the backup to preserve the original evidence. Examining the evidence directly on the suspect's computer, deleting the original evidence, or sharing findings publicly can contaminate the evidence and may lead to potential legal issues.

🎓 Unlock Premium Access

CISSP + ALL Certifications

More Evidence Handling and Procedures questions

9 questions (total)