Final answer:
The junior analyst should have followed the chain of custody to ensure the integrity of the hard drive evidence. Failing to do so led to the evidence being unusable in prosecution due to possible tampering concerns.
Step-by-step explanation:
The junior analyst should have followed the principle of chain of custody during the security event investigation. The chain of custody involves a chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic. When evidence handling does not follow a well-documented chain of custody, the integrity of the evidence may come into question, leading to its possible disqualification in legal contexts due to uncertainty around tampering or alteration.
It is crucial to maintain a clear timeline of events when dealing with evidence, from its collection to its analysis. This includes documenting who has access to it and when, ensuring that the evidence remains intact and unchanged, aside from the necessary forensic analysis. Without this, as seen in the case of the server's hard drive, evidence might be deemed unusable.
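The custody record described above can be kept as a tamper-evident log that is checked for gaps before the evidence is relied on. This is an added example, not part of the original answer; the field names, handler names, timestamps and sample image bytes are constructed for illustration.

```python
import hashlib
import json

# Custody events named in the text above.
ACTIONS = ("seizure", "custody", "control", "transfer", "analysis", "disposition")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Hash every field except the stored digest itself.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def add_entry(log, when, handler, action, evidence_sha256, received_from=None):
    if action not in ACTIONS:
        raise ValueError(f"unknown custody action: {action}")
    entry = {"when": when, "handler": handler, "action": action,
             "received_from": received_from, "evidence_sha256": evidence_sha256,
             "prev_hash": log[-1]["entry_hash"] if log else None}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)

def verify_log(log):
    """Return a list of problems; an empty list means custody is unbroken."""
    problems = []
    for i, e in enumerate(log):
        prev = log[i - 1] if i else None
        if e["entry_hash"] != entry_digest(e):
            problems.append(f"entry {i}: record altered after it was written")
        if e["prev_hash"] != (prev["entry_hash"] if prev else None):
            problems.append(f"entry {i}: not linked to the previous record")
        if prev is None:
            continue
        if e["when"] < prev["when"]:  # same-format UTC ISO 8601 strings sort in time order
            problems.append(f"entry {i}: timestamp out of order")
        if prev["handler"] not in (e["handler"], e["received_from"]):
            problems.append(f"entry {i}: custody gap, no handover from {prev['handler']}")
        if e["evidence_sha256"] != prev["evidence_sha256"]:
            problems.append(f"entry {i}: evidence hash changed")
    return problems

def build_sample_log(image=b"constructed sample disk image"):
    # Constructed names and times, for illustration only.
    h, log = sha256_hex(image), []
    add_entry(log, "2024-03-01T09:00:00Z", "analyst_a", "seizure", h)
    add_entry(log, "2024-03-01T10:30:00Z", "evidence_clerk", "transfer", h, "analyst_a")
    add_entry(log, "2024-03-02T08:15:00Z", "examiner_b", "analysis", h, "evidence_clerk")
    return log
```

The linked hashes expose an edit to an earlier record only while the later records are left as they were, so a copy of the latest `entry_hash` should be kept somewhere the log's handlers cannot change.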