What are essential elements of evidence chain of custody during incident response?


Multiple Choice

What are essential elements of evidence chain of custody during incident response?

Explanation:
Maintaining a proper chain of custody is about documenting every step the evidence takes from collection to presentation so its integrity and origin can be trusted. The essential elements include recording who collected the evidence, when it was collected, and where it is stored, along with how access is controlled and how any transfers are handled. You capture each handoff with dates, times, and who is involved, and you use secure, controlled storage with tamper-evident measures and clear access controls so only authorized personnel can reach it. To preserve integrity, you generate and compare hash values or checksums at collection and after every transfer, using trusted tools and audit logs to verify the item hasn't been altered. This combination makes the evidence auditable and defensible, which is crucial for accurate reconstruction of the incident and, if needed, legal admissibility.

Other options don't fit because they omit critical pieces: storage details matter for integrity and traceability, not just a signature; keeping only a receipt doesn't address ongoing custody, transfer records, or integrity verification; and limiting chain of custody to legal holds misses the broader, practical need to document handling and verification throughout an investigation.
