Section 9 PBQs
While investigating a potential cybercrime, a junior digital forensics specialist leaves an important hard drive in a public area overnight. A senior digital forensics specialist finds the hard drive in the morning and says that it is no longer evidence in the case. What made the hard drive unusable in court? (Select two.)
- The forensics team did not maintain the provenance of the hard drive. - The forensics team did not maintain the chain of custody.
You have been asked to draft a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court.
Chain of custody
What is the MOST important element related to evidence in addition to the evidence itself?
Chain of custody document
A CEO asks the tech department to create a console that shows day-to-day incident response and summaries of information drawn from underlying data sources. What can the tech department present to the CEO as a viable option?
Dashboards
In cybersecurity investigations, why is it crucial to ensure the admissibility of digital evidence collected from computer systems?
Due process and the fair application of laws require proper handling of digital evidence.
A lawyer is preparing a subpoena for an upcoming cybercrime case and is consulting with a digital forensics specialist. The lawyer explains the need for the ability to parse through data quickly and provide a copy of everything found to the opposing counsel. Which utility can accomplish these requests?
E-discovery
Your company is about to begin litigation, and you need to gather information. You need to get emails, memos, invoices, and other electronic documents from employees. You'd also like to get printed, physical copies of documents. Which tool would you use to gather this information?
Legal hold
As a digital forensic analyst, you have completed an investigation and are now tasked with creating a report summarizing your findings. Which of the following principles should guide your report writing?
The evidence must not be changed or manipulated unless necessary. If it is changed or manipulated, the reasons why and process used must be recorded.
You are a digital forensic analyst working on a high-profile case. You have been given access to a variety of data sources, including dashboards, log data, and host operating system logs. You need to determine the most effective way to gather evidence for your investigation. Which of the following approaches would be the MOST effective?
Utilize all the data sources (dashboards, log data, and host operating system logs) to gather a comprehensive set of evidence.
When conducting a cybersecurity investigation, how does recording the evidence acquisition process on video help to ensure the collected evidence's integrity?
Video recording proves the evidence originated directly from the crime scene.