PrepAway - Latest Free Exam Questions & Answers

Which of the following forensic procedures is involved?

The security manager received a report that an employee was involved in illegal activity and has saved
data to a workstation’s hard drive. During the investigation, local law enforcement’s criminal division
confiscates the hard drive as evidence. Which of the following forensic procedures is involved?

A. Chain of custody

B. System image

C. Take hashes

D. Order of volatility

Explanation:
Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When
you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who
has seen it, and where it has been.
Incorrect Answers:
B: A system image is a snapshot of what exists. Capturing an image of the operating system in its
exploited state can be helpful in revisiting the issue after the fact to learn more about it. In this case the
evidence has been confiscated, which means that chain of custody is the procedure that applies to what
was done.
C: Taking hashes is part of collecting data so that the situation can be illustrated if the need arises. In this
case the evidence has been confiscated and the chain of custody becomes the important issue.
D: Acting in order of volatility is of importance when dealing with multiple issues: you should address
them in order of volatility (OOV), always dealing with the most volatile first. In this case there is only one
incident and one piece of evidence that has been confiscated, which means that the chain of custody
must be observed.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 448, 453, 454
