Which of the following would be MOST appropriate for collecting and preserving evidence?

A.
Encrypted hard drives

B.
Generic audit software

C.
Proven forensic processes

D.
Log correlation software

Explanation:

When collecting evidence about a security incident, it is very important to follow appropriate
forensic procedures to handle electronic evidence by a method approved by local jurisdictions. All
other options will help when collecting or preserving data about the incident; however these data
might not be accepted as evidence in a court of law if they are not collected by a method approved
by local jurisdictions.