PrepAway - Latest Free Exam Questions & Answers

What critical step in forensic evidence have you forgotten?

You work in a police department forensics lab where you examine computers for evidence of crimes. Your work is vital to the success of the prosecution of criminals.
One day you receive a laptop and are part of a two-man team responsible for examining it together. However, it is lunch time, and after receiving the laptop you leave it on your desk and you both head out to lunch.
What critical step in forensic evidence have you forgotten?

A. Chain of custody

B. Locking the laptop in your desk

C. Making a disk image for examination

D. Cracking the admin password with chntpw

Explanation:
By leaving the laptop, which contains unique data, unguarded, you cannot guarantee that the data on it remains untampered. This breaks the chain of custody.
When evidence is seized, it is important to maintain a proper chain of custody so that any data collected can later be properly and accurately represented if it needs to be used for later events such as criminal proceedings or a successful prosecution.
Incorrect Answers:
B: Locking the laptop in your desk would not protect the data on it from being changed.
C: It is a good idea to make a disk image of the laptop, but the critical step here is to ensure that the laptop is preserved. By leaving it unattended, the chain of custody is broken.
D: Cracking the admin password is not vital for the forensic investigation.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 248

