When referring to a computer crime investigation, which of the following would be the MOST important step
required in order to preserve and maintain a proper chain of custody of evidence:

A.
Evidence has to be collected in accordance with all laws and all legal regulations.

B.
Law enforcement officials should be contacted for advice on how and when to collect critical information.

C.
Verifiable documentation indicating the who, what, when, where, and how the evidence was handled should
be available.

D.
Log files containing information regarding an intrusion are retained for at least as long as normal business
records, and longer in the case of an ongoing investigation.

Explanation:
A chain of custody is a history that shows how evidence was collected, analyzed, transported, and preserved in
order to be presented in court. Because electronic evidence can be easily modified, a clearly defined chain of
custody demonstrates that the evidence is trustworthy.
Incorrect Answers:
A: The legal aspect is not the most important factor to chain of custody. A history of how the evidence was
handled is more important.
B: When evidence is collected contact and advice from law enforcement officials. A history of how the evidence
was handled is more important.
D: Specifics of how to handle log files are not the most critical factor to establish a chain of custody. . A history
of how the evidence was handled is more important.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1050