PrepAway - Latest Free Exam Questions & Answers

Which of the following dictates that all evidence be labeled with information indicating who secured and validated it?

A. Chain of custody
B. Due care
C. Investigation
D. Motive, Opportunity, and Means

Explanation:

A: A crucial piece in the digital forensics process is keeping a proper chain of custody of the evidence. Because evidence from these types of crimes can be very volatile and easily dismissed from court due to improper handling, it is important to follow very strict and organized procedures when collecting and tagging evidence in every single case. Furthermore, the chain of custody should follow evidence through its entire life cycle, beginning with identification and ending with its destruction, permanent archiving, or return to owner. When copies of data need to be made, this process must meet certain standards to ensure quality and reliability. Specialized software for this purpose can be used. The copies must be able to be independently verified and must be tamperproof. Each piece of evidence should be marked in some way with the date, time, initials of the collector, and a case number if one has been assigned. The piece of evidence should then be sealed in a container, which should be marked with the same information. The container should be sealed with evidence tape, and if possible, the writing should be on the tape so that a broken seal can be detected.

B is incorrect because due care means to carry out activities that a reasonable person would be expected to carry out in the same situation. In short, due care means that a company practiced common sense and prudent management, and acted responsibly. If a company does not practice due care in its efforts to protect itself from computer crime, it can be found negligent and legally liable for damages. A chain of custody, on the other hand, is a history that shows how evidence was collected, analyzed, transported, and preserved in order to be presented in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy.

C is incorrect because investigation involves the proper collection of relevant data during the incident response process and includes analysis, interpretation, reaction, and recovery. The goals of this stage are to reduce the impact of the incident, identify the cause of the incident, resume operations as soon as possible, and apply what was learned to prevent the incident from recurring. It is also at this stage where it is determined whether a forensics investigation will take place. The chain of custody dictates how this material should be properly collected and protected during its life cycle of being evidence.

D is incorrect because Motive, Opportunity, and Means is a strategy used to understand why a crime was carried out and by whom. This is the same strategy used to determine the suspects in a traditional, noncomputer crime. Motive is the “who” and “why” of a crime. Understanding the motive for a crime is an important piece in figuring out who would engage in such an activity. For example, many hackers attack big-name sites because when the sites go down, it is splashed all over the news. However, once these activities are no longer so highly publicized, the individuals will eventually stop initiating these types of attacks because their motive will have been diminished. Opportunity is the “where” and “when” of a crime. Opportunities usually arise when certain vulnerabilities or weaknesses are present. If a company does not have a firewall, hackers and attackers have all types of opportunities within that network. Once a crime fighter finds out why a person would want to commit a crime (motive), she will look at what could allow the criminal to be successful (opportunity). Means pertains to the capabilities a criminal would need to be successful. Suppose a crime fighter was asked to investigate a complex embezzlement that took place within a financial institution. If the suspects were three people who knew how to use a mouse, a keyboard, and a word processing application, but only one of them was a programmer and system analyst, the crime fighter would realize that this person may have the means to commit this crime much more successfully than the other two individuals.
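
The labeling and copy-verification requirements in the explanation of answer A can be illustrated with a small custody log. This is an added example, not part of the original page: the SHA-256 hash chain, the field names, and the case, item, and initials values are all assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_entry(log, case_no, item, action, initials, timestamp, evidence):
    """Append a custody record labeled with who, when, case, and evidence hash."""
    entry = {
        "case": case_no, "item": item, "action": action,
        "by": initials, "time": timestamp,
        "evidence_sha256": sha256_hex(evidence),
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    # The entry hash covers every field above, including the link to the
    # previous entry, so editing or reordering records becomes detectable.
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_log(log, evidence):
    """Return a list of problems; an empty list means nothing was detected."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
            problems.append(f"entry {i}: record altered after it was written")
        if e["evidence_sha256"] != log[0]["evidence_sha256"]:
            problems.append(f"entry {i}: evidence hash differs from acquisition")
        prev = e["entry_hash"]
    if log and sha256_hex(evidence) != log[0]["evidence_sha256"]:
        problems.append("current evidence does not match acquisition hash")
    return problems


if __name__ == "__main__":
    image = b"constructed sample bytes standing in for a disk image"
    log = []
    add_entry(log, "CASE-0001", "ITEM-01", "collected", "JD", "2024-01-01T10:00:00Z", image)
    add_entry(log, "CASE-0001", "ITEM-01", "received by lab", "AK", "2024-01-01T14:30:00Z", image)
    print(verify_log(log, image))            # intact chain, matching copy
    log[0]["by"] = "XX"                      # simulate an edited label
    print(verify_log(log, image))
```

A hash chain makes edits detectable rather than impossible: anyone able to rewrite the entire log can recompute it, so the latest entry hash still has to be recorded somewhere outside the log.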

One Comment

  1. joe says:

    Custody: Chain of custody – the chain of custody should follow evidence through its entire life cycle, beginning with identification and ending with its destruction, permanent archiving, or return to owner.