PrepAway - Latest Free Exam Questions & Answers

The system administrator records the system time of all servers to ensure that:

A system administrator is responding to a legal order to turn over all logs from all company servers. The
system administrator records the system time of all servers to ensure that:


A. HDD hashes are accurate.
B. the NTP server works properly.
C. chain of custody is preserved.
D. time offset can be calculated.

Explanation:
It is quite common for workstation times to be off slightly from actual time, and that can happen with
servers as well. Since a forensic investigation is usually dependent on a step-by-step account of what has
happened, being able to follow events in the correct time sequence is critical. Because of this, it is
imperative to record the time offset on each affected machine during the investigation. One method of
assisting with this is to add an entry to a log file and note the time that this was done and the time
associated with it on the system.
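
An added example, not taken from the study guide or the original page, of what the recorded offsets are used for: each server's log timestamps are corrected by its offset before events are merged into one timeline. The server names, clock readings and log lines are constructed for illustration.

```python
from datetime import datetime

# Constructed readings taken at collection time, per server:
# (trusted reference time, what the server's own clock showed at that moment).
CLOCK_READINGS = {
    "web01": ("2024-03-05T14:00:00+00:00", "2024-03-05T14:02:10+00:00"),  # fast
    "db01": ("2024-03-05T14:00:30+00:00", "2024-03-05T13:59:45+00:00"),  # slow
}

# Constructed log lines: (server, timestamp as written in the log, message).
LOG_LINES = [
    ("web01", "2024-03-05T13:31:05+00:00", "POST /login accepted for user admin"),
    ("db01", "2024-03-05T13:29:40+00:00", "query: export of table customers"),
    ("web01", "2024-03-05T13:32:30+00:00", "GET /admin/export requested"),
]


def clock_offsets(readings):
    """Offset per server = server clock minus reference clock."""
    return {
        server: datetime.fromisoformat(shown) - datetime.fromisoformat(reference)
        for server, (reference, shown) in readings.items()
    }


def build_timeline(log_lines, offsets):
    """Sort events by corrected time; the logged time is kept unaltered."""
    events = []
    for server, logged, message in log_lines:
        if server not in offsets:
            # Without a recorded offset the event cannot be placed reliably.
            raise KeyError(f"no recorded clock offset for {server}")
        logged_at = datetime.fromisoformat(logged)
        events.append((logged_at - offsets[server], server, logged_at, message))
    return sorted(events)


if __name__ == "__main__":
    offsets = clock_offsets(CLOCK_READINGS)
    for corrected, server, logged_at, message in build_timeline(LOG_LINES, offsets):
        print(f"{corrected.isoformat()}  {server:6} (logged {logged_at.time()})  {message}")
```

Sorted by the raw logged timestamps, the database export appears to precede the login; with the offsets applied, the login comes first and the export follows it.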
Incorrect Answers:
A: Recording the system time of all the servers is not how one checks whether hashes are accurate.
B: Recording the system time of all the servers is not the way to check whether a server works properly.
C: Chain of custody deals with how evidence is secured, where it is stored, and who has access to it.
When you begin to collect evidence, you must keep track of that evidence at all times and show who has
it, who has seen it, and where it has been. The evidence must always be within your custody, or you’re
open to dispute about possible evidence tampering. In this case the logs from all the company servers
have to be turned over, which means this is not a chain of custody issue.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 453, 448

