PrepAway - Latest Free Exam Questions & Answers

Which of the following does this illustrate?

Computer evidence at a crime scene is documented with a tag stating who had possession of the
evidence at a given time.
Which of the following does this illustrate?

A. System image capture

B. Record time offset

C. Order of volatility

D. Chain of custody

Explanation:
Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When
you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who
has seen it, and where it has been.

Incorrect Answers:
A: A system image is a snapshot of what exists. Capturing an image of the operating system in its
exploited state can be helpful in revisiting the issue after the fact to learn more about it.
B: Record Time Offset – It is quite common for workstation times to be off slightly from actual time, and
that can happen with servers as well. Since a forensic investigation is usually dependent on a step-by-step
account of what has happened, being able to follow events in the correct time sequence is critical.
Because of this, it is imperative to record the time offset on each affected machine during the
investigation.
C: Order of volatility is important when dealing with multiple issues. You should address them in order
of volatility (OOV); always deal with the most volatile first.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 448, 453
http://en.wikipedia.org/wiki/Chain_of_custody

