A compromised workstation utilized in a Distributed Denial of Service (DDoS) attack has been removed from
the network and an image of the hard drive has been created. However, the system administrator stated that
the system was left unattended for several hours before the image was created. In the event of a court case,
which of the following is likely to be an issue with this incident?
Data Analysis of the hard drive
Chain of custody
Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you
begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen
it, and where it has been. The evidence must always be within your custody, or you’re open to dispute about
possible evidence tampering.