PrepAway - Latest Free Exam Questions & Answers

Which of the following is likely to be an issue with this incident?

A compromised workstation utilized in a Distributed Denial of Service (DDoS) attack has been removed
from the network and an image of the hard drive has been created. However, the system administrator
stated that the system was left unattended for several hours before the image was created. In the event
of a court case, which of the following is likely to be an issue with this incident?

A. Eye Witness

B. Data Analysis of the hard drive

C. Chain of custody

D. Expert Witness

Explanation:
Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When
you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who
has seen it, and where it has been. The evidence must always be within your custody, or you’re open to
dispute about possible evidence tampering.
Incorrect Answers:
A: An eye witness is clearly not the issue here since it is mentioned that the system was left unattended
for several hours.
B: Data analysis of the hard drive is not the issue, since in a court case the biggest problem would be
that the system in question was left unattended for several hours before the image was taken.
D: An expert witness is not the issue in the event of a court case; the problem is that the chain of
custody was broken, as mentioned by the system administrator.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 448, 454
http://en.wikipedia.org/wiki/Chain_of_custody
