What is the recommended handling of the original evidence after creating copies and hashes?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $9.99Unlock all

Prepare for the Digital Forensics, Investigation, and Response Test. Study with multiple choice questions that include hints and explanations. Enhance your understanding of digital forensics principles and get ready for your exam!

Multiple Choice

What is the recommended handling of the original evidence after creating copies and hashes?

Explanation:
Preserving evidence integrity and maintaining a solid chain of custody require that the original media remain unchanged after imaging and hashing. Once you’ve created verified copies and computed hash values, those hashes prove the copies are exact reproductions of the original, so any modification to the original could invalidate the evidence and undermine admissibility. Therefore, the original should be left untouched and stored securely—in a controlled environment with tamper-evident seals, strict access controls, and proper logging. Keeping the original connected to a live system risks ongoing changes and potential tampering. Using the original for further testing in the field risks altering data. Erasing it would destroy the evidence entirely. In short, the best practice is to leave the original untouched and store it securely.

Preserving evidence integrity and maintaining a solid chain of custody require that the original media remain unchanged after imaging and hashing. Once you’ve created verified copies and computed hash values, those hashes prove the copies are exact reproductions of the original, so any modification to the original could invalidate the evidence and undermine admissibility. Therefore, the original should be left untouched and stored securely—in a controlled environment with tamper-evident seals, strict access controls, and proper logging.

Keeping the original connected to a live system risks ongoing changes and potential tampering. Using the original for further testing in the field risks altering data. Erasing it would destroy the evidence entirely. In short, the best practice is to leave the original untouched and store it securely.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy