220-801 Question #263: Real Exam Question with Answer & Explanation
The correct answer is C: Document the customer and technician's names, what was received, and the time.
Question
Options
- A. Record what the user experienced, the times they experienced it and the effects of the breach
- B. Image the drive and create a drive hash to prove the contents were not changed in transit
- C. Document the customer and technician's names, what was received, and the time
- D. Remove the hard drives as they will be installed into a PC on a "Safe LAN" in the corporate office
Explanation
When receiving potential evidence, the technician must immediately establish chain of custody by documenting the names of all parties involved, a description of what was received, and the exact date and time of receipt. This legal documentation proves who had control of the evidence at every step and is foundational to any forensic investigation. Option A (recording user experience) is the user's responsibility before handoff, not the technician's first action. Option B (imaging the drive) is an investigative step performed at the forensic lab, not in the field during pickup. Option D (removing drives) risks damaging evidence and breaks proper handling procedures.