CompTIA

CAS-003 Question #283: Real Exam Question with Answer & Explanation

The correct answer is B: Identification, Preservation, Collection, Examination, Analysis, Presentation.

Question

Company XYZ has experienced a breach and has requested an internal investigation be conducted by the IT Department. Which of the following represents the correct order of the investigation process?

Options

  • A. Collection, Identification, Preservation, Examination, Analysis, Presentation.
  • B. Identification, Preservation, Collection, Examination, Analysis, Presentation.
  • C. Collection, Preservation, Examination, Identification, Analysis, Presentation.
  • D. Identification, Examination, Preservation, Collection, Analysis, Presentation.

Explanation

B (Identification → Preservation → Collection → Examination → Analysis → Presentation) is the correct digital forensics process order. Identification comes first - you must identify what potential evidence exists before touching it. Preservation comes before collection - you must secure and protect evidence (e.g., write-block drives, isolate systems) before collecting it to ensure it is not altered or destroyed. Collection then acquires the evidence. Examination and Analysis follow to find and interpret relevant artifacts. Presentation is the final step where findings are reported. The key distinction that eliminates the other options is that preservation must occur before collection - collecting evidence without first preserving it risks contaminating or destroying it, making it inadmissible or unreliable.
