nerdexam
ExamsCAS-003Questions#412
CompTIA

CAS-003 · Question #412

CAS-003 Question #412: Real Exam Question with Answer & Explanation

The correct answer is A: Follow chain of custody best practices. Digital forensics evidence admissibility requires maintaining an unbroken chain of custody and performing all analysis on a verified forensic image rather than the original media to prevent tampering claims.

Question

During a criminal investigation, the prosecutor submitted the original hard drive from the suspect's computer as evidence. The defense objected during the trial proceedings, and the evidence was rejected. Which of the following practices should the prosecutor's forensics team have used to ensure the suspect's data would be admissible as evidence? (Select TWO.)

Options

  • AFollow chain of custody best practices
  • BCreate an identical image of the original hard drive, store the original securely, and then perform
  • CUse forensics software on the original hard drive and present generated reports as evidence
  • DCreate a tape backup of the original hard drive and present the backup as evidence
  • ECreate an exact image of the original hard drive for forensics purposes, and then place the

Explanation

Digital forensics evidence admissibility requires maintaining an unbroken chain of custody and performing all analysis on a verified forensic image rather than the original media to prevent tampering claims.

Common mistakes.

  • C. Running forensics software directly on the original hard drive risks altering file system metadata, access timestamps, or slack space, which can invalidate the evidence and provides grounds for a defense to argue the data was modified.
  • D. A tape backup does not create a sector-by-sector identical image, may skip system areas and unallocated space, and lacks cryptographic hash verification needed to prove the copy is forensically identical to the original.
  • E. Creating a forensic image alone is necessary but insufficient without also maintaining chain of custody documentation - both practices together are required for evidence to be admissible in court.

Concept tested. Digital forensics evidence preservation and chain of custody

Reference. https://csrc.nist.gov/publications/detail/sp/800-86/final

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full CAS-003 Practice