
CERTIFIED-IN-CYBERSECURITY · Question #304

CERTIFIED-IN-CYBERSECURITY Question #304: Real Exam Question with Answer & Explanation

The correct answer is B: To collect evidence and maintain its chain of custody for potential legal proceedings.

Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts

Question

What is the primary purpose of a forensic investigation during the analysis phase of an incident response?

Options

  • A. To update the risk registry and minimize the impact of an incident
  • B. To collect evidence and maintain its chain of custody for potential legal proceedings
  • C. To identify the attacker and their motivation
  • D. To document lessons learned and develop an incident response plan

Explanation

The primary purpose of a forensic investigation during the analysis phase of an incident response is to collect and preserve evidence for potential legal proceedings. This involves careful data collection and handling to ensure that the evidence remains admissible in court (ISC2 Study Guide, Module 1, under Incident Response Team).

For example, if an organization's network is breached, the incident response team would conduct a forensic investigation to gather evidence of the breach. This evidence could include logs showing unauthorized access, files left by the attacker, and any changes made to the system. The team would carefully document the collection process and maintain a chain of custody for the evidence to ensure that it is securely stored and only accessed by authorized individuals.

The remaining options are wrong for different reasons. First, identifying the attacker and his motivation is an important part of the incident response process, but it is not the primary purpose of a forensic investigation. Second, documenting lessons learned and developing an incident response plan are typically part of the post-incident review, not the forensic investigation. Finally, updating the risk registry and minimizing the impact of an incident is also an important part of the overall incident response process, but again, it is not the primary purpose of a forensic

Topics

#Incident Response #Digital Forensics #Evidence Collection #Chain of Custody
