
GCFA Question #21: Real Exam Question with Answer & Explanation

The correct answer is A: Preserve the email server including all logs. In digital forensics, preserving the original email server and its logs is the most critical first step for maintaining chain of custody, as it protects the integrity and completeness of all primary evidence.

Question

Your company suspects an employee of sending unauthorized emails to competitors. These emails are alleged to contain confidential company data. Which of the following is the most important step for you to take in preserving the chain of custody?

Options

  • A. Preserve the email server including all logs.
  • B. Make copies of that employee's email.
  • C. Seize the employee's PC.
  • D. Place spyware on the employee's PC to confirm these activities.

Explanation

In digital forensics, preserving the original email server and its logs is the most critical first step for maintaining chain of custody, as it protects the integrity and completeness of all primary evidence.

Common mistakes.

  • B. Copying only the employee's mailbox is insufficient because it omits server-side logs, metadata, and messages that may have been locally deleted but still reside on the server.
  • C. Seizing the employee's PC alone would miss server-side email artifacts and logs that are essential to proving the activity occurred.
  • D. Installing spyware without proper legal authorization is itself illegal and would contaminate the chain of custody, likely rendering all gathered evidence inadmissible in court.

Concept tested. Digital forensics chain of custody for email evidence

Reference. https://www.nist.gov/publications/guide-integrating-forensic-techniques-incident-response
