GIAC

GCIH Question #693: Real Exam Question with Answer & Explanation

The correct answer is C: Date and time the evidence was initially collected.

Incident Response & Cyber Kill Chain

Question

What information is commonly found in both the header and the possession log of a Chain of Custody?

Options

  • A. Date and time the evidence was requested by the court
  • B. Date and time the evidence was checked into evidence locker
  • C. Date and time the evidence was initially collected
  • D. Date and time the evidence is classified as reliable

Explanation

A Chain of Custody (CoC) document has two main sections: a header (containing identifying metadata about the evidence item) and a possession log (a chronological record of every person who handled the evidence). The date and time of initial collection is the one data point that anchors the entire document - it must appear in the header as part of the evidence description and again as the first entry in the possession log. The court request date (A) and evidence-locker check-in time (B) are possession-log events that do not appear in the header. 'Classified as reliable' (D) is not a standard Chain of Custody field at all.

Topics

#chain of custody #digital forensics #evidence handling #incident documentation
