SY0-501 Question #558: Real Exam Question with Answer & Explanation
The correct answer is B: preserve the data. When forensic evidence is captured, documented, and securely stored, the primary objective is to preserve the integrity and original state of the data for future analysis.
Question
A security analyst captures forensic evidence from a potentially compromised system for further investigation. The evidence is documented and securely stored to FIRST:
Options
- A. maintain the chain of custody.
- B. preserve the data.
- C. obtain a legal hold.
- D. recover data at a later time.
Explanation
When forensic evidence is captured, documented, and securely stored, the primary objective is to preserve the integrity and original state of the data for future analysis.
Common mistakes.
- A. Maintaining the chain of custody is a crucial subsequent process that tracks access to the evidence, but it relies on the data first being properly preserved in its original state.
- C. Obtaining a legal hold is a legal directive to retain relevant information, which is distinct from the immediate technical action of securely storing physical evidence for preservation.
- D. Recovering data implies restoring lost or inaccessible information, whereas forensic evidence is captured and preserved for analysis, not necessarily for restoration from a lost state.
Concept tested. Forensic evidence preservation principles
Reference. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf#page=12