As a member of the incident response team, you are given a procedures document that identifies the steps you must complete during a forensic investigation.
After which event should you complete the evidence collection step?
A. The incident is identified only.
B. The evidence is preserved only.
C. The incident is identified and the evidence has been preserved.
D. The incident is identified, the evidence is preserved and the evidence is analyzed.
The correct answer is C.
You should complete the evidence collection step after the incident is identified and the evidence is preserved.
The proper steps in a forensic investigation are as follows:
- Identification – This step can include event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring and audit analysis.
- Preservation – This step can include imaging technologies, chain of custody standards and time synchronization.
- Collection – This step can include approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction and recovery techniques.
- Examination – This step can include traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery and hidden data extraction.
- Analysis – This step can include traceability, statistical analysis, protocol analysis, data mining and timeline determination.
- Presentation – This step can include documentation, expert testimony, clarification, mission impact statement, recommended countermeasures and statistical interpretation.
- Decision – This step can include management reports, court decisions and internal decisions.
CISSP Certification Prep Course