CompTIA Network+ Question B-72

A network technician was tasked to respond to a compromised workstation. The technician documented the scene, took the machine offline, and left the PC under a cubicle overnight. Which of the following steps of incident handling has been incorrectly performed?

A. Document the scene
B. Forensics report
C. Evidence collection
D. Chain of custody

Correct Answer: D

Explanation:
To verify the integrity of data since a security incident occurred, you need to be able to show a chain of custody.
A chain of custody documents who has been in possession of the data (evidence) since a security breach occurred. A well-prepared organization will have processes and procedures that are used when an incident occurs.
A plan should include first responders securing the area and then escalating to senior management and authorities when required by policy or law. The chain of custody also includes documentation of the scene, collection of evidence, maintenance, e-discovery (which is the electronic aspect of identifying, collecting, and producing electronically stored information), transportation of data, forensics reporting, and a process to preserve all forms of evidence and data when litigation is expected. The preservation of the evidence, data, and details is referred to as legal hold.

CompTIA A+ Question K-42

A user has been reported for storing prohibited material on a company-owned PC. The accused user is notified and an investigation is launched. However, no evidence is found and it is believed that the user was able to delete all relevant evidence. Which of the following would prevent this from happening in the future?

A. Change documentation
B. Chain of Custody
C. Automatic notifications for complaints
D. Data preservation

Correct Answer: D

CompTIA A+ Question K-9

A technician, Peter, has been told that one of the workers at his company has been using a company laptop for illicit activity. The IT manager assigned Peter the task of retrieving the laptop and bringing it back to the repair center. Which of the following has Peter performed?

A. Maintain chain of custody
B. Gathering evidence
C. Device preservation
D. Use of documentation

Correct Answer: B

CompTIA A+ Question J-19

After identifying illegal activity on a small business computer, a business owner asks the office secretary to log into the system to retrieve various files. Which of the following aspects of procedural forensic analysis were violated in this scenario?

A. Data preservation
B. Proper channel reporting
C. Initial response identification
D. Tracking of documentation

Correct Answer: A

CompTIA A+ Question F-63

After a system was hacked by an outsider, a technician is dispatched to the system. The technician records the location of the system on a log and then signs the system over to a tier-two technician. The tier-two technician analyzes the system and then signs it over to the case manager. Which of the following is this an example of?

A. Evidence preservation
B. Process documentation
C. Due process
D. Chain of custody

Correct Answer: D

Explanation:
http://en.wikipedia.org/wiki/Chain_of_custody

CompTIA A+ Question D-95

Which of the following is the MOST important aspect of the chain of custody?

A. Reporting
B. Preservation
C. Observation
D. Documentation

Correct Answer: D

CompTIA A+ Question B-81

Chain of custody needs to be kept intact for which of the following reasons?

A. To ensure data preservation during evidence inspection
B. To ensure that the evidence is not left at the scene
C. To ensure evidence is admissible in legal proceedings
D. To ensure evidence is returned to proper owner