CompTIA CASP+ (CAS-003) — Question 78
During a security event investigation, a junior analyst fails to create an image of a server's hard drive before removing the drive and sending it to the forensics analyst. Later, the evidence from the analysis is not usable in the prosecution of the attackers due to the uncertainty of tampering. Which of the following should the junior analyst have followed?
Answer options
- A. Continuity of operations
- B. Chain of custody
- C. Order of volatility
- D. Data recovery
Correct answer: C
Explanation
The correct answer is 'C. Order of volatility' because it emphasizes the importance of preserving volatile data before it is lost or altered. The junior analyst failed to capture the server's data in a timely manner, which jeopardized the integrity of the evidence. While 'B. Chain of custody' also pertains to evidence handling, the primary issue here was the order in which data was preserved, not the tracking of the evidence after collection.