CompTIA CySA+ (CS0-003) — Question 165

Which of the following is a reason proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?

Answer options

• A. To ensure the report is legally acceptable in case it needs to be presented in court
• B. To present a lessons-learned analysis for the incident response team
• C. To ensure the evidence can be used in a postmortem analysis
• D. To prevent the possible loss of a data source for further root cause analysis

Correct answer: A

Explanation

The correct answer is A because legal admissibility is critical if the findings of the incident response need to be used in court proceedings. Options B, C, and D are relevant to the incident response process but do not directly address the necessity of maintaining evidence for legal purposes.