CompTIA CySA+ (CS0-003) — Question 396
An incident responder is investigating a possible server data exfiltration incident with the intent to prosecute if necessary. The responder:
• Captures live memory and an image of the drives.
• Is given a copy of the firewall logs.
• Pulls the drives from the server.
Which of the following would most likely create an issue?
Answer options
- A. Lack of network capture
- B. Chain of custody failure
- C. Corrupt drives
- D. Encrypted files
Correct answer: B
Explanation
The correct answer is B. Because the responder intends to prosecute, the memory capture, drive images, pulled drives, and the copy of the firewall logs must all be documented from the moment they are collected through every handoff; any gap in that chain of custody lets the defense challenge the evidence and can make it inadmissible. While lack of network capture (A), corrupt drives (C), and encrypted files (D) may pose challenges to the investigation, they do not directly compromise the integrity of the evidence in the same way as a chain of custody failure.