CompTIA Security+ (SY0-501) — Question 142

A forensic expert is given a hard drive from a crime scene and is asked to perform an investigation. Which of the following is the FIRST step the forensic expert needs to take the chain of custody?

Answer options

• A. Make a forensic copy
• B. Create a hash of the hard drive
• C. Recover the hard drive data
• D. Update the evidence log

Correct answer: D

Explanation

The first step in maintaining the chain of custody is to update the evidence log, which documents the handling of the evidence. Making a forensic copy, creating a hash, and recovering data are important steps, but they come after ensuring that the evidence is properly logged and accounted for.