GIAC Certified Forensic Analyst (GCFA) — Question 29

You company suspects an employee of sending unauthorized emails to competitors. These emails are alleged to contain confidential company data. Which of the following is the most important step for you to take in preserving the chain of custody?

Answer options

• A. Preserve the email server including all logs.
• B. Make copies of that employee's email.
• C. Seize the employee's PC.
• D. Place spyware on the employee's PC to confirm these activities.

Correct answer: A

Explanation

Preserving the email server and all logs is crucial as it maintains the original evidence and ensures that any alterations cannot occur, thus keeping the chain of custody intact. Making copies of the employee's email or seizing the PC could compromise the integrity of the data or evidence. Placing spyware on the employee's PC could introduce new evidence that may not be admissible in court and can lead to further legal complications.