Certified Information Systems Auditor (CISA) — Question 1323
Which of the following is the BEST approach to help ensure evidence from a computer forensics investigation is legally admissible?
Answer options
- A. The incident response team reviews and analyzes the evidence, and the evidence file is then securely deleted to avoid further damage.
- B. The relevant data is extracted from system, firewall, and intrusion detection system (IDS) logs, then consolidated as evidence.
- C. The media involved is preserved using imaging, and further analysis is performed on the image instead of the original.
- D. The computer suspected of storing the evidence is isolated, and the incident response team is contacted for investigation.
Correct answer: C
Explanation
Option C is correct because preserving the original media and analyzing a forensic image instead ensure that the integrity of the evidence is maintained, which is crucial for legal admissibility. Options A and B do not emphasize the preservation of the original evidence, and option D, while important, does not describe a method of ensuring the evidence's admissibility.