Certified Information Systems Auditor (CISA) — Question 6

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

Answer options

• A. Restricting evidence access to professionally certified forensic investigators
• B. Engaging an independent third party to perform the forensic investigation
• C. Performing investigative procedures on the original hard drives rather than images of the hard drives
• D. Documenting evidence handling by personnel throughout the forensic investigation

Correct answer: D

Explanation

The correct answer, D, highlights the importance of documenting evidence handling, which helps establish a chain of custody necessary for admissibility in court. Options A and B, while relevant, do not directly address the critical aspect of chain of custody documentation. Option C is incorrect because working on original drives can compromise the integrity of the evidence.