Certified Information Systems Auditor (CISA) — Question 889
An IS auditor finds a computer that is suspected to have been involved in a cyber crime. Which of the following activities is MOST critical to ensure data collected is admissible in a court of law?
Answer options
- A. Notify law enforcement upon detection.
- B. Track possession of the computer.
- C. Collect audit logs from the affected computer.
- D. Power off the computer to ensure data is not changed.
Correct answer: B
Explanation
Tracking possession of the computer establishes a clear chain of custody, which is essential for the data to be considered admissible in court. Notifying law enforcement, collecting audit logs, and powering off the computer are important, but they do not address the legal requirements for evidence handling as directly as tracking possession does.