Certified Information Systems Auditor (CISA) — Question 907
Which of the following will invalidate the authenticity of digital evidence in a forensic investigation?
Answer options
- A. The investigator installed forensic software on the original drive that contained the evidence.
- B. The evidence was collected from analysis of a copy of the disk data.
- C. A software write blocker was used in the collection of the evidence.
- D. The investigator collected the evidence while the machine was still powered on.
Correct answer: A
Explanation
Installing forensic software on the original drive alters the data on it and so compromises the authenticity of the evidence, which is why option A is correct. Collecting evidence from a copy (option B) and using a write blocker (option C) are standard practices that preserve integrity. Collecting evidence while the machine is powered on (option D) is risky, but it does not by itself invalidate the evidence the way modifying the original drive does.