Certified Information Security Manager (CISM) — Question 722

Which of the following is MOST important when conducting a forensic investigation?

Answer options

• A. Capturing full system images
• B. Documenting analysis steps
• C. Maintaining a chain of custody
• D. Analyzing system memory

Correct answer: C

Explanation

Maintaining a chain of custody is essential in a forensic investigation as it ensures that the evidence collected is admissible in court and has not been tampered with. While capturing full system images, documenting analysis steps, and analyzing system memory are important aspects of the investigation, they do not hold the same legal significance as establishing and preserving the chain of custody.