Certified Information Systems Security Professional (CISSP) — Question 265

Which of the following activities should a forensic examiner perform FIRST when determining the priority of digital evidence collection at a crime scene?

Answer options

• A. Gather physical evidence.
• B. Assign responsibilities to personnel on the scene.
• C. Establish a list of files to examine.
• D. Establish order of volatility.

Correct answer: D

Explanation

The correct answer is D because establishing the order of volatility helps the examiner prioritize which digital evidence to collect first, ensuring that the most transient data is preserved. Options A, B, and C are important but do not directly address the critical need to prioritize evidence based on its volatility.