The question states that a trial Judge determined evidence gathered from a hard drive was not admissible. It is obvious that this is a legal matter. All of the remaining answers are of a technical nature, So consequently the only issue that a Judge can rule on is a Chain of custody issue. So, ladies and gentlemen, I rest my case (quickly bangs a gavel upon the desk)
I agree with you enginee, because they don't ask anything special about transportation... so in this case I would go with option A. Because if no checksum was performed, he cannot prove that it was not altered or tampered with.
The question did not mention transport or time zones. It only mentioned that the HDD was not admissible. Why would we assume a scenario that wasn't described?
If you read through the forensics chapter in Darril Gibson's Sec+ guide (ebook p. 779), option B will make sense to you.
Chain of custody is one of the important parts of forensics, because someone has to take responsibility for protecting the evidence. Your evidence also always has to show exact dates. And in this question, the evidence needed to be transported to multiple geographical locations before it got to the judge. So if there's a mismanagement of dates and times, it won't be legally admissible in court, because two rules have been violated.
A file timestamp is metadata that contains information about a file and reflects when the file was created, last accessed, and last modified. In digital forensics, timestamps can be used, for example, to validate the integrity of an access log file (i.e. to check whether the file has been tampered with to mask an unauthorized access attempt). Because different systems might be set to different time zones, in order to determine the chronological order of events during a security incident it is also important to take into account the time offset, which denotes the difference between the timestamp and a chosen reference time (a.k.a. time normalization).
In a court of law, they are always determined to ensure that proper procedures for collecting evidence go by the book, or else it would be inadmissible.
"The hard drive is not admissible." So the judge ruled that the hard drive was not collected properly according to law. Which one of these answers would imply that?
Answer: B
Even if a checksum was performed to verify the integrity of the disk image, if the chain of custody (CoC) was not properly documented or maintained, it could raise doubts about the reliability and authenticity of the evidence. Admissibility in court often relies on demonstrating that proper procedures were followed to preserve and handle the evidence, including maintaining a clear chain of custody. If there are gaps or inconsistencies in documenting how the evidence was collected, stored, and handled, it could undermine its admissibility, regardless of the integrity verification through checksums.
The CoC is the first thing a judge will look at. An image hash could be 100% perfect, but they need to have evidence that it's the same drive (and not a doctored one or someone else's drive). No CoC, no evidence.
In the context of legal proceedings, the chain of custody is crucial. If the chain of custody is incomplete or incorrect, it can lead to questions about the handling of the evidence, potentially rendering it inadmissible in court. This is because any mishandling can lead to tampering or contamination of the evidence, which compromises its integrity and reliability.
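The two threads above (time normalization of handoff timestamps, and a checksum that matches but cannot by itself tie the image to the seized drive) can be made concrete with a small chain-of-custody log checker. This is an added example, not code from the original thread or from any exam guide; the disk image, custodian names, timestamps and hashes are constructed sample data, and the log format (one ISO 8601 timestamp with a UTC offset, a custodian name and the image's SHA-256 per handoff) is an assumption for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: a few bytes stand in for the acquired disk image.
DISK_IMAGE = b"constructed sample image bytes, not a real forensic image"


@dataclass
class Handoff:
    """One row of a chain-of-custody form (assumed format for this example)."""
    custodian: str
    local_time: str      # ISO 8601 as written on the form, e.g. 2023-03-01T09:00:00-05:00
    image_sha256: str    # hash the custodian recorded on receipt


def sha256_hex(data: bytes) -> str:
    """Checksum of the image; the integrity part of the question."""
    return hashlib.sha256(data).hexdigest()


def normalize_to_utc(stamp: str) -> datetime:
    """Parse a timestamp carrying a UTC offset and convert it to UTC.

    A stamp with no offset is rejected: without the offset, handoffs made
    in different regions cannot be placed in chronological order.
    """
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        raise ValueError(f"no UTC offset recorded on {stamp!r}")
    return dt.astimezone(timezone.utc)


def validate_chain(entries, image: bytes) -> list:
    """Return a list of problems found in the chain-of-custody log.

    Checks every recorded hash against the image actually presented, and
    checks that handoffs are in order once normalized to UTC. An empty
    list means no gap was found; it does not prove the drive is the right
    one, which is what the form's documentation is for.
    """
    problems = []
    expected = sha256_hex(image)
    prev_utc = None
    for i, e in enumerate(entries):
        if e.image_sha256 != expected:
            problems.append(f"entry {i} ({e.custodian}): hash mismatch")
        try:
            utc = normalize_to_utc(e.local_time)
        except ValueError as exc:
            problems.append(f"entry {i} ({e.custodian}): {exc}")
            continue
        if prev_utc is not None and utc < prev_utc:
            problems.append(
                f"entry {i} ({e.custodian}): received at {utc.isoformat()} UTC, "
                f"before the previous handoff at {prev_utc.isoformat()} UTC"
            )
        prev_utc = utc
    return problems


IMAGE_HASH = sha256_hex(DISK_IMAGE)

# Constructed log: imaged in New York, couriered via London, examined in Berlin.
GOOD_CHAIN = [
    Handoff("examiner NYC", "2023-03-01T09:00:00-05:00", IMAGE_HASH),   # 14:00 UTC
    Handoff("courier LHR", "2023-03-01T16:30:00+00:00", IMAGE_HASH),    # 16:30 UTC
    Handoff("lab BER", "2023-03-02T10:15:00+01:00", IMAGE_HASH),        # 09:15 UTC next day
]

# Constructed log with two defects: the London receipt is earlier than the
# New York creation once offsets are applied (13:30 UTC < 14:00 UTC), and the
# lab recorded the hash of a different image than the one presented.
BAD_CHAIN = [
    Handoff("examiner NYC", "2023-03-01T09:00:00-05:00", IMAGE_HASH),
    Handoff("courier LHR", "2023-03-01T13:30:00+00:00", IMAGE_HASH),
    Handoff("lab BER", "2023-03-02T10:15:00+01:00", sha256_hex(b"altered image")),
]

# Constructed log where the courier wrote a local time with no offset at all.
NO_OFFSET_CHAIN = [
    Handoff("examiner NYC", "2023-03-01T09:00:00-05:00", IMAGE_HASH),
    Handoff("courier LHR", "2023-03-01T13:30:00", IMAGE_HASH),
]

if __name__ == "__main__":
    for name, chain in [("good", GOOD_CHAIN), ("bad", BAD_CHAIN), ("no offset", NO_OFFSET_CHAIN)]:
        print(name, validate_chain(chain, DISK_IMAGE) or "no problems found")
```

Note that on the bad log the local times alone (09:00 then 13:30) look perfectly in order; only the recorded offsets expose that the courier's receipt predates the image's creation.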
This one really has my head in a spin
"A. The forensic investigator forgot to run a checksum on the disk image after creation"
After creation of what?
The answer has to be A, surely? Checksums prove integrity. What am I missing here? Bad headache after this.
You can have a 100% perfect integrity, but that could be for ANY hard drive (someone else's, a doctored version, etc). The CoC is the most important thing to look at - if it's no good, doesn't matter what evidence is there, it must be thrown out.
I so badly want "A" to be the answer, but how would the judge know the data was checked or tampered with? The only thing the judge can prove is things that are documented, which is the dates and times of the transport of evidence.
RAM image: When a computer is turned off, volatile data stored in RAM (Random Access Memory) is lost. Taking a RAM image alongside the hard drive image is crucial for capturing the complete state of the computer at the time of seizure, including any potentially incriminating data stored in RAM.
I thought B but then I will go with A. If the investigator forgot to run a checksum after creation, then how can the hard drive be admissible if there's no way to guarantee the integrity?
If the chain of custody form has the date/time but not the date/time offsets between transportation regions, as it specifically mentioned, then I believe the integrity of the HDD is more important.
The time/date offset is to ensure the difference between local time and UTC of each person who handles the data. If the answer said just date and time then it could be either / both answers. In this case it is both, but it says 'BEST' so I would go with A.
You can guarantee the integrity of a hard drive all day long, but the CoC will let you know that you have the right HDD in the first place (not someone else's drive). In fact, all evidence with bad CoCs is not admissible in court (you have to definitively show that the drive presented as evidence is the actual drive utilized in the commission of the crime).
If the Judge determined that evidence gathered from a hard drive was not admissible, the most likely reason would be related to the handling, preservation, or authenticity of the hard drive data. Given the options provided, the closest explanation would be B. The chain of custody form did not note time zone offsets between transportation regions.
Proper documentation of the chain of custody is crucial in legal proceedings to maintain the integrity of the evidence. If there are discrepancies in the documentation, such as not noting time zone offsets, it can raise concerns about the integrity and handling of the evidence, potentially leading to its inadmissibility in court.
I guess most of us are speculating here as we have no experience with legal matters
I think @Boubou480 explains it really well
Again, IMO it doesn't really matter who had the drive; it could have been lost and then found again. If the hash matches, the integrity is intact and the evidence is good.
Even if the chain of custody is 100% documented but the hash has changed, the evidence will be inadmissible
Other way around. A perfectly matching hash does not mean that the drive in question is the correct one (it could be someone else's drive or it could be a plant). CoC would be the first thing a judge would look at. Any evidence presented, no matter how perfect, is rejected if the CoC is not in line.
SY0-601 Exam Questions
Community vote distribution: A (35%), C (25%), B (20%), other