Exam CS0-002 topic 1 question 51 discussion

Evidence Retention If the incident involved a security breach and the incident response process gathered evidence to prove an illegal act or a violation of policy, the evidence must be stored securely until it is presented in court or is used to confront the violating employee. Computer investigations require different procedures than regular investigations because the time frame for the computer investigator is compressed, and an expert might be required to assist in the investigation. Also, computer information is intangible and often requires extra care to ensure that the data is retained in its original format. Finally, the evidence in a computer crime is difficult to gather.

C: Makes sense given the context. "Evidence Retention" is in the exam objectives in the context of incident response.

Evidence retention would be the most appropriate justification for the security analyst to request avoiding data sanitization

C. This is basically the same as putting data on Legal Hold.

Evidence Retention = Legal Hold

most likely C

The option should be "Legal Hold" not Evidence retention..

I am leaning towards D. How do we know that the evidence came from the laptop which resulted in fraudulent activity. The evidence could have come from a DLP, Firewall, proxy server...IMHO it is D.

Evidence retention

Evidence retention is the process of keeping any evidence of an incident for the entire duration of the legal process

I would have to go with D because I dont think ive ever heard the term "evidence retention" being used in any courses. What do you guys think?