Exam SY0-601 topic 1 question 277 discussion

Actual exam question from CompTIA's SY0-601
Question #: 277
Topic #: 1

A systems analyst is responsible for generating a new digital forensics chain-of-custody form. Which of the following should the analyst include in this documentation? (Choose two.)

  • A. The order of volatility
  • B. A CRC32 checksum
  • C. The provenance of the artifacts
  • D. The vendor’s name
  • E. The date and time
  • F. A warning banner
Suggested Answer: CE

Comments

ronniehaang
Highly Voted 2 years, 3 months ago
Selected Answer: CE
A systems analyst should include the following information in the new digital forensics chain-of-custody form:
  • E. The date and time
  • C. The provenance of the artifacts
Explanation: A digital forensics chain-of-custody form is a document that provides a clear and complete record of the sequence of events that occurs from the time a digital artifact is collected until it is analyzed and used as evidence. The form should include the date and time when the artifact was collected, so that the exact time it was obtained can be determined. Additionally, the form should include information about the provenance of the artifact, such as its origin and any steps that have been taken to maintain its integrity. The order of volatility, a CRC32 checksum, the vendor’s name, and a warning banner are not essential components of a digital forensics chain-of-custody form.
upvoted 20 times
...
kstevens11
Highly Voted 2 years, 6 months ago
Selected Answer: CE
I would go with E for sure, as date and time is crucial. Then, option C for provenance of the data -- NIST defines provenance as "The chronology of the origin, development, ownership, location, and changes to a system or system component and associated data". Source -- https://csrc.nist.gov/glossary/term/provenance#:~:text=Definition(s)%3A,%2C%20component%2C%20or%20associated%20data.
upvoted 7 times
...
Petercx
Most Recent 1 year, 5 months ago
Selected Answer: CE
The correct answers are C and E. A digital forensics chain-of-custody form is a document that records the details of the evidence handling process, such as who collected, analyzed, or transferred the evidence, when and where it was done, and how it was preserved. The provenance of the artifacts refers to the origin and history of the evidence, such as where it was found, what device it belongs to, and what type of data it contains. The date and time are important to establish a timeline of events and show the chronological order of the evidence handling. These two elements help to ensure the integrity, authenticity, and admissibility of the evidence in a court of law.
upvoted 1 times
...
Teleco0997
1 year, 6 months ago
Selected Answer: CE
crystal clear
upvoted 1 times
...
Soleandheel
1 year, 6 months ago
A,E are the correct answers. A. The order of volatility: This refers to the principle of collecting and preserving digital evidence in the order of its volatility, starting with the most volatile and moving to the less volatile. It is crucial to document when each piece of evidence was collected to ensure that the order of volatility is maintained. E. The date and time: Documenting the date and time of evidence collection is essential for establishing a timeline of events and maintaining the integrity of the chain of custody. It helps track when evidence was collected and by whom. The other answers are additional information that may be useful but are not typically included in the chain-of-custody form.
upvoted 1 times
...
ApplebeesWaiter1122
1 year, 10 months ago
Selected Answer: CE
C. The provenance of the artifacts: This refers to the origin or source of the artifacts being collected. It includes information such as where the artifacts were found, who collected them, and any relevant details about their acquisition. Provenance helps establish the authenticity and reliability of the evidence. E. The date and time: It is crucial to document the date and time when the artifacts were collected or transferred. This information is essential for establishing the chronological order of events and maintaining an accurate timeline during the forensic investigation.
upvoted 4 times
...
ramesh2022
2 years, 3 months ago
Selected Answer: CE
C. The provenance of the artifacts and E. The date and time should be included in the digital forensics chain-of-custody form. The provenance of the artifacts describes where the artifacts came from, such as the source, collection method, and any associated evidence numbers. Additionally, the date and time of the collection should also be included, as this helps to ensure that the artifacts are securely stored and recorded properly.
upvoted 2 times
...
carpathia
2 years, 6 months ago
Again on the CRC32 checksum, it can't be an answer, read the table on CRC and hash: https://www.researchgate.net/publication/279174845_Im_Proving_Chain_of_Custody_and_Digital_Evidence_Integrity_with_Time_Stamp
upvoted 1 times
...
carpathia
2 years, 6 months ago
CRC32 checksum is not a hash. I am still not sure. What a form should contain:
  • What is the evidence? For example, digital information includes the filename and MD5 hash, and hardware information includes serial number, asset ID, hostname, photos, description.
  • How did you get it? For example, bagged, tagged or pulled from the desktop.
  • When was it collected? Date, time.
  • Who has handled it?
  • Why did that person handle it?
  • Where was it stored? This includes the information about the physical location in which proof is stored or information of the storage used to store the forensic image.
  • How did you transport it? For example, in a sealed static-free bag, or in a secure storage container.
  • How was it tracked?
  • How was it stored? For example, in a secure storage container.
  • Who has access to the evidence? This involves developing a check-in/check-out process.
upvoted 1 times
...
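The form fields discussed in this thread (what the evidence is, its provenance, date and time, and each hand-off) can be kept as a tamper-evident record. The sketch below is an added example, not part of any comment; all field names, handler names and sample bytes are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    # SHA-256 rather than CRC32: a CRC detects accidental errors, not deliberate changes.
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def new_form(evidence, description, source, collected_by, when):
    """What the evidence is, where it came from (provenance), and when it was collected."""
    return {"description": description, "sha256": sha256_hex(evidence),
            "provenance": {"source": source, "collected_by": collected_by},
            "collected_at": when.isoformat(), "transfers": []}

def add_transfer(form, released_by, received_by, reason, location, when):
    """Append a hand-off; each entry commits to the previous one via its hash."""
    log = form["transfers"]
    entry = {"released_by": released_by, "received_by": received_by,
             "reason": reason, "location": location, "at": when.isoformat(),
             "prev": log[-1]["entry_hash"] if log else form["sha256"]}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)

def verify(form, evidence):
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    if sha256_hex(evidence) != form["sha256"]:
        problems.append("evidence digest mismatch")
    prev, last = form["sha256"], datetime.fromisoformat(form["collected_at"])
    for i, e in enumerate(form["transfers"]):
        if e["prev"] != prev or e["entry_hash"] != entry_digest(e):
            problems.append(f"transfer {i}: log entry altered")
        at = datetime.fromisoformat(e["at"])
        if at < last:
            problems.append(f"transfer {i}: timestamp out of order")
        prev, last = e["entry_hash"], at
    return problems

if __name__ == "__main__":
    image = b"constructed sample bytes standing in for a disk image"
    form = new_form(image, "laptop SSD image", "asset LAB-0001 (constructed)",
                    "analyst_a", datetime(2024, 1, 5, 9, 30, tzinfo=timezone.utc))
    add_transfer(form, "analyst_a", "evidence_custodian", "storage",
                 "locker 3", datetime(2024, 1, 5, 11, 0, tzinfo=timezone.utc))
    print(verify(form, image))              # intact record
    print(verify(form, image + b"\x00"))    # evidence changed after collection
```

The chain only exposes edits to earlier entries if the most recent `entry_hash` is also recorded somewhere the editor cannot reach, such as a signed or countersigned copy of the form.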
BluEric
2 years, 6 months ago
Selected Answer: BE
Integrity and Time Stamps - BE work for me here.
upvoted 1 times
...
carpathia
2 years, 6 months ago
Selected Answer: CE
I would go with CE. Who collected the evidence (if that is what is meant by provenance) and time has to be recorded. Digest/Hash has to be recorded, but CRC is not a hash as it is reversible. God help us...
upvoted 4 times
Sandon
2 years, 3 months ago
This is the one
upvoted 1 times
...
...
kausalya2022
2 years, 6 months ago
Selected Answer: BE
Checksum for integrity
upvoted 1 times
...
Sir_Learnalot
2 years, 6 months ago
Selected Answer: CE
CE would be my preferred option too. "A" is important for the forensic analyst gathering the data, but not for the chain of custody.
upvoted 2 times
...
comeragh
2 years, 6 months ago
Selected Answer: AE
Going for A&E here. This was from old bank of questions.
upvoted 5 times
...
ksave
2 years, 6 months ago
Selected Answer: CE
Order of Volatility is for collecting the most volatile evidence first for data acquisition. It should not be in the chain of custody form.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other