To prove that evidence has not been altered since it entered the lab, which action should you take?

Multiple Choice

Explanation:
Verifying that evidence has not been altered relies on creating a cryptographic fingerprint of the data when it enters the lab and then rechecking that fingerprint later. By computing an MD5 hash of the evidence at intake and recording that value securely, you establish a reference that uniquely represents the exact data you received. Later, recomputing the MD5 hash on the evidence and comparing it to the original hash shows whether any change occurred; if even a small modification happened, the hashes will differ, signaling tampering or alteration. This provides objective, verifiable proof of integrity and supports the chain of custody.

Signing a statement or trusting lab certification doesn’t provide the same concrete, technical verification of the evidence’s unchanged state. Relying on a standard database from NIST isn’t applicable for confirming the exact piece of evidence—hashes must be compared against the original fingerprint created at intake. (Note: in practice, stronger hash functions like SHA-256 are often preferred for long-term integrity, but for this context, hash comparison is the method used.)
