To verify the integrity of evidence during processing, which practice is recommended?


Multiple Choice

To verify the integrity of evidence during processing, which practice is recommended?

Explanation:

Maintaining evidence integrity during processing hinges on being able to prove the data hasn’t changed. Computing a cryptographic hash of the evidence before you start examining it and then again after you’re finished creates a tamper-evident check. The hash acts as a fingerprint of the entire data: if any bit of the data is altered, the hash value will change. By comparing the pre-processing hash to the post-processing hash, you can confirm that the evidence remains identical, which supports admissibility, repeatability, and a solid chain of custody.

Encrypting the evidence with a password only hides its contents and doesn’t reveal or confirm whether the data has been modified. Uploading to cloud storage might be convenient, but without hash verification, you have no reliable way to detect alterations or ensure integrity during transfer and storage. Deleting the original after creating a copy destroys a point of comparison and undermines the ability to verify authenticity later.

So, the best practice is to compute a cryptographic hash before and after examination to verify that the evidence remains unchanged throughout processing.
