What step verifies that digital evidence has not been altered since collection?

Multiple Choice

Explanation:
Ensuring that digital evidence hasn’t changed since collection is done by verifying its integrity with a cryptographic hash and comparing it to the original value. A hash function takes the exact bit pattern of the evidence and produces a fixed-size digest. Because even a tiny modification to the data would produce a completely different digest, computing the hash again later and matching it against the original hash confirms nothing was altered.

At the time of collection you generate and securely record the hash of the evidence. Later, you recompute the hash from the preserved copy (or from the original, if it’s still available) and compare. If the digests match, you have strong evidence that the data remained unchanged; if they differ, something was altered or corrupted.

The other options don’t provide the same assurance. Re-imaging creates a copy but doesn’t verify that the original material stayed intact. Signing a statement documents the process but doesn’t prove data integrity. Deleting destroys evidence and is contrary to forensic practice. So computing a cryptographic hash and comparing it to the original is the correct practice.
