Certified Incident Handler (CIH) Practice Exam


Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



Which action should be avoided when dealing with electronically stored information during evidence collection?

  1. Preserving the original file's integrity

  2. Modifying the contents of a file

  3. Using write-blockers during transfer

  4. Documenting file access time

The correct answer is: Modifying the contents of a file

Modifying the contents of a file should be avoided during evidence collection because it compromises the integrity of the evidence. In digital forensics, the ability to present unaltered, original data is crucial. If the contents of a file are changed in any way, the authenticity of that data can be questioned, potentially rendering it inadmissible in legal proceedings. This principle underpins the entire process of digital evidence handling, where it is imperative to show that the evidence has not been tampered with and truly reflects the state in which it was found.

On the other hand, preserving the original file's integrity, using write-blockers during transfer, and documenting file access time are all best practices that ensure the evidence remains intact and reliable for analysis and presentation in court. These practices are essential to maintain a clear chain of custody and uphold the standards of admissible evidence.