30. An IS auditor is reviewing the process performed for the protection of digital evidence. Which of the following findings should be of MOST concern to the IS auditor?

A. The owner of the system was not present at the time of the evidence retrieval.
B. The system was powered off by an investigator.
C. There are no documented logs of the transportation of evidence.
D. The contents of the random access memory (RAM) were not backed up.

C is the correct answer.

Justification:

A. The owner of the system may be present at the time of evidence retrieval, but this is not absolutely necessary. In some cases, the owner could be the subject of the investigation.

B. In most cases, it is required that the investigator power off the machine to create a forensic image of the hard drive, so this is not an issue. Prior to powering off the machine, the investigator would normally photograph what is on the screen of the computer and identify what documents are open and any other information that may be relevant. It is important that the investigator power off the machine rather than performing a shutdown procedure. Many operating systems perform a cleanup of temporary files during shutdown, which potentially would destroy valuable evidence.

C. It is very important that evidence be handled properly through a documented chain of custody and never modified improperly in a physical or, more important, logical manner. The goal of this process is to be able to testify truthfully in court that the technical investigator did not modify the data in any improper manner. If the investigator does not have sufficient documentation of the handling of manual or digital evidence, the defense will try to prevent the admission of evidence based on the fact that it may have been tampered with or modified. Note that legal requirements for digital evidence preservation could vary from country to country, so local laws should be taken into consideration.

D. Depending on the type of system being accessed, it may not be possible to capture an image of the contents of random access memory (RAM).

31. Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application?