CISSP Exam - Question 166


When performing an investigation with the potential for legal action, what should be the analyst's FIRST consideration?

Correct Answer: C

When starting an investigation that might lead to legal action, the analyst's first consideration should be ensuring they have the proper authorization to collect the evidence in the first place. Without proper authorization, any evidence collected could be deemed inadmissible in court, rendering the investigation potentially useless. Ensuring authorization respects legal procedures and safeguards the investigation's integrity from the outset.

Discussion

17 comments
projtfer (Option: B)
Oct 8, 2022

The given answer is correct, because the question states "When performing an investigation" - it means the investigation process has already been started, implying that you have been authorized to collect any pertinent info, therefore CoC is the right answer!

klarak
Apr 19, 2024

Agree.

franbarpro (Option: B)
Oct 21, 2022

When performing an investigation = B. Chain-of-custody

jackdryan
May 13, 2023

B is correct

jon1991 (Option: C)
Sep 20, 2022

I think the answer should be C. If you are considering legal proceedings, you would need search warrants to start.

GregP
Oct 4, 2022

Not to search your own systems though?

brb77 (Option: D)
Sep 22, 2022

It's D; to be admissible, evidence must be material, relevant and competent (obtained legally).

Jamati (Option: D)
Nov 9, 2022

B and C both fall under court admissibility.

Rollizo (Option: C)
Oct 1, 2022

It is C: you first need authorisation to collect; if you don't have it, all the subsequent steps are invalid.

Ivanchun (Option: B)
Dec 26, 2022

I think it is B; chain-of-custody includes the whole process.

williom (Option: C)
Oct 3, 2023

The question of "Authorization to collect" (Option C) versus "Chain-of-custody" (Option B) is a nuanced one. Both are critically important in a legal investigation. However, the sequence in which they matter is the distinction. Before an analyst can even worry about maintaining a proper chain-of-custody, they first need to ensure they have the proper legal and/or organizational authority to collect the evidence in the first place. Collecting evidence without proper authorization can render the evidence inadmissible in court or potentially lead to legal consequences for the analyst or their organization. Once the evidence is legally and properly collected, the chain-of-custody becomes paramount. It ensures that the evidence has been handled, stored, and transferred in a way that maintains its integrity and authenticity. In essence, without proper authorization to collect, the chain-of-custody is moot because the evidence shouldn't have been collected in the first place. That's why "Authorization to collect" is the FIRST consideration in the context of the question.

Firedragon (Option: C)
Nov 16, 2022

C. The first step of the Investigation Process is Gathering Evidence, which includes: first, voluntary surrender; second, a subpoena; third, the plain view doctrine; fourth, a search warrant (OSG P919).

oudmaster (Option: C)
Dec 26, 2022

The question says First Consideration. Then, I will keep option D for a later stage, because I can later decide what is admissible and what is not. Both options B and C make sense to me, but C seems like it should be considered first. What if you maintain the chain-of-custody, but the evidence collected was illegal?

DMOD
May 13, 2023

C comes before an investigation starts. In this scenario the investigation was already started, so the authorization was granted. There is no dedicated need for "data collection" within the investigation process.

DMOD
May 13, 2023

dedicated need for "data collection" authorization

HughJassole (Option: B)
Jun 25, 2023

B. Chain-of-custody. Without it, the evidence is probably not admissible in court. "Authorization to collect" has nothing to do with collecting evidence, it's about picking up documents.

74gjd_37 (Option: B)
Sep 23, 2023

The importance of chain-of-custody in investigations is defined in various legal and regulatory frameworks. For example, in the United States, the Federal Rules of Evidence and the Daubert standard require that evidence presented in court be relevant, reliable, and obtained through proper procedures. The chain-of-custody is critical in establishing the reliability and authenticity of evidence. Additionally, the International Organization for Standardization (ISO) provides guidelines for the management of digital evidence, including the importance of maintaining the chain-of-custody. Finally, in the context of the CISSP certification, the importance of chain-of-custody is discussed in the Information Security Governance and Risk Management domain.

mikelartetawabon (Option: D)
Nov 30, 2023

Court Admissibility. That should be the first. If you

mikelartetawabon (Option: D)
Nov 30, 2023

Whatever investigation or evidence you collect, the first thing is to ensure it's admissible in court. Court admissibility encompasses Chain-of-Custody and Authorization to collect. It's basic. I will choose D. Whatever you do, ensure court admissibility first.

[Removed] (Option: B)
Dec 3, 2023

I think it's B. The existence of opinions stating D is likely due to the investigation and documentation of the possibility of legal measures. If legal measures are not taken, D seems meaningless, and what are the criteria for acceptability in the courtroom in the first place?

homeysl (Option: D)
Mar 17, 2024

Court admissibility. If you don't have that, you'll lose your case.

CCNPWILL (Option: B)
Apr 21, 2024

B is correct.