Exam CISA topic 1 question 1301 discussion

This is D. Literally for almost any exam ever if you see something about a forensic investigation you can immediately look for chain of custody as an answer and 9/10 that is the right choice. It has been explained below why it is correct but just for a heads up taking any other exam if it says forensic investigation look for chain of custody

It should be D. In forensic investigations, maintaining a chain of custody is more comprehensive because it covers the entire lifecycle of the evidence and ensures its integrity throughout the investigation process. While hash comparison is a part of this process, chain of custody provides the broader context needed for data integrity and legal admissibility.

Hash comparison is a common technique for verifying data integrity. By calculating hash values ​​of files in storage that hold data captured during a forensic investigation and comparing those hash values, it is possible to verify whether the data has been altered. On the other hand, maintaining a chain of custody is important to ensure the continuity and reliability of evidence, but it is not a method to directly verify data integrity. A chain of custody is used to properly manage the handling of evidence and prevent tampering or unintentional changes, but it is not a means of verifying changes to the content of specific data. Therefore, comparing the hashes of data files in storage is the most effective way to verify the integrity of data captured after a security incident.

Hashing creates a unique digital fingerprint of data, which can be used to verify that the data has not been altered. By comparing the hash values of the data files at different stages (e.g., when they were first captured and later during analysis), investigators can confirm that the data remains unchanged, ensuring its integrity. This method is widely recognized and used in forensic investigations to maintain the authenticity and reliability of digital evidence. Right answer is B