The given answer is correct, because the question states "When performing an investigation" - it means the investigation process has already been started, implying that you have been authorized to collect any pertinent info, therefore CoC is the right answer!
Although I agree chain-of-custody is critically important, if you are not authorized to collect the data, via banner, consent, or a search warrant, then nothing else matters because none of it will be able to be used in court.
The analyst’s first consideration when performing an investigation with the potential for legal action is authorization to collect. Authorization to collect is the process of obtaining the necessary permissions and approvals to collect the evidence from the relevant sources, such as the owners, custodians, or authorities. Authorization to collect is essential to ensure the legality, validity, and admissibility of the evidence, as well as to protect the rights and privacy of the parties involved. Authorization to collect can also prevent any legal or ethical issues that may arise from unauthorized or improper collection of evidence.
The other options are not the first considerations when performing an investigation with the potential for legal action, as they either come after the collection of evidence, or do not relate to the legal aspect.
The first consideration in an investigation with potential legal action is ensuring that the analyst has the proper authorization to collect the evidence. Without this authorization, any collected evidence may be inadmissible and could jeopardize the entire investigation.
D. Court admissibility. Since there is the potential for legal action, evidence and procedures must be performed with the three basic requirements for admissible evidence which are:
Relevant - makes a fact more or less probable
Material - related to case
Competent - legally defensible
DoJ also adds being authentic and withstanding scrutiny of collection and preservation as additional factors.
A. Data decryption is not relevant
B. Establishing and preserving chain of custody is part of ensuring the competency of evidence
C. Ensuring the proper authorization to collect also is part of the competency of evidence.
Since B and C are included in D, the answer is D.
Without proper authorization, any evidence collected could be inadmissible in court, rendering the investigation fruitless.
This includes:
Legal warrants or subpoenas: If required by jurisdiction.
Company policies and procedures: Outlining data handling and investigation protocols.
Consent from relevant parties: If necessary, obtaining permission to access data.
I think it's B.
The existence of opinions stating D is likely due to the investigation and documentation of the possibility of legal measures. If legal measures are not taken, D seems meaningless, and what are the criteria for acceptability in the courtroom in the first place?
Whatever investigation or evidence you collect, the first thing is to ensure it's admissible in court. Court admissibility encompasses Chain-of-Custody and Authorization to collect. It's basic. I will choose D. Whatever you do, ensure court admissibility first.
The question of "Authorization to collect" (Option C) versus "Chain-of-custody" (Option B) is a nuanced one. Both are critically important in a legal investigation. However, the sequence in which they matter is the distinction.
Before an analyst can even worry about maintaining a proper chain-of-custody, they first need to ensure they have the proper legal and/or organizational authority to collect the evidence in the first place. Collecting evidence without proper authorization can render the evidence inadmissible in court or potentially lead to legal consequences for the analyst or their organization.
Once the evidence is legally and properly collected, the chain-of-custody becomes paramount. It ensures that the evidence has been handled, stored, and transferred in a way that maintains its integrity and authenticity.
In essence, without proper authorization to collect, the chain-of-custody is moot because the evidence shouldn't have been collected in the first place. That's why "Authorization to collect" is the FIRST consideration in the context of the question.
The importance of chain-of-custody in investigations is defined in various legal and regulatory frameworks. For example, in the United States, the Federal Rules of Evidence and the Daubert standard require that evidence presented in court be relevant, reliable, and obtained through proper procedures. The chain-of-custody is critical in establishing the reliability and authenticity of evidence. Additionally, the International Organization for Standardization (ISO) provides guidelines for the management of digital evidence, including the importance of maintaining the chain-of-custody. Finally, in the context of the CISSP certification, the importance of chain-of-custody is discussed in the Information Security Governance and Risk Management domain.
B. Chain-of-custody. Without it the evidence is probably not admissible in court. "Authorization to collect" has nothing to do with collecting evidence; it's about picking up documents.
The question says First Consideration.
Then, I will keep option D for a later stage. Because I can later decide what is admissible and what is not.
Both options B and C make sense to me. But C seems like it should be considered first.
What if you maintain the chain-of-custody, but the evidence collected was illegal?
C comes before an investigation starts.
In this scenario the investigation was already started, so the authorization was granted.
There is no dedicated need for "data collection" within the investigation process.
C.
The first step of the Investigation Process is Gathering Evidence, which includes:
First, voluntarily surrender
Second, a subpoena
Third, the plain view doctrine
Fourth, a search warrant
OSG P919