Evidence Preservation — CompTIA CySA+ (CS0-003) Practice Questions
Evidence preservation ensures that digital artifacts collected during an investigation remain unaltered, authentic, and legally defensible throughout the entire incident response and potential legal process. The CySA+ exam requires candidates to understand practices such as write-blocking during disk imaging, cryptographic hashing to verify integrity, maintaining a documented chain of custody, and storing evidence in a secure, access-controlled location. Failure to properly preserve evidence can invalidate forensic findings, expose the organization to legal liability, and prevent successful prosecution of threat actors.
Free questions on evidence preservation
During a security incident, the analyst needs to preserve evidence from a compromised server. Which action should be performed FIRST?
Difficulty: medium
More evidence preservation questions in the full bank
- When responding to a potential insider threat, what is the FIRST critical step?
- When responding to a confirmed data breach, what is the FIRST priority?
- Your organization discovers insider threat activity. How should you proceed?