During an incident response, a security analyst identified a suspicious file on a workstation that may be related to a malware infection. The analyst needs to collect the file as evidence for further analysis. Which of the following is the analyst's critical step to preserve the digital evidence?

A. The analyst must maintain chain of custody.
B. The analyst must copy evidence to a USB drive.
C. The analyst must shut down the system.
D. The analyst must log off the user account.



Answer:

The critical step in preserving the digital evidence is to maintain the chain of custody: a documented record of who has had access to the evidence, when it was accessed, and any changes made to it. This record helps maintain the integrity of the evidence and its admissibility in legal proceedings, if necessary.

Simply copying the evidence to a USB drive may not be sufficient, because a copy alone does not provide a clear record of who has accessed the evidence. Shutting down the system or logging off the user account may also disrupt or alter the evidence. Therefore, the correct answer is A: the analyst must maintain chain of custody.