Why would a memory dump be admissible as evidence in court?
A. Because it is used to demonstrate the truth of the contents.
B. Because it is used to identify the state of the system.
C. Because the state of the memory cannot be used as evidence.
D. Because of the exclusionary rule.
Explanation:
A memory dump identifies the state of the system.
Computer-generated evidence in the form of routine operational business data or reports, and binary disk
or memory dumps, now constitutes an exception to the rule that computer-generated evidence is hearsay, and is
therefore admissible in court.
Incorrect Answers:
A: A memory dump does not identify the truth; it identifies the state of the system.
C: The state of the memory, the system state, can be admissible as evidence in court.
D: The exclusionary rule refers to evidence that is inadmissible. The exclusionary rule is a legal principle in the
United States, under constitutional law, which holds that evidence collected or analyzed in violation of the
defendant’s constitutional rights is sometimes inadmissible for a criminal prosecution in a court of law.
Stewart, James M., Ed Tittel, and Mike Chapple, CISSP: Certified Information Systems Security Professional
Study Guide, 5th Edition, Sybex, Indianapolis, 2011, p. 504