Your company suspects an employee of sending unauthorized emails to competitors. These emails
are alleged to contain confidential company data. Which of the following is the most important
step for you to take in preserving the chain of custody?
A. Preserve the email server including all logs.
B. Seize the employee’s PC.
C. Make copies of that employee’s email.
D. Place spyware on the employee’s PC to confirm these activities.
Explanation:
In order to preserve chain of custody, you should immediately create a mirror image of the hard
drive on the email server. Then preserve the original hard drive and use the mirrored copy for your server.
This is the best way to guarantee that all email records are not only preserved, but are not tampered
with.