Eccouncil 312-49v11 Exam - Topic 14 Question 7 Discussion

Actual exam question for Eccouncil's 312-49v11 exam

Question #: 7
Topic #: 14

During a forensic investigation into a recent security incident within an organization, the investigator is tasked with documenting every action taken with the evidence to ensure proper chain of custody. The investigator carefully documents every action taken with the evidence in a logbook. The evidence is tagged with unique identifiers to prevent confusion. A detailed chain of custody record is also created to track the evidence's movement and handling throughout the investigation. Which investigation step is the investigator performing in this scenario?

AThe investigator is preserving the evidence collected from the incident site.

BThe investigator is performing scoping on the location where the security incident took place.

CThe investigator is carrying out data analysis on the evidence for potential findings related to the breach.

DThe investigator is conducting a search and seizure of the evidence related to the security incident.

Show Suggested Answer

Suggested Answer: A

According to the CHFI v11 Procedures and Methodology domain, evidence preservation is a critical step in the forensic investigation process and is closely tied to maintaining a proper chain of custody. Preservation ensures that digital evidence remains unaltered, authentic, and legally admissible from the moment it is collected until it is presented in court or a disciplinary proceeding.

In the given scenario, the investigator is documenting every action, assigning unique identifiers, and maintaining a chain of custody log that records who handled the evidence, when it was handled, and for what purpose. CHFI v11 explicitly defines these actions as part of the evidence preservation phase, which occurs immediately after evidence identification and collection. This phase is designed to prevent evidence tampering, loss, contamination, or misidentification.

The other options do not align with the described activities. Scoping focuses on defining investigation boundaries, data analysis involves examining evidence for findings, and search and seizure refers to the legal act of collecting evidence---none of which emphasize documentation and custody tracking.

CHFI v11 stresses that failure to properly preserve evidence and document its handling can result in evidence being challenged or ruled inadmissible. Therefore, the investigator's actions clearly correspond to preserving the evidence, making Option A the correct and CHFI v11--verified answer.

by Penney at Apr 03, 2026, 12:13 PM

Limited Time Offer

25%

Off

Get Premium 312-49v11 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Carry

3 days ago

I remember studying the importance of chain of custody in my forensic classes, but I'm not entirely sure which step this specifically falls under.

upvoted 0 times

...