Are you planning to take the Security+ exam? If so, make sure you understand basic forensic procedures.
See if you can answer this sample question.
Q. Security personnel confiscated a user’s workstation after a security incident. Administrators removed the hard drive for forensic analysis, but left it unattended for several hours before capturing an image. What could prevent the company from taking the employee to court over this incident?
A. Witnesses were not identified.
B. A chain of custody was not maintained.
C. An order of volatility was not maintained.
D. A hard drive analysis was not complete.
Check your answer (and see the full explanation) here.