During which phase of the forensic process are tools and techniques used to extract the relevant information from the collective data?
A. examination
B. reporting
C. collection
D. investigation
NIST 800-86
Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data.
Correct Answer = A
3.2 Examination
After data has been collected, the next phase is to examine the data, which involves assessing and extracting the relevant pieces of information from the collected data. Fortunately, various tools and techniques can be used to reduce the amount of data that has to be sifted through.
I summarized the above extract to point out the correct answer; you can read more on the topic in the documentation on the site.
Reference: NIST 800-86, Guide to Integrating Forensic Techniques into Incident Response, page 30
Is the answer A?
Yes, the answer is A.
I think it is Examination
Collection: The first phase in the process is to identify, label, record, and acquire data from the possible sources of relevant data, while following guidelines and procedures that preserve the integrity of the data. Collection is typically performed in a timely manner because of the likelihood of losing dynamic data such as current network connections, and losing data from battery-powered devices such as cell phones and PDAs. During collection, data that is related to a specific event is identified, labeled, recorded, and collected, and its integrity is preserved.
It’s A – Examination
D – Investigation is not part of the 4 phases, so that’s out
The clue is in “extract the relevant information from the collective data” – the data already collected, so next is Examination
A. Examination or the Analysis phase of the Incident Response Life Cycle
From NIST 800-86
This section describes the basic phases of the forensic process: collection, examination, analysis, and reporting. During collection, data related to a specific event is identified, labelled, recorded, and collected, and its integrity is preserved. In the second phase, examination, forensic tools and techniques appropriate to the types of data that were collected are executed to identify and extract the relevant information from the collected data while protecting its integrity. Examination may use a combination of automated tools and manual processes.
So although the relevant data is identified during the collection phase, it clearly states that ‘to identify and extract the relevant information’ is completed within the EXAMINATION phase.
A. examination