Which TWO of the following are considered essential steps in the computer forensics investigation process according to EC-Council guidelines?
Identification is the first step in the forensic process.
Why this answer
Identification of potential evidence is a core initial step in the EC-Council's computer forensics investigation process because it defines the scope and sources of data that may contain relevant evidence. Without proper identification, investigators risk missing critical data or collecting irrelevant information, which can compromise the entire investigation. This step involves recognizing potential evidence sources such as hard drives, network logs, and volatile memory, ensuring that all relevant data is accounted for before collection begins.
Exam trap
The trap here is that candidates often confuse specialized techniques like data recovery or data deletion with the core essential steps, leading them to select options that are not part of the standard EC-Council forensics process.