A security analyst is investigating a data breach in a cloud environment. The analyst needs to preserve evidence for legal proceedings. Which of the following actions is most critical to ensure the chain of custody is maintained?
This is the first step in establishing chain of custody.
Why this answer
Chain of custody requires documenting every transfer of evidence. Option B is correct because starting a log of all actions with timestamps and personnel ensures accountability. Option A is wrong because notifying management, while important, is not the most critical action for chain of custody.
Option C is wrong because isolating systems can destroy volatile data. Option D is wrong because unique hashing, while important, does not by itself document custody.