[&] What is the primary goal of evidence triage in incident response?
- To minimize the time spent on data collection by skipping less important sources
- To ensure all available data is collected without exception
- To prioritize the collection of artifacts based on forensic value and volatility -- Correct
- To maximize the use of automated tools for data acquisition

[&] What does the process of evidence acquisition involve?
- Collecting a defensible copy of relevant artifacts for analysis -- Correct
- Storing all artifacts in a single location to conserve storage resources
- Using only automated scripts to gather all available network logs
- Capturing a minimal amount of data necessary to speed up analysis

[&] Why is it important to hash each file at the time of capture during evidence collection?
- To compress the file size for easier storage
- To verify the authenticity and integrity of the evidence collected -- Correct
- To immediately discard any redundant data
- To combine it with all other files into a single hash log

[&] Why is RAM typically prioritized in evidence collection?
- It is the easiest type of data to collect
- It is rarely used by malware and is thus commonly overlooked
- It is highly volatile and contains significant forensic value -- Correct
- It is non-volatile and remains unchanged over time

[&] What does maintaining a 'chain of custody' ensure in the context of evidence collection?
- It ensures all collected data is stored in the cloud for easy access
- It limits access to evidence to only authorized personnel
- It guarantees the quickest response time from the forensic team
- It confirms that each item is legally and technically defensible -- Correct

[&] Which factor can dictate the order of evidence collection when using a scoring matrix?
- The forensic tools available for data processing
- The combination of forensic value and volatility score -- Correct
- The ease of access to each type of evidence
- The total volume of data available