A digital chain of custody ensures that evidence (e.g., logs, timestamps) collected from a network can
be reliably used in legal or forensic investigations. It requires maintaining the integrity and
authenticity of data, including accurate timestamps for events. HPE Aruba Networking devices, such
as Instant APs, Mobility Controllers (MCs), and AOS-CX switches, support features to help maintain a
digital chain of custody.
Option C, "Ensure that all network infrastructure devices receive a valid clock using authenticated
NTP," is correct. Accurate and synchronized time across all network devices is critical for maintaining
a digital chain of custody. Timestamps in logs (e.g., authentication events, traffic logs) must be
consistent and verifiable. Network Time Protocol (NTP) is used to synchronize device clocks, and
authenticated NTP ensures that the time source is trusted and not tampered with (e.g., using MD5 or
SHA authentication). This practice ensures that logs from different devices can be correlated
accurately during an investigation.
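The following is an added illustration, not code from the HPE Aruba Networking guides: it shows in Python why authenticated NTP gives a verifiable time source. A server reply carries a keyed digest over the 48-byte header (RFC 5905 symmetric-key MAC: key ID followed by digest(key || header)), so a device holding the shared key can reject a reply whose transmit timestamp was altered in transit or that was signed with an unknown key. The key table, key value and packet contents are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed key table; real deployments distribute keys out of band
# (for example, the key configured with 'ntp authentication-key' on the device).
KEY_ID = 1
KEYS = {KEY_ID: ("md5", b"demo-shared-secret")}  # hypothetical shared secret

HEADER_LEN = 48  # NTPv4 header; the demo assumes no extension fields


def build_header(transmit_ts: float, stratum: int = 2) -> bytes:
    """Build a minimal 48-byte NTPv4 server reply (LI=0, VN=4, mode=4)."""
    ntp_epoch_offset = 2208988800  # seconds between 1900-01-01 and 1970-01-01
    secs = int(transmit_ts) + ntp_epoch_offset
    frac = int((transmit_ts - int(transmit_ts)) * 2**32)
    # LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
    # reference ID ('GPS'), reference/origin/receive timestamps (zeroed here),
    # then the transmit timestamp (seconds at offset 40, fraction at 44).
    return struct.pack("!BBBbIIIQQQII", 0x24, stratum, 6, -20,
                       0, 0, 0x47505300, 0, 0, 0, secs, frac)


def append_mac(header: bytes, key_id: int) -> bytes:
    """Append key ID + digest(key || header), the symmetric-key MAC of RFC 5905."""
    algo, key = KEYS[key_id]
    digest = hashlib.new(algo, key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_mac(packet: bytes) -> bool:
    """Return True only if the trailing MAC is valid under a known, trusted key."""
    if len(packet) < HEADER_LEN + 4 + 16:
        return False  # unauthenticated (bare header) or truncated MAC
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    if key_id not in KEYS:
        return False  # key ID not in the trusted key table
    algo, key = KEYS[key_id]
    expected = hashlib.new(algo, key + header).digest()
    received = packet[HEADER_LEN + 4:]
    return hmac.compare_digest(expected, received)  # constant-time comparison


def tamper_transmit_timestamp(packet: bytes, delta_seconds: int) -> bytes:
    """Simulate an on-path modification of the transmit timestamp seconds field."""
    secs = struct.unpack("!I", packet[40:44])[0]
    return packet[:40] + struct.pack("!I", (secs + delta_seconds) & 0xFFFFFFFF) + packet[44:]
```

Because the shared key never leaves the configured devices, a consistent MAC failure on a device's NTP association is itself a log event worth correlating during an investigation.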
Option A, "Enable packet capturing on Instant AP or Mobility Controller (MC) datapath on an ongoing
basis," is incorrect. While packet capturing on the datapath (user traffic) can provide detailed traffic
data for analysis, enabling it on an ongoing basis is impractical due to storage and performance
constraints. Packet captures are typically used for specific troubleshooting or investigations, not for
maintaining a chain of custody.
Option B, "Ensure that all network infrastructure devices use RADIUS rather than TACACS+ to
authenticate managers," is incorrect. The choice of RADIUS or TACACS+ for manager authentication
does not directly impact the digital chain of custody. Both protocols can log authentication events,
but the protocol used does not ensure the integrity of timestamps or evidence.
Option D, "Enable packet capturing on Instant AP or Mobility Controller (MC) controlpath on an
ongoing basis," is incorrect for the same reasons as Option A. Control path (control plane) packet
captures include management traffic (e.g., between APs and MCs), but enabling them continuously is
not practical and does not directly contribute to maintaining a chain of custody. Accurate timestamps
in logs are more relevant.
The HPE Aruba Networking Security Guide states:
"Maintaining a digital chain of custody requires ensuring the integrity and authenticity of network
logs and events. A critical practice is to ensure that all network infrastructure devices, such as
Mobility Controllers and AOS-CX switches, receive a valid and synchronized clock using authenticated
NTP. Use the command ntp server key to configure authenticated NTP,
ensuring that timestamps in logs are accurate and verifiable for forensic investigations." (Page 85,
Digital Chain of Custody Section)
Additionally, the HPE Aruba Networking AOS-8 8.11 User Guide notes:
"Accurate time synchronization is essential for maintaining a digital chain of custody. Configure all
devices to use authenticated NTP to synchronize their clocks with a trusted time source. This ensures
that event logs, such as authentication and traffic logs, have consistent and reliable timestamps,
which can be correlated across devices during an investigation." (Page 380, Time Synchronization
Section)
References:
HPE Aruba Networking Security Guide, Digital Chain of Custody Section, Page 85.
HPE Aruba Networking AOS-8 8.11 User Guide, Time Synchronization Section, Page 380.