Digital Forensics & Chain of Custody | CISSP Domain 7 | SkillAssess
CISSP · Security Operations · 11 min read · 20 May 2026
Digital Forensics: Evidence Collection, Chain of Custody, and CISSP Scenarios
Digital forensics is the application of scientific methods to the collection, examination, analysis, and presentation of digital evidence in a manner that preserves its integrity for legal proceedings. For the CISSP exam, digital forensics is tested as a security operations discipline that intersects with legal requirements, evidence handling procedures, and investigative technique. The exam does not test forensic tool commands — it tests the principles, procedures, and correct sequencing of forensic activities.
Types of Investigations
Digital investigations are conducted for different purposes with different standards of evidence, different legal authorities, and different consequences. Understanding the type of investigation determines the level of rigour required.
Criminal investigations are conducted when a crime has been committed and law enforcement is involved. Criminal investigations follow the most rigorous evidence handling standards because the results may be presented in court where opposing counsel will challenge the integrity of the evidence. Evidence must be collected using forensically sound methods, chain of custody must be meticulously maintained, and the investigation must be conducted by or in coordination with law enforcement.
Civil investigations arise from disputes between private parties (contract breaches, employment disputes, intellectual property theft) or from regulatory enforcement actions that are civil rather than criminal in nature. Civil investigations still require strong evidence handling but may be conducted by private forensic firms rather than law enforcement.
Administrative investigations are internal disciplinary investigations conducted by an organisation to investigate employee misconduct. They typically do not involve law enforcement and are governed by HR policies and employment law. Even though administrative investigations are internal, they should be conducted with sound evidence handling procedures because they may escalate to criminal or civil proceedings.
Regulatory investigations are conducted by regulatory agencies (SEC, FTC, OCR, FCA) investigating compliance violations. The regulatory body sets the investigation standards and may require the organisation to preserve and produce specific data.
For the exam: the type of investigation determines who conducts it, what legal authority they have, what evidence standards apply, and what the consequences of findings are. Criminal investigations require the most rigorous standards.
Order of Volatility: What to Collect First
One of the most directly tested digital forensics concepts on the CISSP exam is the order of volatility — the principle that evidence should be collected in order from most volatile (most quickly lost) to least volatile.
The order of volatility from most to least volatile:
CPU registers and cache: contents are lost immediately when the system is shut down or the program completes. This is the most volatile data.
RAM (random access memory): contains running processes, active network connections, decrypted data, and potentially encryption keys and attacker tools. RAM contents are lost on shutdown. In modern investigations, RAM acquisition (memory forensics) is critical because malware may reside entirely in memory without touching disk.
Swap and virtual memory: page files and swap partitions contain data that has been paged out of RAM. More persistent than RAM but still volatile.
Running processes and network state: the list of running processes, open network connections, listening ports, and ARP cache. This information should be documented before any containment action that might affect it.
System clock and time: documenting the system clock's current time and its offset from accurate time is important for correlating events in the timeline.
Disk (local storage): hard drives and SSDs. Disk evidence is less volatile because it persists after shutdown, but it can still be modified or destroyed if the investigation is not prompt.
Remote and archived data: data on network shares, cloud storage, backup systems, and archival storage. This is the least volatile because it is stored remotely and persists independently of the local system.
For the exam, the order is CPU registers/cache → RAM → swap → running processes/network state → system clock → disk → remote/archived. Collect the most volatile data first.
Chain of Custody: Documentation and Evidence Integrity
Chain of custody is the documented, unbroken record of the possession, transfer, and handling of evidence from the moment of collection through to its presentation in proceedings. A break in the chain of custody may render evidence inadmissible.
Chain of custody documentation for each piece of evidence includes: a unique identifier for the evidence item, description of the item (make, model, serial number, condition), date and time of collection, location of collection, name and signature of the person who collected it, hash value of digital evidence (MD5, SHA-256) taken immediately at collection, and a record of every transfer (who handed it to whom, when, and why).
Evidence must be stored in a secure, access-controlled evidence room with a log of all access. The evidence room should have limited access, surveillance cameras, and tamper-evident seals on evidence bags.
Hash verification is the cryptographic foundation of digital evidence integrity. When a forensic image of a disk is created, a hash of the original disk and a hash of the forensic image are both computed and documented. If the two hashes match, the image is a verified forensically sound copy. Any subsequent modification to the image would produce a different hash, providing cryptographic proof of tampering.
For the exam: chain of custody must be maintained from collection through presentation. Hash values provide cryptographic integrity verification. A broken chain of custody may make evidence inadmissible.
Forensic Tools and Techniques
The CISSP exam does not test specific tool names in depth, but candidates should understand the categories of forensic tools and what each does.
Disk imaging tools create bit-for-bit copies of storage media without modifying the original. Examples include FTK Imager and dd (Linux). A write blocker is hardware or software that prevents any writes to the evidence media during imaging, ensuring the original is not modified. Write blockers are essential for forensically sound disk imaging.
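The hash verification described in the chain-of-custody section and the imaging step above, worked as an added example (not code from the original article): a plain file copy stands in for dd behind a write blocker, the source and image are hashed, and every hand-off re-hashes the image so the custody record itself proves integrity; the evidence identifier, names and "device" contents are constructed.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    """Hash a file in 1 MiB chunks so a large image never has to fit in RAM."""
    h = hashlib.sha256()  # SHA-256 rather than MD5: MD5 collisions are practical
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source, image, custody_log, collector):
    """Copy the source bit-for-bit, hash both sides, and open the custody record."""
    shutil.copyfile(source, image)  # stands in for dd / FTK Imager behind a write blocker
    src_hash, img_hash = sha256_of(source), sha256_of(image)
    if src_hash != img_hash:
        raise RuntimeError("image hash differs from source: acquisition is not sound")
    record = {"evidence_id": "EV-0001",  # constructed identifier
              "description": f"forensic image of {Path(source).name}",
              "collected_at": datetime.now(timezone.utc).isoformat(),
              "collected_by": collector, "sha256": img_hash, "transfers": []}
    Path(custody_log).write_text(json.dumps(record, indent=2))
    return record

def transfer_evidence(image, custody_log, giver, receiver, reason):
    """Log a hand-off, re-hashing the image so each link in the chain proves integrity."""
    record = json.loads(Path(custody_log).read_text())
    current = sha256_of(image)
    intact = current == record["sha256"]
    record["transfers"].append({"at": datetime.now(timezone.utc).isoformat(),
                                "from": giver, "to": receiver, "reason": reason,
                                "sha256_at_transfer": current, "verified": intact})
    Path(custody_log).write_text(json.dumps(record, indent=2))
    return intact

def demo():
    """Constructed scenario: a clean hand-off, then a modified image caught at transfer."""
    work = Path(tempfile.mkdtemp())
    dev, img, log = work / "sdb.raw", work / "sdb.img", work / "custody.json"
    dev.write_bytes(bytes(range(256)) * 64)  # constructed 16 KiB 'device'
    acquire_image(dev, img, log, "A. Examiner")
    clean = transfer_evidence(img, log, "A. Examiner", "Evidence Room", "storage")
    with open(img, "ab") as f:
        f.write(b"\x00")  # simulate a write to the image after collection
    tampered = transfer_evidence(img, log, "Evidence Room", "B. Analyst", "analysis")
    return clean, tampered, len(json.loads(log.read_text())["transfers"])
```

The custody record is a single JSON file here; in practice the same fields go on the signed paper or case-management form, and the failed verification on the second transfer is exactly the break in the chain that opposing counsel would raise.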
Memory acquisition tools capture the contents of RAM for analysis. Memory forensics can reveal running processes, network connections, encryption keys, and in-memory malware. Examples include Volatility Framework for memory analysis.
Network forensics involves capturing and analysing network traffic. Tools include Wireshark for packet capture and analysis, and NetFlow/IPFIX for traffic metadata analysis.
File system forensics examines file system structures to recover deleted files, examine file timestamps, and identify anomalies. Timestamps on files (creation, modification, access) can be manipulated by attackers (timestomping) to obscure activity, so forensic analysts must consider whether timestamps have been modified.
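The timestamp scrutiny described above turned into triage heuristics, as an added example that is not part of the original article: it assumes NTFS, where the $STANDARD_INFORMATION timestamps can be rewritten by ordinary APIs while the $FILE_NAME creation time is set by the kernel, and the three indicators and the file records are constructed illustrations, not a complete detection method.

```python
from datetime import datetime

# Constructed NTFS-style records. "si" holds the $STANDARD_INFORMATION timestamps
# (the ones ordinary APIs and timestomping utilities can rewrite); "fn" holds the
# $FILE_NAME creation time, which the kernel sets and user-mode tools do not change.
SAMPLE_RECORDS = [
    {"path": "C:\\Users\\alice\\report.docx",
     "si": {"created": "2024-03-04T10:15:22.437192", "modified": "2024-03-05T16:02:09.118554",
            "accessed": "2024-03-06T08:41:33.902113"},
     "fn": {"created": "2024-03-04T10:15:22.437192"}},
    {"path": "C:\\Windows\\Temp\\svc.exe",
     "si": {"created": "2019-01-01T00:00:00", "modified": "2019-01-01T00:00:00",
            "accessed": "2019-01-01T00:00:00"},
     "fn": {"created": "2024-03-04T10:15:22.437192"}},
    {"path": "C:\\Users\\alice\\copied.pdf",
     "si": {"created": "2024-03-10T08:00:00.123456", "modified": "2023-12-01T09:30:00.654321",
            "accessed": "2024-03-10T08:00:00.123456"},
     "fn": {"created": "2024-03-10T08:00:00.123456"}},
]

def timestomp_indicators(record):
    """Return the heuristic indicators that fire for one file record (may be empty)."""
    si = {k: datetime.fromisoformat(v) for k, v in record["si"].items()}
    fn_created = datetime.fromisoformat(record["fn"]["created"])
    flags = []
    # $SI creation earlier than $FN creation: $FN was written when the file was
    # created on this volume, so an older $SI creation time has likely been backdated.
    if si["created"] < fn_created:
        flags.append("si_created_before_fn_created")
    # Every $SI timestamp with a zero sub-second part: utilities that accept
    # second-granularity input leave the fraction at zero; real activity rarely does.
    if all(ts.microsecond == 0 for ts in si.values()):
        flags.append("zero_subsecond_precision")
    # Modified before created: a weak indicator on its own, because copying a file
    # preserves its modification time while giving it a new creation time.
    if si["modified"] < si["created"]:
        flags.append("modified_before_created")
    return flags

def triage(records):
    """Map each path to its indicators; an analyst reviews anything with a non-empty list."""
    return {r["path"]: timestomp_indicators(r) for r in records}
```

Only the record with two indicators firing together looks backdated; the copied PDF shows why a single weak indicator needs corroboration from other artifacts before it means anything.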
Artifacts by Type
Digital forensic evidence comes in different forms depending on its source.
Data artifacts are files, databases, and their contents: documents, images, executable files, configuration files, and database records. Data artifacts may contain evidence of the incident directly (a document exfiltrated by an insider) or may contain metadata that supports the investigation (file creation timestamps, author metadata).
Computer artifacts reside on the local system: registry keys (Windows), prefetch files, event logs, browser history, recently accessed files, and shellbag data. These artifacts can reveal what applications were run, what files were accessed, and what user actions were taken.
Network artifacts are evidence derived from network activity: firewall logs, DNS query logs, proxy logs, NetFlow records, and packet captures. Network artifacts can establish when and how a system communicated with external entities.
Mobile device artifacts include call logs, text messages, GPS history, application data, and authentication records. Mobile forensics requires specialised tools and techniques because mobile devices use proprietary operating systems with limited documentation.
Exam Tip
Order of volatility: CPU registers → cache → RAM → swap → disk → remote/archived. Collect most volatile first. Chain of custody must be maintained from collection through presentation — a break in the chain may make evidence inadmissible. Hash values (MD5, SHA-256) provide cryptographic proof that evidence has not been modified. Write blockers prevent modification of original evidence during imaging.