Digital Forensics
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.
Included in this chapter:
- Why cloud forensics is different
- The standards: NIST SP 800-86 and the ISO/IEC family
- Order of volatility and acquiring ephemeral cloud evidence
- Chain of custody and evidence management across the provider boundary
- Exam-pattern recognition: how 5.4 items are written
Forensic standards and where they apply
| Standard | Scope | Forensic phase it governs | Cloud relevance |
|---|---|---|---|
| NIST SP 800-86 | Integrating forensics into incident response | All four: collection, examination, analysis, reporting | The end-to-end process model investigators run on cloud artifacts |
| ISO/IEC 27037 | Handling digital evidence | Identification, collection, acquisition, preservation | Defines how to acquire and preserve virtual artifacts defensibly |
| ISO/IEC 27041 | Investigation assurance | Suitability and validation of the method | Shows the chosen cloud-collection method is fit for purpose |
| ISO/IEC 27042 | Analysis and interpretation | Examination and analysis | Guides interpreting acquired cloud evidence consistently |
| ISO/IEC 27050 | Electronic discovery (eDiscovery) | Legal preservation and production | Governs producing cloud-stored ESI for litigation |
| RFC 3227 | Evidence collection and archiving | Collection ordering | Sets the order-of-volatility sequence for perishable cloud data |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- CSA Security Guidance for Critical Areas of Focus in Cloud Computing
- NIST SP 800-86 — Guide to Integrating Forensic Techniques into Incident Response Whitepaper
- NIST SP 800-101 Rev. 1 — Guidelines on Mobile Device Forensics Whitepaper
- RFC 3227 — Guidelines for Evidence Collection and Archiving Whitepaper