Domain 7 of 8 · Chapter 1 of 15

Investigations

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • The forensic process: one repeatable pipeline, preserve before you analyze
  • Acquisition: order of volatility, write blockers, hashing, and imaging
  • Chain of custody, the five rules of evidence, and reporting

Artifact sources and how each is acquired forensically

DimensionHost / computerNetworkMobile device
Primary artifactsRAM, disk image, file metadata/timestamps, logs, registry/configPacket captures, NetFlow, firewall/proxy/DNS logsApp data, messages, location, call logs (usually encrypted)
Volatility profileRAM highest; disk durableMostly high: devices overwrite fast or don't store at allLive device; content changes continuously
First handling stepImage RAM live (if powered on), then write-block and image diskCapture live or pull from centralized logging immediatelyIsolate from network (airplane mode / Faraday bag) to block remote wipe
Integrity methodWrite blocker + hash of source and imageHash captured files; rely on tamper-evident log storageDocumented extraction; hash the extracted image
Key risk if mishandledBooting the original alters timestamps and pagefileVolatile data overwritten before captureRemote wipe or remote alteration erases the device

Decision tree

Consult mgmt + legal? do this before collecting Which evidence source? Yes Host powered on, volatile data in RAM? Network: capture live or pull from logging now Mobile: isolate first (airplane / Faraday) Host Network Mobile Image RAM live, in order of volatility Write-block + image disk, hash both copies Yes: RAM first No / then disk Always: maintain chain of custody

Cheat sheet

  • Forensics is one four-phase process: collection, examination, analysis, reporting
  • Consult management and legal before you collect anything
  • Preserve before you analyze: work on a verified copy, never the original
  • Collect in order of volatility: most ephemeral evidence first
  • Image RAM live before shutdown when volatile state holds the evidence
  • Acquire stored media through a write blocker so the original is never modified
  • A forensic image is a bit-for-bit copy, not just the visible files
  • Hash the source and the copy, confirm they match, and preserve the hash
  • Prefer SHA-256 over MD5/SHA-1 for evidence integrity
  • Chain of custody is the unbroken documented history of every handler
  • Evidence storage carries a higher bar than ordinary media storage
  • Preserve to the strictest standard that might plausibly apply
  • Memorize the five rules of evidence: authentic, accurate, complete, convincing, admissible
  • Lawfully collected evidence still fails if it is not admissible
  • Isolate a seized mobile device from the network before extraction
  • Network evidence is mostly volatile, so capture it live or from central logs fast
  • Documentation is a continuous discipline, not a final formality
  • Forensics preserves truth; incident response restores service

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response Whitepaper
  2. RFC 3227: Guidelines for Evidence Collection and Archiving (order of volatility) Whitepaper