Investigations
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.
Included in this chapter:
- The forensic process: one repeatable pipeline, preserve before you analyze
- Acquisition: order of volatility, write blockers, hashing, and imaging
- Chain of custody, the five rules of evidence, and reporting
Artifact sources and how each is acquired forensically
| Dimension | Host / computer | Network | Mobile device |
|---|---|---|---|
| Primary artifacts | RAM, disk image, file metadata/timestamps, logs, registry/config | Packet captures, NetFlow, firewall/proxy/DNS logs | App data, messages, location, call logs (usually encrypted) |
| Volatility profile | RAM highest; disk durable | Mostly high: devices overwrite fast or don't store at all | Live device; content changes continuously |
| First handling step | Image RAM live (if powered on), then write-block and image disk | Capture live or pull from centralized logging immediately | Isolate from network (airplane mode / Faraday bag) to block remote wipe |
| Integrity method | Write blocker + hash of source and image | Hash captured files; rely on tamper-evident log storage | Documented extraction; hash the extracted image |
| Key risk if mishandled | Booting the original alters timestamps and pagefile | Volatile data overwritten before capture | Remote wipe or remote alteration erases the device |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.