Domain 7: Security Operations (Module 43 of 84)

Investigation Compliance and Evidence Handling

CISSP Domain 7 — Security Operations A — Investigations and Monitoring 10–12 minutes

The Decision That Shapes Everything After

A security analyst discovers unauthorized access to a financial database at 2:00 AM. The logs show data exfiltration to an external IP address. Within the first thirty minutes, the decisions made about this incident will determine whether the evidence can support a criminal prosecution, whether it holds up in civil litigation, or whether it only justifies an internal disciplinary action.

The type of investigation you pursue dictates the standard of evidence you must meet. Get this wrong at the start, and months of forensic work may be inadmissible.

This module covers CISSP exam objective 7.1: understand and comply with investigations. ISC2 expects you to know the differences between investigation types, the rules governing evidence, and the forensic process that preserves evidentiary integrity from collection through courtroom presentation.


Investigation Types

Not every security incident becomes a criminal case. The type of investigation determines the burden of proof, the legal authority involved, and the procedures you must follow.

Administrative Investigations

Internal investigations conducted under organizational policy. An employee violates the acceptable use policy, a contractor accesses systems outside their scope, or a manager suspects timecard fraud. The burden of proof is the lowest — preponderance of evidence (more likely than not). The investigator is typically internal security, HR, or an ethics team. No court involvement is required, though findings may lead to termination, sanctions, or referral to law enforcement.

Criminal Investigations

Conducted by law enforcement with the goal of prosecution. The burden of proof is beyond a reasonable doubt — the highest standard. Evidence handling must be flawless. Chain of custody breaks, improper collection, or contaminated evidence can render an entire case unusable. Organizations typically support criminal investigations by preserving evidence and cooperating with law enforcement, but do not lead them.

Civil Investigations

One party sues another — breach of contract, intellectual property theft, negligence. The burden of proof is preponderance of evidence. Civil investigations often involve e-discovery obligations, where both parties must preserve and produce relevant electronic records. Failure to preserve evidence once litigation is reasonably anticipated (a litigation hold) can result in sanctions or adverse inference — the court assumes the destroyed evidence was unfavorable.

Regulatory Investigations

Conducted by regulatory bodies (SEC, HIPAA OCR, GDPR supervisory authorities, PCI QSAs). The standard of proof varies by jurisdiction and regulation but generally falls between civil and criminal standards. Organizations must often produce records, demonstrate compliance, and cooperate with regulators under legal obligation. Obstruction or failure to preserve records can result in fines, consent decrees, or loss of operating licenses.


Evidence Types

Evidence presented in legal proceedings falls into recognized categories. Understanding these categories helps you evaluate what your forensic artifacts actually prove.

  • Real evidence (physical) — Tangible objects: a hard drive, a printed document, a damaged server. Can be examined directly by the court.
  • Documentary evidence — Written or recorded information: log files, emails, contracts, audit reports. Subject to the best evidence rule, which generally requires the original document rather than a copy (with exceptions for electronic records where copies are bit-for-bit identical).
  • Testimonial evidence — Statements made by witnesses under oath. Expert witnesses (forensic analysts, security professionals) may offer opinions; lay witnesses generally testify only to facts they observed. Testimonial evidence is subject to cross-examination and challenges to credibility.
  • Demonstrative evidence — Visual aids that help explain other evidence: network diagrams, timeline reconstructions, forensic tool output. Demonstrative evidence does not stand alone — it supports and clarifies other evidence types.

For the exam, also know these evidence concepts:

  • Hearsay — Second-hand statements offered for the truth of the matter. Generally inadmissible, with notable exceptions for business records kept in the ordinary course of business (which covers most system logs).
  • Best evidence rule — Originals are preferred over copies. For digital evidence, a verified forensic image (bit-for-bit copy with matching hash) is treated as equivalent to the original.
  • Corroborative evidence — Supporting evidence that strengthens other evidence. A single log entry is weaker than the same event confirmed by network captures, IDS alerts, and authentication records.

Chain of Custody

Chain of custody is the documented, unbroken record of who handled evidence, when, where, and what they did with it. Every transfer, every access, every storage location change must be logged.

A chain of custody record includes:

  • Who collected the evidence (name, title, organization)
  • When and where it was collected
  • How it was transported and stored
  • Every person who accessed or transferred the evidence
  • The condition of the evidence at each transfer
  • Tamper-evident seals and integrity verification (hash values for digital evidence)

A single undocumented gap in the chain of custody can render evidence inadmissible. The opposing party will argue that the evidence could have been altered, planted, or contaminated during the gap. This is why forensic examiners compute hash values (SHA-256) at the moment of collection and verify those hashes before every examination.
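The hash-at-collection, verify-before-examination discipline described above, as an added example that is not part of the CISSP module: a minimal chain-of-custody record in Python, with every access appended as an immutable log event. The evidence bytes, custodian names and seal number are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence bytes, the integrity check the module names."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    evidence_id: str
    collection_hash: str  # recorded once, at the moment of collection
    events: list = field(default_factory=list)

    def log(self, actor: str, action: str, detail: str) -> None:
        # Every access or transfer is appended; entries are never edited or removed.
        self.events.append({"time": datetime.now(timezone.utc).isoformat(),
                            "actor": actor, "action": action, "detail": detail})


def collect(evidence_id: str, collector: str, image: bytes, location: str) -> CustodyRecord:
    """Start the chain: hash the image as acquired and log who, when and where."""
    rec = CustodyRecord(evidence_id, sha256_hex(image))
    rec.log(collector, "collected", f"at {location}; sha256={rec.collection_hash}")
    return rec


def transfer(rec: CustodyRecord, from_person: str, to_person: str, condition: str) -> None:
    """Hand-off between custodians, noting the condition of the evidence."""
    rec.log(from_person, "transferred", f"to {to_person}; condition: {condition}")


def verify_before_exam(rec: CustodyRecord, image: bytes, examiner: str) -> bool:
    """Re-hash before examination; a mismatch means integrity can no longer be shown."""
    current = sha256_hex(image)
    ok = current == rec.collection_hash
    rec.log(examiner, "verified",
            "hash matches collection hash" if ok else f"HASH MISMATCH: sha256={current}")
    return ok


# Constructed sample "disk image" standing in for a real acquisition.
SAMPLE_IMAGE = b"\x00" * 512 + b"constructed sample header" + b"\xff" * 512

if __name__ == "__main__":
    rec = collect("EV-001", "A. Analyst", SAMPLE_IMAGE, "evidence locker 3")
    transfer(rec, "A. Analyst", "B. Examiner", "sealed bag, seal #0042 intact")
    print(verify_before_exam(rec, SAMPLE_IMAGE, "B. Examiner"))  # True
    tampered = bytearray(SAMPLE_IMAGE); tampered[600] ^= 0x01   # one flipped bit
    print(verify_before_exam(rec, bytes(tampered), "B. Examiner"))  # False
```

The second check models the Question 2 scenario: a single altered bit in the image breaks the hash, and the failed verification is itself logged rather than silently discarded.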


The Digital Forensics Process

Digital forensics follows a structured process designed to produce evidence that is admissible and defensible. The exact terminology varies by framework (NIST, ISO 27037, SWGDE), but the phases are consistent.

  1. Identification — Determine what evidence exists and where it resides. This includes volatile data (RAM, running processes, network connections) and non-volatile data (disk images, logs, backups). Volatile evidence must be collected first because it disappears when systems are powered off.
  2. Preservation — Protect evidence from alteration or destruction. Issue litigation holds, isolate affected systems, and prevent automatic processes (log rotation, temp file cleanup) from overwriting relevant data.
  3. Collection — Acquire evidence using forensically sound methods. Create bit-for-bit images of storage media using write blockers. Capture volatile data with validated tools. Document every action. Compute and record cryptographic hashes.
  4. Examination — Process the collected data to extract relevant information. This is technical work: recovering deleted files, parsing log entries, reconstructing timelines, analyzing malware artifacts.
  5. Analysis — Interpret the examined data to draw conclusions. What happened, when, how, and who was involved? Analysis connects technical findings to the investigative questions.
  6. Presentation — Communicate findings to the appropriate audience: management, legal counsel, law enforcement, regulators, or a court. Findings must be presented clearly, with supporting documentation and methodology explained in terms the audience can understand.

The order of volatility matters for collection. Collect the most volatile evidence first:

  1. CPU registers and cache
  2. RAM contents (running processes, network connections)
  3. Swap space and temporary files
  4. Disk data (file systems, logs)
  5. Remote logging and monitoring data
  6. Backup media and archival data

E-Discovery

E-discovery is the process of identifying, preserving, collecting, and producing electronically stored information (ESI) in response to legal proceedings. In the United States, the Federal Rules of Civil Procedure (FRCP) govern e-discovery obligations.

Key e-discovery concepts for the exam:

  • Litigation hold (legal hold) — A directive to preserve all potentially relevant ESI when litigation is reasonably anticipated. This overrides normal retention and destruction schedules. Failing to issue or enforce a litigation hold is spoliation.
  • Proportionality — Discovery obligations must be proportional to the case. A $50,000 contract dispute does not justify $2 million in forensic data recovery.
  • Metadata preservation — ESI must be produced with its metadata intact. Printing emails and producing paper copies destroys metadata (timestamps, routing headers, modification dates) and may be deemed insufficient.
  • Spoliation — Intentional or negligent destruction of evidence after a preservation obligation exists. Courts can impose sanctions, adverse inferences, or default judgments for spoliation.

International Investigation Considerations

Investigations that cross national borders introduce jurisdictional challenges that do not exist in domestic cases.

  • Data sovereignty — Evidence stored in another country may be subject to that country’s data protection laws. A U.S. subpoena may not compel production of data stored in Germany if GDPR restrictions apply.
  • Mutual Legal Assistance Treaties (MLATs) — Formal agreements between countries for sharing evidence in criminal investigations. MLATs are slow — processing can take months to years.
  • CLOUD Act (U.S.) — Allows U.S. law enforcement to compel U.S.-based technology companies to produce data regardless of where it is stored, subject to qualifying agreements with other countries.
  • Privacy restrictions — Employee monitoring and investigation practices that are standard in one country may violate privacy laws in another. European works councils, for example, may need to approve investigation procedures before they begin.

Pattern Recognition

Investigation and evidence questions on the CISSP follow predictable structures:

  • Which investigation type? — Read the scenario for who is investigating and what outcome is sought. Law enforcement involvement signals criminal. Internal HR signals administrative. Regulatory body signals regulatory.
  • Evidence admissibility — The answer almost always hinges on chain of custody or proper collection methodology. If the chain was broken, the evidence is compromised regardless of what it shows.
  • First action in forensics — Preserve volatile evidence before it disappears. Do not power off systems until volatile data is captured. Do not begin analysis before creating verified forensic images.
  • E-discovery trigger — Litigation holds must begin when litigation is reasonably anticipated, not when a lawsuit is formally filed.

Trap Patterns

Watch for these wrong answers:

  • “Power off the compromised system immediately” — This destroys volatile evidence (RAM, running processes, active network connections). The correct first step is to capture volatile data.
  • “Make a copy of the files” — File-level copies are not forensically sound. A bit-for-bit image of the entire storage medium is required, created with a write blocker and verified with cryptographic hashes.
  • “The security team should lead the criminal investigation” — Criminal investigations are led by law enforcement. The security team preserves evidence and cooperates, but does not direct the criminal process.
  • “Administrative investigations require beyond a reasonable doubt” — Administrative investigations use preponderance of evidence. Only criminal proceedings require beyond a reasonable doubt.

Scenario Practice


Question 1

A financial institution discovers that an employee has been transferring funds to a personal account. The security team has log evidence, email records, and database transaction records. Management wants to terminate the employee and pursue criminal charges.

What standard of evidence must the forensic team meet?

A. Substantial evidence, which requires a reasonable basis for the findings
B. Preponderance of evidence for the termination and beyond a reasonable doubt for criminal charges
C. Beyond a reasonable doubt for both actions since fraud is involved
D. Clear and convincing evidence, which is the standard for financial crimes

Answer & reasoning

Correct: B

Two separate actions require two separate standards. Termination is an administrative action requiring preponderance of evidence. Criminal prosecution requires beyond a reasonable doubt. The forensic team should collect and handle evidence to the higher standard from the start, since evidence sufficient for criminal proceedings will also satisfy the administrative standard.


Question 2

During a forensic investigation, an analyst creates a disk image of a suspect’s workstation. The analyst records the SHA-256 hash of the original drive and the image. Three weeks later, when the analyst begins examination, the hash of the image no longer matches the original hash.

What is the implication?

A. The original drive has been altered since the image was created
B. The forensic image has been modified or corrupted, and its evidentiary integrity is compromised
C. SHA-256 hash collisions are common and the mismatch is expected
D. The analyst should create a new image and proceed with the examination

Answer & reasoning

Correct: B

If the hash of the forensic image has changed since creation, the image has been altered or corrupted. Its integrity can no longer be verified, which means the chain of custody for that evidence is broken. SHA-256 collisions are not a practical concern. Creating a new image (D) from the original may be possible, but the fact that the first image was compromised must be documented and may raise questions about evidence handling procedures.


Question 3

A multinational company discovers that an employee in its German office has been exfiltrating trade secrets to a competitor. The U.S. headquarters wants to immediately image the employee’s workstation and review their email history for the past two years.

What factor must be addressed FIRST?

A. The forensic team must obtain a U.S. court order before imaging the workstation
B. European data protection laws and the local works council may restrict employee monitoring and investigation activities
C. The company should wait for the competitor to file a civil lawsuit before beginning the investigation
D. Trade secret theft is only a criminal matter and must be referred to German law enforcement

Answer & reasoning

Correct: B

Investigations involving European employees must account for GDPR and local labor laws. Many European countries require works council approval before employee monitoring or workplace investigations. Acting without regard to these requirements can result in the evidence being inadmissible and can create additional legal liability for the organization. The investigation should proceed, but with legal counsel guidance on local requirements.


Key Takeaway

Evidence is only as strong as the process that produced it. The technical quality of your forensic analysis is irrelevant if the evidence was collected improperly, the chain of custody was broken, or the investigation type was misidentified. As a security operations manager, your role is to establish investigation procedures before incidents occur — defining when to involve law enforcement, how to preserve volatile evidence, who is authorized to handle forensic media, and how chain of custody documentation is maintained. The exam will test whether you can match the right investigation type to a scenario and identify where evidence handling failures compromise the outcome.

Next module: Module 44, Logging and Monitoring Activities