Investigation Types
What the Exam Is Really Testing
"What type of investigation is this?"
That is the first question you need to answer in any incident scenario on the CISSP exam. Not "what tool should we use" or "how do we contain it." The type of investigation determines who leads it, what standard of proof applies, how evidence must be handled, and what the organization can and cannot do on its own.
Get the investigation type wrong, and every subsequent decision — evidence collection, notification, legal involvement — follows the wrong path.
The exam tests whether you can classify an investigation correctly and understand the procedural consequences of that classification.
The Five Investigation Types
Administrative investigations are internal matters. An employee violates an acceptable use policy. A contractor accesses files outside their scope. A department fails an internal audit. These are handled within the organization's authority. The standard of proof is the lowest — typically substantial evidence or preponderance of the evidence. No law enforcement involvement is required. The organization controls the process, the timeline, and the outcome (which may include termination, reprimand, or policy revision).
Civil investigations arise from disputes between parties. One company sues another for breach of a data sharing agreement. A customer seeks damages after a breach. An employee files a wrongful termination claim tied to a security incident. The standard of proof is preponderance of the evidence — the claim must be more likely true than not. Discovery rules apply, meaning both parties may be compelled to produce electronic evidence. E-discovery and litigation holds become relevant.
Criminal investigations involve violations of criminal law. Unauthorized access under the CFAA, theft of trade secrets, ransomware attacks, fraud. These require law enforcement involvement. The standard of proof is beyond a reasonable doubt — the highest bar. Evidence handling must be meticulous because it will face scrutiny in court. The organization does not lead a criminal investigation — law enforcement does. The organization's role is to preserve evidence and cooperate.
Regulatory investigations are conducted by government agencies enforcing their regulations. HIPAA audits by HHS, SEC inquiries into cybersecurity disclosures, FTC investigations into deceptive data practices. The standard varies by agency but is typically substantial evidence. The organization must comply with information requests, and obstruction can escalate consequences significantly.
Industry standards investigations involve compliance with non-governmental frameworks. PCI DSS assessments after a cardholder data breach, SWIFT Customer Security Programme reviews, SOC 2 audit findings. These are driven by contractual obligations rather than law. The "investigation" is often a formal assessment conducted by a Qualified Security Assessor (QSA) or similar authorized auditor.
Evidence Types
Regardless of investigation type, evidence falls into four categories:
Real evidence (physical evidence) — Tangible objects. A damaged hard drive, a printed document, a USB device found at the scene. Can be directly examined by the court.
Documentary evidence — Written or recorded information. Logs, contracts, emails, policies, reports. Subject to the best evidence rule, which generally requires the original document rather than a copy (with exceptions for electronic records under the Federal Rules of Evidence).
Testimonial evidence — Statements made under oath by witnesses. Expert witnesses provide opinion testimony based on specialized knowledge (a forensic analyst explaining log analysis). Lay witnesses testify to facts they directly observed. Hearsay — testimony about what someone else said — is generally inadmissible with specific exceptions.
Demonstrative evidence — Visual aids that help explain other evidence. Network diagrams, timeline reconstructions, simulations of an attack sequence. Not evidence of facts themselves, but tools to help a judge or jury understand the facts.
Evidence Handling and Admissibility
Evidence that is improperly collected, stored, or documented may be ruled inadmissible. Three principles govern evidence handling:
Chain of custody — A documented, unbroken record of who possessed the evidence, when, and what they did with it. Every transfer must be logged. Every access must be documented. Gaps in the chain allow opposing counsel to argue the evidence was tampered with. For digital evidence, this includes hash values taken at the time of acquisition and verified at each transfer.
Admissibility — Evidence must be relevant (related to the case), reliable (collected and preserved properly), and legally obtained (not through unreasonable search or violation of rights). For digital evidence, authentication is also required — proof that the evidence is what it purports to be.
Best evidence rule — Courts prefer original documents. For digital evidence, a forensically sound bit-for-bit copy verified by hash comparison is treated as equivalent to the original. Working from copies while preserving the original is standard forensic practice.
One additional concept the exam tests: due care vs. due diligence in evidence preservation. Due care means taking reasonable steps to protect evidence (not wiping a drive). Due diligence means actively verifying those steps are followed (confirming the forensic image hash matches the source).
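The three handling principles above, together with the hash gap in Question 2 of the scenario practice below, can be made concrete. The following Python is an added illustration for this guide, not code from the guide itself or from any forensic tool: it records a SHA-256 baseline at acquisition, has the receiver re-hash the copy at every documented transfer, and audits the log for undocumented handoffs and hash mismatches (the due diligence step of confirming the image still matches the source). The hash algorithm, field names, custodian names and the byte string standing in for a disk image are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash used for the acquisition baseline and every later verification."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str          # UTC ISO-8601, recorded at the moment of the event
    from_custodian: str     # who handed the item over ("" for acquisition)
    to_custodian: str       # who holds it after this event
    action: str             # "acquired" or "transferred"
    observed_hash: str      # SHA-256 computed by the receiver at this step


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str
    chain: list = field(default_factory=list)

    def holder(self) -> str:
        """Current custodian according to the log."""
        return self.chain[-1].to_custodian if self.chain else ""


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def acquire(item_id: str, description: str, image: bytes, custodian: str) -> EvidenceItem:
    """Create the item and its first chain entry, carrying the baseline hash."""
    baseline = sha256_hex(image)
    item = EvidenceItem(item_id, description, baseline)
    item.chain.append(CustodyEntry(_now(), "", custodian, "acquired", baseline))
    return item


def transfer(item: EvidenceItem, image_as_received: bytes,
             from_custodian: str, to_custodian: str) -> bool:
    """Log a handoff; the receiver re-hashes the copy they were given.
    Returns False when the hash no longer matches the acquisition baseline."""
    observed = sha256_hex(image_as_received)
    item.chain.append(CustodyEntry(_now(), from_custodian, to_custodian,
                                   "transferred", observed))
    return observed == item.acquisition_hash


def audit_chain(item: EvidenceItem) -> list:
    """Due-diligence check: list every gap opposing counsel could point at."""
    findings = []
    if not item.chain or item.chain[0].action != "acquired":
        findings.append("no acquisition record")
        return findings
    previous_holder = item.chain[0].to_custodian
    for entry in item.chain[1:]:
        # A transfer whose sender is not the last logged holder is an undocumented handoff.
        if entry.from_custodian != previous_holder:
            findings.append(f"undocumented handoff: {previous_holder} -> "
                            f"{entry.from_custodian} before {entry.to_custodian}")
        if entry.observed_hash != item.acquisition_hash:
            findings.append(f"hash mismatch when {entry.to_custodian} received item")
        previous_holder = entry.to_custodian
    return findings


if __name__ == "__main__":
    # Constructed sample: a short byte string stands in for a forensic image.
    image = b"constructed forensic image contents"
    item = acquire("EV-001", "laptop disk image (constructed)", image, "analyst_a")
    print(transfer(item, image, "analyst_a", "analyst_b"))          # True: copy verified
    print(transfer(item, image + b"x", "analyst_c", "analyst_d"))   # False: altered copy, undocumented handoff
    for finding in audit_chain(item):
        print("finding:", finding)
```

The second transfer in the usage block reproduces the Question 2 failure in miniature: nobody logged how the item went from analyst_b to analyst_c, and the bytes changed along the way. Either defect alone is enough for the audit to flag the item.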
Forensic Investigation Standards
Forensic work follows a structured process:
- Identification — Determine what evidence exists and where it is located. Volatile data (RAM, running processes, network connections) must be identified and prioritized because it disappears when systems are powered off.
- Preservation — Protect evidence from alteration. Create forensic images. Document hash values. Establish chain of custody. Use write blockers for storage media.
- Collection — Acquire evidence in a forensically sound manner. Follow the order of volatility: registers, cache, RAM, disk, remote logs, archival media. Capture volatile data first.
- Examination — Process collected data to extract relevant information. This may involve file carving, timeline analysis, log correlation, and artifact recovery.
- Analysis — Interpret the processed data to draw conclusions. Reconstruct events, identify actors, determine scope.
- Reporting — Document findings in a manner appropriate to the audience. Technical reports for internal teams, formal reports for legal proceedings, executive summaries for leadership.
The order of volatility is heavily tested. RAM contents are lost on power-off. Disk contents persist but may be overwritten. Network connection data is transient. Always capture the most volatile data first.
Pattern Recognition
When an investigation scenario appears:
- Classify the investigation type — is this administrative, civil, criminal, regulatory, or industry?
- Identify the burden of proof — preponderance (civil/admin), beyond reasonable doubt (criminal), or substantial evidence (regulatory)?
- Determine who leads — internal team (admin), attorneys (civil), law enforcement (criminal), regulators (regulatory), or assessors (industry)?
- Check evidence handling requirements — criminal investigations demand the strictest chain of custody; administrative investigations have more flexibility.
- Consider notification obligations — criminal matters may require law enforcement notification; regulatory matters may require agency notification.
If the scenario involves a crime (unauthorized access, theft, fraud), law enforcement must be involved. The organization does not conduct its own criminal investigation. It preserves evidence and cooperates.
Trap Patterns
- Conducting a criminal investigation internally — Organizations preserve evidence and cooperate with law enforcement. They do not prosecute crimes. If the answer suggests the security team should "investigate the criminal activity," that is usually wrong.
- Confusing burden of proof standards — Preponderance of the evidence (51% likely) is civil. Beyond a reasonable doubt (near certainty) is criminal. The exam uses these phrases as distractor anchors.
- Ignoring volatility order — If a question asks what to collect first, the answer is the most volatile data. RAM before disk. Running processes before archived logs. Powering a system off destroys its volatile data.
- Breaking chain of custody — If an answer choice involves moving evidence without documentation, allowing unauthorized access, or failing to verify integrity, that option is wrong regardless of how operationally efficient it sounds.
- Treating all investigations the same — An administrative investigation for policy violation does not require the same evidence rigor as a criminal prosecution. But if there is any possibility the matter could escalate to criminal, handle evidence as if it will go to court.
Scenario Practice
Question 1
A security analyst discovers that an employee has been exfiltrating customer records to a personal cloud storage account. The data includes financial information from over 10,000 customers.
What should the organization do FIRST?
A. Terminate the employee immediately and revoke all access
B. Preserve evidence and contact law enforcement
C. Conduct a full internal forensic investigation before taking any action
D. Notify all affected customers within 24 hours
Answer & reasoning
Correct: B
Exfiltrating 10,000 customer financial records is a criminal matter — likely violating the CFAA and potentially state data theft statutes. The organization's first priority is preserving evidence and involving law enforcement.
Terminating the employee (A) may be necessary but could alert accomplices or destroy evidence if done before preservation. A full internal forensic investigation (C) is not the organization's role in a criminal matter. Customer notification (D) is required but is not the first step — evidence preservation takes priority to support prosecution.
Question 2
During an incident response, a junior analyst copies suspicious log files to a USB drive to analyze on their personal workstation. No hash values were taken before or after the copy.
What is the PRIMARY concern with this action?
A. The USB drive may contain malware that infects the workstation
B. The chain of custody has been compromised, potentially making the evidence inadmissible
C. The analyst violated the acceptable use policy for personal devices
D. The log files may be too large for the USB drive capacity
Answer & reasoning
Correct: B
Without hash verification at the time of copy, there is no way to prove the evidence was not altered during transfer. The lack of documentation about who handled the evidence and when creates a gap in the chain of custody. If this matter proceeds to litigation or prosecution, opposing counsel can argue the evidence is unreliable.
The other concerns may be valid operationally, but the primary issue from an investigation standpoint is evidence integrity.
Question 3
A healthcare organization receives a letter from HHS stating that a compliance review of their HIPAA security practices will begin in 30 days.
What type of investigation is this, and what is the appropriate response?
A. Criminal investigation; contact law enforcement for guidance
B. Administrative investigation; handle internally without external involvement
C. Regulatory investigation; cooperate fully and prepare documentation of security controls
D. Civil investigation; retain outside counsel to negotiate the scope
Answer & reasoning
Correct: C
An HHS compliance review is a regulatory investigation. The agency is exercising its authority under HIPAA to review the organization's security practices. The appropriate response is full cooperation and preparation of documentation demonstrating compliance with the Security Rule's administrative, physical, and technical safeguards.
This is not criminal (no crime alleged), not purely administrative (external agency involved), and not civil (no lawsuit filed). While legal counsel should be informed, the primary response is cooperation and documentation.
Key Takeaway
Investigation type determines everything that follows. Before you think about tools, techniques, or timelines, classify the investigation:
- Administrative — internal, lowest burden, you control the process
- Civil — between parties, preponderance standard, e-discovery applies
- Criminal — law enforcement leads, highest burden, preserve and cooperate
- Regulatory — agency-driven, cooperate and document
- Industry — contractual, assessor-driven, demonstrate compliance
And when in doubt about evidence handling, treat it as if it will end up in court. You can always relax standards later. You cannot retroactively fix a broken chain of custody.