Cyber Security Academy · Lesson

Evidence Collection and Chain of Custody

Learn forensically sound evidence collection, hashing, and maintaining chain of custody.

Why Evidence Matters

Digital evidence collected during incident response may be used in legal proceedings, HR actions, or regulatory reviews. Evidence must be collected, preserved, and documented following proper procedures to maintain its admissibility and integrity.

Types of Digital Evidence

Evidence categories:

  • Volatile: RAM contents, running processes, network connections — lost on reboot
  • Non-volatile: disk images, log files, database records
  • Network: packet captures, NetFlow records
  • Application: access logs, audit logs, emails
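The hashing and custody documentation described in "Why Evidence Matters", applied to the evidence categories listed above, as an added example that is not part of the original lesson. The record fields, function names, sample values, and the choice to hash-chain the log entries are illustrative assumptions, not a prescribed standard.

```python
import hashlib
import json
from datetime import datetime, timezone

CATEGORIES = {"volatile", "non-volatile", "network", "application"}  # the lesson's four categories
GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first entry

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Hash a canonical JSON form of the entry, excluding its own digest field.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_bytes(json.dumps(body, sort_keys=True).encode())

def add_entry(log, item_id, category, action, handler, evidence: bytes, when=None):
    """Append a custody entry: records the evidence hash and links to the previous entry."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown evidence category: {category}")
    entry = {
        "item_id": item_id,
        "category": category,
        "action": action,  # e.g. "acquired", "transferred", "analyzed"
        "handler": handler,
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "evidence_sha256": sha256_bytes(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log, current_evidence: dict) -> list:
    """Return problems found: broken links, edited entries, or evidence whose hash changed."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        if e["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {i}: entry contents altered")
        data = current_evidence.get(e["item_id"])
        if data is not None and sha256_bytes(data) != e["evidence_sha256"]:
            problems.append(f"entry {i}: evidence {e['item_id']} does not match recorded hash")
        prev = e["entry_hash"]
    return problems

if __name__ == "__main__":
    log, disk = [], b"constructed sample bytes standing in for a disk image"
    add_entry(log, "EV-001", "non-volatile", "acquired", "analyst-a", disk)
    print(verify_log(log, {"EV-001": disk}))
```

An empty list from `verify_log` means every entry still links to its predecessor and the evidence still matches the hash recorded at each hand-off.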
