
Digital Forensics Explained for Security+

When an incident occurs, the investigation that follows determines what actually happened, whether the attacker is identified, and whether legal action is possible. Digital forensics is the disciplined process of collecting, preserving, analyzing, and presenting digital evidence in a way that maintains its integrity and legal admissibility. Security+ tests the order of volatility (which evidence disappears fastest and must be collected first), the chain of custody, write blockers, and forensic imaging. Cutting corners in evidence collection can destroy the evidence that would have identified the attacker, or make prosecution impossible.


Order of volatility and evidence collection

Digital evidence varies enormously in how long it persists. The order of volatility determines which evidence to collect first, before it disappears. Registers, cache, and running processes in CPU and memory are gone the moment the system is powered off or reboots. Active network connections close within seconds if the system loses connectivity. Swap and virtual memory on disk disappear when the OS clears them. Disk data is far more durable, persisting until it is actively overwritten. Remote logs and archived data are the most durable of all.

The practical implication: capture live memory before taking a disk image. A forensic memory dump captures running processes, encryption keys loaded in RAM, active network connections, and malware that exists only in memory. Turning off the system first destroys all of this. For fileless malware that leaves no disk artifacts, the memory dump may be the only evidence.

The order from most volatile to least: CPU registers and cache, RAM and live processes, network connections, running OS state, disk contents, remote logging, archived backup data. Collect in this order without exception.
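The live-response portion of that order, as an added example for this study guide (not code from the page or from any forensic product): a Python script that captures volatile artifacts on a Linux host in the prescribed sequence and hashes each one as it is captured so it can be entered into the custody record. It assumes `/proc` is mounted and treats memory acquisition as the first plan step only, since that needs a dedicated kernel-level tool. The `/proc/net/tcp` parser is the non-obvious part: the kernel prints IPv4 addresses as 32-bit integers in host byte order, so `0100007F:0277` is `127.0.0.1:631` on a little-endian host. The `SAMPLE_PROC_NET_TCP` table is constructed for the demo.

```python
"""Live-response triage: capture volatile artifacts in order of volatility.

Added example for this study guide, not code from the page or any forensic
product. Assumes a Linux host with /proc mounted. Memory acquisition itself
needs a kernel-level tool and is only represented as the first plan step.
"""
import hashlib
import json
import os
import socket
import struct
import time

# Most volatile first; the write-blocked disk image is deliberately last.
COLLECTION_ORDER = ["memory", "processes", "network", "disk"]

# State codes as printed in the 'st' column of /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}


def decode_proc_addr(field):
    """'0100007F:0277' -> ('127.0.0.1', 631).

    /proc/net/tcp prints the IPv4 address as a 32-bit integer in host byte
    order; '<I' assumes a little-endian host (x86, ARM), as the sample does.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Turn the raw /proc/net/tcp table into a list of connection records."""
    conns = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        lip, lport = decode_proc_addr(fields[1])
        rip, rport = decode_proc_addr(fields[2])
        conns.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
                      "state": TCP_STATES.get(fields[3], fields[3]),
                      "uid": int(fields[7]), "inode": int(fields[9])})
    return conns


def snapshot_processes(proc_root="/proc"):
    """List (pid, cmdline) for every live process; ones that exit mid-scan are skipped."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as fh:
                cmd = fh.read().replace(b"\x00", b" ").decode(errors="replace").strip()
        except OSError:
            continue            # the process vanished between listdir and open
        procs.append((int(name), cmd))
    return sorted(procs)


def record_artifact(out_dir, name, data):
    """Write one artifact and return the fields the custody log needs."""
    with open(os.path.join(out_dir, name), "wb") as fh:
        fh.write(data)
    return {"artifact": name, "captured_at": time.time(),
            "sha256": hashlib.sha256(data).hexdigest()}


def live_triage(out_dir, proc_root="/proc"):
    """Run the volatile steps in COLLECTION_ORDER and return custody records."""
    os.makedirs(out_dir, exist_ok=True)
    records = []
    # 1. memory: a dedicated acquisition tool runs here, before anything else.
    records.append({"artifact": "memory", "note": "acquire with a kernel-level tool first"})
    # 2. running processes
    procs = snapshot_processes(proc_root)
    records.append(record_artifact(out_dir, "processes.json", json.dumps(procs).encode()))
    # 3. network connections: keep the raw table as evidence, the parsed form for analysis
    with open(os.path.join(proc_root, "net", "tcp"), "rb") as fh:
        raw = fh.read()
    records.append(record_artifact(out_dir, "tcp_raw.txt", raw))
    conns = parse_proc_net_tcp(raw.decode())
    records.append(record_artifact(out_dir, "tcp.json", json.dumps(conns).encode()))
    # 4. disk: only now would the write-blocked image be taken (not done here).
    return records


# Constructed sample of /proc/net/tcp output from a little-endian host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A2C4 057100CB:01BB 01 00000000:00000000 02:00000B67 00000000  1000        0 98765 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for conn in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(conn)
```

Running `live_triage("/tmp/triage")` on a live host produces the artifact files plus one hash-and-timestamp record per artifact; the `OSError` branch in `snapshot_processes` is the order of volatility showing up in practice, since processes can exit between the directory listing and the read.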

Chain of custody, imaging, and write blockers

Chain of custody is the unbroken documented record of who possessed, handled, or accessed evidence from the moment of collection through courtroom presentation. Every transfer of custody is logged with the date, time, reason, and identities of both parties. If the chain of custody is broken or unverifiable, a defense attorney can argue that the evidence could have been tampered with and have it excluded from court.

Forensic imaging creates a bit-for-bit copy of a storage device without changing a single bit on the original. You analyze the image, never the original. This preserves the original in its unmodified state for chain of custody purposes. Write blockers are hardware or software devices that physically prevent any write commands from reaching the original disk during imaging. Without a write blocker, simply connecting the drive to a forensic workstation can modify timestamps or journal entries on the original.

Hash verification confirms the image is an exact copy. Calculate a SHA-256 hash of both the original and the image. Matching hashes prove the image is identical to the original. Document the hash values in the case file as part of the chain of custody record.
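The imaging, hash verification, and chain-of-custody steps above, as an added example for this study guide (not code from the page or from any forensic product): a Python script that streams both the original and the image through SHA-256, records the hashes in a custody log, and links each custody entry to the previous one by hash so that a retroactive edit to the log is detectable. The "drive" here is a constructed file standing in for a write-blocked device, and the log format (JSON lines with a `prev` field) is an assumption of the example, not a standard.

```python
"""Forensic image hash verification with a tamper-evident chain-of-custody log.

Added example for this study guide, not code from the page or any forensic
product. Assumptions (constructed for the demo): the "original" is a small
file standing in for a write-blocked drive, and custody entries are JSON
lines in a local log file, each linked to the previous entry by its hash.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the file through SHA-256 so a multi-terabyte image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(original_path, image_path):
    """Return (match, original_hash, image_hash); both hashes go into the case file."""
    original_hash = sha256_file(original_path)
    image_hash = sha256_file(image_path)
    return original_hash == image_hash, original_hash, image_hash


def append_custody_entry(log_path, handler, action, item, sha256, reason):
    """Append one custody record that also carries the hash of the previous record."""
    prev = None
    if os.path.exists(log_path):
        with open(log_path, "rb") as fh:
            lines = fh.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(), "handler": handler,
             "action": action, "item": item, "sha256": sha256, "reason": reason,
             "prev": prev}
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_custody_log(log_path):
    """True only if every record's 'prev' equals the hash of the record before it."""
    with open(log_path, "rb") as fh:
        lines = fh.read().splitlines()
    expected_prev = None
    for line in lines:
        if json.loads(line)["prev"] != expected_prev:
            return False
        expected_prev = hashlib.sha256(line).hexdigest()
    return True


def run_demo():
    """Constructed scenario: image a 'drive', verify, log custody, then detect tampering."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "drive-001.raw")
    image = os.path.join(workdir, "drive-001.img")
    log = os.path.join(workdir, "custody.jsonl")
    with open(original, "wb") as fh:
        fh.write(os.urandom(4096) * 4)                 # constructed drive contents
    with open(original, "rb") as src, open(image, "wb") as dst:
        dst.write(src.read())                          # stands in for the bit-for-bit imager
    match_before, orig_hash, img_hash = verify_image(original, image)
    append_custody_entry(log, "examiner-1", "seized", "drive-001", orig_hash, "hash at seizure")
    append_custody_entry(log, "examiner-1", "imaged", "drive-001.img", img_hash, "verified copy")
    append_custody_entry(log, "examiner-2", "received", "drive-001", orig_hash, "transfer to lab")
    intact_before = verify_custody_log(log)
    # A single byte changed in the image (say, by an analysis tool) breaks the match.
    with open(image, "r+b") as fh:
        fh.seek(100)
        byte = fh.read(1)
        fh.seek(100)
        fh.write(bytes([byte[0] ^ 0xFF]))
    match_after = verify_image(original, image)[0]
    # Editing an earlier custody record breaks the hash link from the record after it.
    with open(log, "rb") as fh:
        lines = fh.read().splitlines()
    lines[1] = lines[1].replace(b'"examiner-1"', b'"examiner-9"')
    with open(log, "wb") as fh:
        fh.write(b"\n".join(lines) + b"\n")
    intact_after = verify_custody_log(log)
    return {"match_before": match_before, "match_after": match_after,
            "log_intact_before": intact_before, "log_intact_after": intact_after,
            "entries": len(lines)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In real use `original_path` is the block device behind the write blocker and `image_path` is the imager's output file; hashing the original means reading the entire device a second time, which is exactly why the write blocker has to stay in place for that read as well.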

How to choose the correct answer

Order of volatility from most to least: registers/CPU cache, RAM, network connections, disk, remote logs, backups. Always collect more volatile evidence first.

Write blocker: required before connecting any drive to prevent accidental modification of the original evidence.

Forensic image: bit-for-bit copy of original storage. Verify with matching hash values before and after imaging.

Chain of custody: document every hand the evidence passes through. A gap in documentation can make evidence inadmissible.

Live forensics: capturing evidence from a running system while it is still powered on, to preserve volatile data before shutdown.

Key exam facts — Security+ / CISSP

  • Order of volatility: CPU/RAM (most volatile) > Network connections > Disk > Remote logs (least volatile).
  • Collect most volatile evidence first. Memory dump before shutdown.
  • Write blocker: prevents write commands to original drive during imaging. Required for forensic integrity.
  • Forensic image: bit-for-bit copy. Hash before and after to verify integrity.
  • Chain of custody: unbroken documentation of evidence handling. Gap = potentially inadmissible.

Common exam traps

Powering off a compromised system immediately is the correct first response.

Powering off immediately destroys all volatile evidence: RAM contents, running processes, active network connections, and any malware existing only in memory. Capture volatile evidence before shutdown, unless the threat of ongoing damage from a live attack makes shutdown necessary to stop the bleeding.

You can analyze the original drive directly as long as you are careful.

Always analyze a forensic image, never the original. Analysis tools access files, modify access timestamps, and can alter the evidence; once the original has been touched, you cannot prove that it was not altered. The original must remain unmodified in secure storage as the authoritative copy.

Chain of custody applies only when the case will definitely go to court.

You cannot know at the start of an investigation whether it will result in legal proceedings. Maintain chain of custody for every investigation. Reconstructing custody documentation after the fact is not accepted. If prosecution becomes necessary later, a proper chain of custody from the beginning is essential.
