Covers the technical procedures and environmental controls required to preserve, collect, transport, and store physical and digital evidence so that integrity, provenance, and legal admissibility are maintained. Key areas include scene preservation and physical security, scene isolation, photography and documentation of original condition, and secure collection procedures that prevent contamination. For digital evidence this includes device isolation from networks to prevent remote modification, decisions and ordering for volatile data capture versus static disk imaging, use of hardware write blocking and validated forensic imaging tools, and verification of copies using cryptographic hash functions or checksums. It also covers hardware handling and preservation such as anti static measures, tamper evident seals, appropriate packaging, transport security, and storage controls for temperature and humidity. Candidates should be able to describe chain of custody practices and logging for every handling step, step by step processes for seizing devices, preserving metadata, creating verifiable forensic copies, preventing cross contamination between media and systems, and maintaining integrity across multiple custodians and locations. The topic encompasses preservation techniques for different evidence types including computer systems, servers, mobile and wireless devices, network appliances and logs, and removable media, and requires explaining the technical rationale behind each practice.
MediumTechnical
67 practiced
You are asked to assist remotely with a laptop that remains connected to the corporate network and is suspected of exfiltration. Describe technical and legal steps to isolate the device remotely to prevent remote modification or wipes, capture volatile data (RAM, active network connections, credentials in memory) remotely if possible, and document the actions taken for chain-of-custody.
Sample Answer
**Situation & legal authorization**- Immediately obtain written authorization: incident response approval + legal or law enforcement preservation order if evidence may be used in prosecution.- Record who authorized, scope, and timeframe before taking intrusive steps.**Technical isolation (remote, non-destructive first)**- Use network controls to quarantine the host (preferred): place device into a quarantine VLAN via NAC (Cisco ISE), or apply firewall ACLs on edge/switch to block outbound connections except to IR tools/management.- If NAC/quarantine unavailable, apply host-level network block via management plane (Intune/MDM, Jamf) or next‑gen firewall rule tied to IP/MAC.- Disable remote management channels (RDP/WinRM/SSH) via centralized management only after authorization.- Do NOT reboot, shut down, or reimage the device unless authorized (volatile data loss).**Volatile data acquisition (live response, minimize modification)**- Use EDR live response capabilities (CrowdStrike Live Response, Carbon Black Live Response, Microsoft Defender Live Response) to run approved remote collection commands and scripts under chain‑of‑custody.- Capture RAM if available via remote agent: request agent to run an in‑place memory dump (e.g., built‑in EDR memory capture, or run procdump /accepteula -ma lsass.exe only with legal approval). If agent cannot capture memory, consider remote forensic appliance tunnel to run DumpIt or Belkasoft Live RAM capture via secure channel.- Record active network connections and listening ports: netstat -ano, Get-NetTCPConnection, and capture packet traffic via remote tcpdump/WinPcap saved to centralized collector.- Export process list, loaded drivers, registry hives (SAM, SYSTEM, SECURITY) via remote commands, and copy files to write‑protected evidence repository.- Prefer read-only operations and use tools that log hashes and command output.**Prevent remote modification/wipes**- Revoke non-essential credentials and disable remote accounts centrally (AD account disable, revoke OAuth sessions) but preserve local admin account integrity if needed for forensic access — document every change.- Isolate networking to prevent external controllers (C2); keep management paths open for controlled acquisition.- Snapshot VM (if applicable) at hypervisor level to preserve state without altering guest.**Documentation & chain-of-custody**- Time-stamped log of every command, by whom, justification, and authorization. Record session recordings/screenshots and save hashes of collected artifacts (SHA256).- Generate evidence bags (digital), include source IP, MAC, hostname, time, collector tool/version, operator name.- Transfer artifacts over encrypted channel to forensic lab; verify hashes on receipt; store logs in SIEM and case management.- Produce an evidence timeline and signed custody transfer forms for each handoff.**Trade-offs & notes**- Memory and live captures risk modifying ephemeral state — balance evidentiary value vs alteration and document changes.- Always coordinate with legal/LE for actions that may destroy or alter privileged data (LSASS dumps, credential resets).
MediumTechnical
83 practiced
Compare live acquisition, logical extraction, physical extraction and chip-off methods for mobile device forensics. For each method describe the preservation steps, typical tools, types of data recovered (live RAM, app data, deleted data), limitations (rooting, secure enclave, encryption), and how metadata and deleted items are affected.
Sample Answer
**Overview**As a digital forensic examiner I weigh invasiveness, data types, and legal constraints. Below I compare live acquisition, logical extraction, physical extraction, and chip-off across preservation, tools, recoverable data, limitations, and effects on metadata/deleted items.**1) Live acquisition**- Preservation: Photograph device state, enable airplane mode, preserve power, document chain-of-custody; avoid rebooting if unlocked.- Tools: Cellebrite UFED, Magnet AXIOM, ADB (Android), iOS diagnostics with trusted tools.- Data recovered: Live RAM, running processes, open network connections, volatile app data, unlocked keys.- Limitations: Requires unlocked device or exploit; secure enclave keys usually inaccessible; volatile data lost on power-off.- Metadata/deleted: Metadata current; deleted items not generally recoverable unless artifacts in memory.**2) Logical extraction**- Preservation: Forensically image via vendor API/backup interface, hash outputs, maintain original.- Tools: Cellebrite UFED, Oxygen Forensic, iTunes/iCloud backups (preserved with care).- Data recovered: File system-level app data, contacts, SMS, call logs, some app databases.- Limitations: No deleted file recovery, limited to accessible APIs; encryption or locked backups block extraction.- Metadata/deleted: Timestamps preserved as provided; deleted records typically absent.**3) Physical extraction**- Preservation: Isolate device, attempt non-destructive bootloader access (forensically sound), document any rooting.- Tools: JTAG, bootloader dump tools, Cellebrite Physical Analyzer, open-source dd over USB.- Data recovered: Full raw image of flash, deleted data, slack space, deeper system partitions.- Limitations: May require rooting or exploits; modern devices with hardware encryption (file-based or full-disk) and secure enclave can prevent access; risk to firmware integrity.- Metadata/deleted: Timestamps and recoverable deleted items present in raw image; deleted data can be carved but timestamps may be partially lost.**4) Chip-off**- Preservation: Remove storage chip in controlled lab, document desoldering, maintain ESD controls, chain-of-custody strict.- Tools: Hot-air station, microscope, NAND readers, Flash Extractor, vendor-specific decapsulation.- Data recovered: Raw flash including remnant and deleted data, even from damaged devices.- Limitations: Destructive risk, wear-leveling and encryption (hardware-backed keys) complicate reconstruction; secure element keys unrecoverable.- Metadata/deleted: Raw NAND allows maximum recovery of deleted items; metadata may be fragmented or altered by wear-leveling—reconstruction required and timestamps can be inconsistent.**Summary trade-offs**- Live: best for volatile data; minimal depth.- Logical: safest, fastest; limited depth.- Physical: deep recovery including deleted artifacts; riskier and may hit encryption.- Chip-off: last resort for physical recovery/damaged devices; highest technical/legal risk.I document every action, justify chosen method in reports, and ensure defensibility for court.
EasyTechnical
87 practiced
Explain the concept of chain of custody for digital evidence in detail. Describe the minimum required elements to maintain legal admissibility from seizure through storage and transfer, including unique identifiers, who signs each step, timestamps and time formats, location records, condition notes, and how to record unexpected transfers or breaks in custody. Provide a short example entry for a laptop seizure and the rationale for each element.
Sample Answer
**Definition & purpose**Chain of custody (CoC) is the documented, chronological record of evidence handling from seizure to disposition. It proves integrity, accountability, and admissibility by showing who had the item, when, where, and under what condition.**Minimum required elements**- Unique identifier: evidence tag/barcode/URN (e.g., CASE2026-045-LPTP-01).- Item description: make/model/serial, accessories, power state.- Seizure date/time: use UTC ISO 8601 (e.g., 2026-03-02T15:30:00Z).- Seizure location: physical address + GPS or room ID.- Seizing officer/examiner: printed name, badge/employee ID, signature.- Initial condition notes: powering state, stickers, damage, whether imaged on-scene.- Packaging details: tamper-evident bag/label ID.- Transfer records: each transfer entry with from/to, reason, timestamp, signatures.- Storage location: secured evidence locker ID, responsible custodian.- Chain breaks/unexpected transfers: document who authorized, why, approval record, corrective steps.- Retention and disposition: final disposition date and method.**Time formats & timestamps**- Use ISO 8601 UTC: YYYY-MM-DDThh:mm:ssZ for consistency and court acceptance.- Record both local time if required plus UTC offset.**Recording unexpected events**- Immediately annotate entry as “Break in custody” with time, responsible person, justification, supervisory approval, and corrective actions (e.g., reseal, photo).**Short example entry — laptop seizure**- Evidence ID: CASE2026-045-LPTP-01- Item: Dell XPS 13, S/N ABC12345, charger present- Seized: 2026-03-02T15:30:00Z- Location: 401 Main St, Apt 3B (GPS 40.7128N, -74.0060W)- Seized by: Det. A. Rivera, Badge 4789 — signature A.Rivera- Condition: Powered on, screen at login prompt, no visible damage; photographed (Photo IDs P1-P3)- Packaging: Placed in tamper-evident evidence bag TE-2026-78, sealed 2026-03-02T15:42:00Z by A. Rivera- Stored: Evidence Locker E-LK-12 (Access restricted)- Transfer: 2026-03-03T09:00:00Z — Transferred to Forensic Lab by A. Rivera -> Exam. J. Kim (EmpID 3321). Signatures: A.Rivera / J.Kim- Notes: Imaging performed 2026-03-03T10:15:00Z; image SHA256 hash recorded.Rationale for each element is to create an unbroken, verifiable audit trail tying the physical item to digital images and analysis, demonstrating continuity and preventing challenges about tampering or substitution in court.
MediumTechnical
79 practiced
You imaged a drive with ForensicToolA and later re-imaged the same drive with ForensicToolB. The reported hashes differ. Describe a systematic approach to identify and resolve the discrepancy: steps to validate each tool, check write-blocking, examine read errors/bad sectors, compare raw image sizes, reconstruct sector-level differences, and document your findings for legal review.
Sample Answer
**Approach overview**I would follow a methodical, documented workflow: validate tools and environment, confirm imaging conditions, isolate differences at sector level, remediate if possible, and produce a clear legal-ready report.**Step 1 — Immediate containment & documentation**- Record case number, device serial, make/model, connection method, timestamps, examiner, tool names/versions, and any error messages.- Preserve both image files and original device (do not modify).**Step 2 — Validate each tool**- Re-run each tool on a known test device (golden image) to verify expected hash outputs.- Confirm hashing algorithm (MD5/SHA1/SHA256) and whether tool computes during or after imaging.**Step 3 — Check write-blocking and hardware**- Verify hardware write-blocker presence and model; test with write-protection verification utility.- Inspect connection chain (cables, adapters, USB bridges) for devices known to remap sectors (e.g., USB-SATA bridges).**Step 4 — Examine read errors / bad sectors**- Review imaging logs for read errors, CRC failures, SMART attributes.- If errors occurred, re-image using ddrescue or dcfldd with bad-sector handling, producing a mapfile.**Step 5 — Compare raw image properties**- Compare file sizes, partition offsets, and metadata (use ftkimager info, ewfinfo, or sleuthkit mmls).- Use tools: sha256sum, md5sum; use ewf-tools for E01 metadata.**Step 6 — Reconstruct sector-level differences**- Use cmp or hd to find first differing sector: cmp -l imageA.raw imageB.raw- Extract differing sectors with dd: dd if=image.raw bs=512 skip=SECTOR count=1 | xxd- Correlate to physical LBA, partition table, or filesystem structures to see if differences are padding, timestamps, or damaged sectors.**Step 7 — Root-cause and remediation**- If a read error caused different fills (e.g., tool A zero-filled errors, tool B preserved garbage), re-image with controlled parameters and capture error map.- If tool behavior differs (e.g., E01 compression/metadata differences), recreate consistent settings.**Step 8 — Reporting for legal review**- Produce a timeline, chain-of-custody, raw and validated hashes for all images, tool configs, logs, SMART and bad-sector reports, the sector-diff output, and remediation steps taken.- State conclusions: whether discrepancy affects evidentiary content and recommend which image(s) are for analysis and court exhibit, with justification.Example commands (for reference)- sha256sum imageA.raw imageB.raw- cmp -l imageA.raw imageB.raw | head- dd if=imageA.raw of=sector.bin bs=512 skip=12345 count=1- ddrescue -n /dev/sdx image.rescued image.mapThis systematic, reproducible approach ensures technical clarity and defensible documentation for legal proceedings.
HardSystem Design
83 practiced
Design a chain-of-custody tracking system intended for multi-agency forensic collaboration across jurisdictions. Define the key data model fields (evidence ID, description, custody events, signer identity, geo/time stamps, hash values), authentication and authorization model, offline/air-gapped transfer handling, append-only tamper-evident logs, APIs for agency integration, and approaches to legal and privacy constraints.
Sample Answer
**Context & goals**As a digital forensic examiner I need an auditable, tamper-evident chain-of-custody (CoC) system that supports multi‑agency evidence transfer, court-grade provenance, offline handling, and strict privacy controls.**Key data model (per evidence record)**- evidence_id (UUID v4)- title, description, case_id, origin_agent_id- evidence_type, device_meta (hashes of raw image, sector offsets)- custody_events[] (ordered): {event_id, prev_event_hash, action_type (collect/transfer/analysis/return), actor_id, actor_role, actor_signature, from_agency, to_agency, physical_location (lat,long + location_id), timestamp (RFC3339), transport_mode, chain_reason}- content_hashes: {md5, sha1, sha256}, image_manifest (block hashes)- tamper_flag, retention_policy_id, legal_hold_ids- audit_log_pointer (append-only ledger index / blockchain tx id)**Authentication & authorization**- Strong PKI: X.509 per-agent certificates + HSM-backed private keys for signing events- Mutual TLS for API calls; OAuth2 with JWT scoped tokens for session/automation- RBAC + ABAC: roles (examiner, custodian, prosecutor) + attributes (jurisdiction, case clearance)- Multi-party approval flows for cross-jurisdiction transfers (N-of-M signatures)**Append-only tamper-evident logs**- Immutable ledger: write-once event store (WORM) persisted to local immutable storage + periodic anchoring to a permissioned blockchain or Merkle-root published to multiple participating agencies- Each custody_event includes prev_event_hash and signer signature; ledger verifies chain integrity**Offline / air-gapped handling**- Export signed, encrypted evidence manifest (JSON-LD) + content hashes on tamper-evident media (hardware-signed USB / secure SD card)- Manual transfer workflow: QR-coded manifest, human-readable printout, dual-signature receipt; upon re-ingest, automated verification of signatures and hashes; record GPS/time of re-ingest with attestations- Use ephemeral one-time tokens and courier receipts recorded as custody_events**APIs for agency integration**- REST + gRPC endpoints: CreateEvidence, AddCustodyEvent, QueryEvidence, VerifyChain, ExportManifest- Webhooks for cross-agency notifications; schema using JSON-LD and W3C Verifiable Credentials for signatures- Rate-limited, signed requests; schema versioning; sandbox for onboarding**Legal & privacy**- Data minimization: store pointers and hashes, not raw content unless required; encryption-at-rest (AES-256) and envelope encryption per-agency key- Jurisdictional access controls, data residency metadata, and court-order workflow for cross-jurisdiction access- Audit trails for GDPR/FOIA; retention & destruction driven by policy tags and legal_hold flags; redact-only views for external partners- Maintain chain and key custody logs to support admissibility (Daubert/Frye): certificate lifecycle, key escrow policy, and documented SOPs**Trade-offs & operational notes**- Permissioned ledger balances auditability with privacy (vs public blockchain)- PKI/HSM adds operational complexity but required for courtroom trust- Offline workflows prioritize physical evidence integrity over instant sync; reconciled on re-ingest with cryptographic proofsI would present a reference event schema and mock API spec during implementation to align agencies and legal teams.
Unlock Full Question Bank
Get access to hundreds of Evidence Preservation and Handling interview questions and detailed answers.