Memorize the volatility collection order with this phrase: "Really Need Processes Dealt From Backups"
- RAM — most volatile, lost on power loss
- Network connections / routing tables — current state
- Processes — running processes disappear on reboot
- Disk image — stable, persists without power
- Firmware — very stable
- Backups — least volatile
Exam trap: A question may list acquisition types and ask which should be collected first. RAM is always first. If the answer options include "disk" as first, it is always wrong when a live system is running.
Second trap: If a system uses full-disk encryption and is running, the sequence changes: RAM collection becomes even more critical because the decryption keys are in RAM. If you power off first, you get an encrypted unreadable disk. RAM first, always.
Chain of custody questions will ask what proves evidence integrity or what was done wrong. The complete chain requires:
- Hash before analysis — documents original state
- Hash after analysis — proves nothing changed
- Matching hashes = evidence not modified = admissible
- Tagging, sealing, secure storage, access log
If an exam answer says "the analyst forgot to hash the drive before analysis," the evidence integrity is broken. If the analyst worked from the original instead of a copy, the hash would likely differ. If the seal was broken, tampering is indicated.
Key phrase: "If you cannot prove it was not changed, you cannot use it in court." Chain of custody is entirely about provability.
Legal hold questions often test who initiates the hold. The answer is always legal counsel, never IT or security.
Decision tree for legal hold questions:
- "Who decides a legal hold is needed?" → Legal counsel
- "Who implements the preservation?" → IT/security
- "Who are custodians?" → Anyone with relevant data
- "What is the obligation?" → Preserve ESI, stop deletion, ongoing until released
Exam trap: A question may say "the IT security manager decided a legal hold was needed after discovering the breach." This is wrong — IT cannot initiate a legal hold. Legal counsel makes that determination based on litigation risk. IT may alert legal that litigation is possible, but the hold decision and notification belongs to legal.
Also: a legal hold does not equal forensic analysis. Legal hold = preserve. Forensics = examine.
This is a frequent exam distinction. Use this filter question: Is the goal to collect documents or to reconstruct events?
- Collect documents for legal review → E-discovery
- Reconstruct what happened during an attack → Digital forensics
Additional distinguishing markers:
- Driven by attorneys? → E-discovery
- Driven by security/law enforcement? → Forensics
- Output is document production to opposing counsel? → E-discovery
- Output is a technical report with timeline? → Forensics
- Requires analysis of how events occurred? → Forensics (e-discovery does not)
Both can occur simultaneously in the same incident. A breach involving litigation requires forensics to understand the attack AND e-discovery to produce relevant business documents. They are not mutually exclusive — they serve different purposes to different audiences.
Practice Scenarios
A forensic investigator responds to a breach involving a running workstation with an active BitLocker-encrypted session. The investigator takes the following actions: (1) disconnects the network cable; (2) powers off the workstation to "preserve the state"; (3) places the hard drive in an evidence bag without a write blocker; (4) connects the drive directly to a personal laptop to image it; (5) computes a hash of the image after imaging is complete.
Identify every error and explain its consequence.
Answer: (1) Disconnecting network before RAM capture may be acceptable, but should occur after RAM imaging since network connections are more volatile than disk. (2) Powering off before RAM imaging destroyed all volatile evidence: running processes, active network connections, and most critically the BitLocker decryption keys in RAM — the disk image will now be encrypted and unreadable. (3) Placing the drive in an evidence bag without a write blocker does not inherently cause harm yet, but sets up the next error. (4) Connecting directly to a personal laptop without a write blocker exposes the drive to OS automatic writes (mounting, indexing, swap file operations) that modify the evidence and change the hash. Chain of custody is broken. (5) Hashing only after imaging, not before, means there is no baseline to compare — the hash proves nothing about the state before analysis. Should hash before and after.
A company discovers that a former employee may have stolen confidential customer data before leaving. Three people each take separate actions: (A) The IT security manager instructs the email server team to freeze the former employee's email account. (B) The HR director emails all managers to preserve any communications with the former employee. (C) The general counsel sends a formal legal hold notice to all data custodians, specifying what must be preserved and creating a documented obligation. Who initiated the legal hold, and which actions were correct?
Answer: Only action (C) is a legal hold — it was initiated by legal counsel (general counsel), creates a formal documented obligation, specifies scope, and notifies custodians. Action (A) is an IT security response (account freeze) — appropriate but not a legal hold. Action (B) by HR is informal and has no legal standing; informal email requests do not satisfy legal hold requirements. The legal hold must come from legal counsel with specific scope, formal notification to custodians, and documentation of the obligation and date. IT and HR actions may support the response, but only counsel creates the legal hold.
A healthcare company suffers a ransomware attack. Simultaneously: (1) The security team investigates how the attacker entered, what systems were compromised, and what data was accessed, producing a technical timeline. (2) Outside counsel instructs the company to preserve all communications about the attack for a potential regulatory investigation. (3) The legal team collects patient communication records, insurance documents, and billing records relevant to a patient lawsuit arising from the data breach.
Identify which process applies to each activity and who drives each one.
Answer: (1) Digital forensics — driven by the security team; goal is to reconstruct events, identify attacker techniques, and support remediation. Output: forensic report with timeline, findings, and conclusions. (2) Legal hold — driven by outside counsel; goal is to preserve ESI related to the regulatory investigation; creates ongoing custodian obligations. (3) E-discovery — driven by the legal team; goal is to collect and produce ESI relevant to the lawsuit for attorney review and production to opposing counsel. No analysis of how events occurred is required. All three can occur simultaneously on overlapping data sets, but each has different legal basis, different ownership, and different output.