Chain of Custody

Chain of custody is the documented record tracking who collected, handled, transferred, and analyzed digital evidence from the moment of collection through any legal proceedings. A break in the chain can make evidence inadmissible in court and undermine an entire investigation.

Digital forensic investigators use write-blocking tools that prevent modification, calculate cryptographic hashes immediately to verify integrity, and document every action with timestamps and signatures. Work is performed on forensic copies, never the original evidence.
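The hashing and documentation steps described above, as an added example that is not part of the original page: it hashes an evidence image at acquisition, checks a working copy against that hash, and keeps a custody log in which each record is linked to the previous record's hash so an edited or removed record is detectable. The function names, record fields, actor names and sample file are assumptions made for illustration, and the hash chain stands in for the signatures the text mentions.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large images are hashed without loading them into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    """Hash of a record's canonical JSON form, excluding its own digest field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, actor, action, evidence_hash):
    """Append a timestamped custody record linked to the previous record's hash."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "actor": actor,
             "action": action, "evidence_sha256": evidence_hash,
             "prev_hash": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)

def verify_log(log):
    """Return the index of the first altered or unlinked record, or None if intact."""
    prev = "0" * 64
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or e["entry_hash"] != entry_digest(e):
            return i
        prev = e["entry_hash"]
    return None

def demo():
    """Constructed scenario: acquire, copy, verify, then alter the copy and a record."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.img")  # constructed sample, not real evidence
        with open(original, "wb") as f:
            f.write(b"constructed sample image" * 1000)
        log, acquired = [], sha256_file(original)
        add_entry(log, "examiner-a", "acquired image", acquired)
        copy = shutil.copy(original, os.path.join(d, "working.img"))
        copy_ok = sha256_file(copy) == acquired       # working copy matches original
        add_entry(log, "examiner-b", "received working copy", sha256_file(copy))
        with open(copy, "ab") as f:                   # simulate a modified copy
            f.write(b"\x00")
        copy_after = sha256_file(copy) == acquired    # mismatch exposes the change
        intact = verify_log(log)
        log[0]["actor"] = "someone-else"              # simulate an edited record
        return copy_ok, copy_after, intact, verify_log(log)
```

Calling `demo()` returns, in order, whether the fresh copy matched, whether the altered copy still matched, the log check before tampering, and the index of the edited record.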

CISSP Relevance

Chain of custody is covered in Domain 7 (Security Operations) and Domain 6 (Security Assessment and Testing). CISSP candidates must understand forensic evidence handling requirements and how chain of custody procedures connect incident response to potential legal action.

External reference: NIST Digital Forensics and Chain of Custody

Related terms: Incident Response, Audit Trail