Digital forensics is the discipline of recovering, preserving, and analyzing electronic evidence in ways that maintain its integrity and admissibility for legal proceedings. Forensic investigators examine hard drives, memory, network logs, and cloud storage to reconstruct what happened during an incident.
The first rule of digital forensics is to preserve the original evidence. Forensic imaging tools create bit-for-bit duplicates while calculating cryptographic hashes to verify nothing was altered. Every action taken on the evidence is documented because opposing counsel will scrutinize the chain of custody.
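The hash verification and action logging described above, as an added Python example that is not part of the original page. It assumes SHA-256, uses in-memory streams in place of files opened in binary mode, and the function names, examiner labels, and evidence ID are hypothetical.

```python
import hashlib
import io
from datetime import datetime, timezone

BLOCK = 1 << 20  # 1 MiB reads keep memory use flat for very large images

def digest(stream):
    """Return the SHA-256 hex digest of a binary stream, read block by block."""
    h = hashlib.sha256()
    stream.seek(0)
    for block in iter(lambda: stream.read(BLOCK), b""):
        h.update(block)
    return h.hexdigest()

def log_action(log, examiner, action, evidence_id, sha256):
    """Append one documented action to the custody log (a list of dicts)."""
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "evidence_id": evidence_id,
        "sha256": sha256,
    })

def acquire(source, image, log, examiner, evidence_id):
    """Hash the original and its image after imaging; log the outcome either way."""
    src, img = digest(source), digest(image)
    ok = src == img
    log_action(log, examiner, "image verified" if ok else "IMAGE MISMATCH", evidence_id, img)
    return ok

def reverify(image, log, examiner, evidence_id):
    """Re-hash a working copy and compare it with the digest logged at acquisition."""
    baseline = next(e["sha256"] for e in log
                    if e["evidence_id"] == evidence_id and e["action"] == "image verified")
    current = digest(image)
    ok = current == baseline
    log_action(log, examiner, "re-verified" if ok else "ALTERATION DETECTED", evidence_id, current)
    return ok

# Constructed sample data standing in for the original media and its copies.
SOURCE = io.BytesIO(b"\x00" * 4096 + b"constructed evidence bytes")
IMAGE = io.BytesIO(SOURCE.getvalue())                    # faithful bit-for-bit copy
TAMPERED = io.BytesIO(SOURCE.getvalue()[:-1] + b"X")     # one byte changed
```

A single changed byte produces a different digest, so the later check fails and the failure itself becomes a logged entry rather than a silent discrepancy.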
CISSP Relevance
Digital forensics is covered in Domain 7 (Security Operations). CISSP candidates must understand forensic investigation methodology, evidence preservation requirements, and how forensic findings feed both incident response and potential legal proceedings.
External reference: NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response
Related terms: Chain of Custody, Incident Response