Evidence Basics and Incident Communications

Key Takeaways

  • Evidence handling focuses on preserving information so later decisions are based on reliable facts.
  • Basic documentation should include who, what, when, where, why, and how actions were taken.
  • Chain of custody records who controlled evidence and when it changed hands.
  • Incident communications should be accurate, timely, need-to-know, and routed through approved channels.
  • Responders should avoid speculation, blame, and uncontrolled sharing during active incidents.

Last updated: April 2026

Evidence Basics

Evidence is information that helps explain what happened during an incident. It may include log entries, email headers, screenshots, disk images, memory captures, firewall alerts, authentication records, cloud audit events, or the physical device itself. Entry-level responders are not expected to be forensic experts, but they are expected to avoid careless actions that damage evidence.

The basic rule is simple: document before you disturb, when practical. If a suspicious laptop is still connected to the network and appears to be attacking other systems, containment may come first. Even then, the responder should still record the time, hostname, user, network connection, visible symptoms, and action taken. A perfect evidence process is not always possible during an emergency, but sloppy, undocumented action makes later analysis harder.

Chain of Custody

Chain of custody is the record of who had control of evidence, when they received it, where it was stored, and when it was transferred. It matters because evidence may support disciplinary, legal, insurance, or regulatory decisions. If nobody can show who handled a laptop after collection, the organization may not be able to rely on that evidence.

Evidence item       Good handling practice
Suspicious email    Preserve the original message with headers, not only a screenshot
Endpoint logs       Export or collect through approved tools and note the time range
Laptop              Label, secure, and document who collected it
Cloud audit logs    Export relevant records and preserve time zone context
Malware sample      Store securely and restrict access
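As an added example that is not part of this page, the following Python sketch shows one way to turn the ideas above into a record: the who, what, when, where, why and how of collection, a SHA-256 fingerprint of the item, UTC timestamps with an explicit offset so time zone context is preserved, and a custody log in which only the current custodian can release an item and anyone can re-verify that it is unchanged. The sample email, the names (analyst.a, forensics.b), the case and item identifiers, and the ledger itself are all constructed for illustration.

```python
# Evidence intake and chain-of-custody ledger.
# Added example, not from the original page; all names and the sample
# email below are constructed for illustration.
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Constructed sample: a phishing email preserved as the original message
# with its headers, rather than as a screenshot.
SAMPLE_EML = b"""Received: from mail.example.test by mx.example.test; Mon, 06 Apr 2026 09:14:05 +0000
From: "IT Support" <support@example.test>
Date: Mon, 06 Apr 2026 09:14:02 +0000
Subject: Password reset required

Please reset your password using the link below.
"""


def sha256_hex(data: bytes) -> str:
    """Fingerprint the item so later handlers can prove it is unchanged."""
    return hashlib.sha256(data).hexdigest()


def now_iso() -> str:
    """Timestamp in UTC with an explicit offset, so time zone context survives."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class CustodyEvent:
    action: str    # collected / transferred / verified
    actor: str     # who performed the action
    location: str  # where the item was at that moment
    at: str        # when (ISO 8601, UTC)
    note: str      # how / why


@dataclass
class EvidenceItem:
    item_id: str
    description: str     # what
    collected_from: str  # where it came from
    reason: str          # why it was collected
    method: str          # how it was collected
    sha256: str
    custodian: str       # who controls it right now
    events: list = field(default_factory=list)


class CustodyLedger:
    """In-memory ledger; a production one would be append-only and access-controlled."""

    def __init__(self) -> None:
        self.items: dict[str, EvidenceItem] = {}

    def collect(self, item_id: str, data: bytes, *, description: str,
                collected_by: str, collected_from: str, reason: str,
                method: str) -> EvidenceItem:
        item = EvidenceItem(item_id, description, collected_from, reason,
                            method, sha256_hex(data), collected_by)
        item.events.append(CustodyEvent("collected", collected_by,
                                        collected_from, now_iso(), method))
        self.items[item_id] = item
        return item

    def transfer(self, item_id: str, *, from_actor: str, to_actor: str,
                 location: str, note: str = "") -> EvidenceItem:
        """Hand the item over; only the current custodian may release it."""
        item = self.items[item_id]
        if item.custodian != from_actor:
            raise ValueError(f"{from_actor} does not hold {item_id}; "
                             f"current custodian is {item.custodian}")
        item.custodian = to_actor
        item.events.append(CustodyEvent(
            "transferred", to_actor, location, now_iso(),
            f"received from {from_actor}. {note}".strip()))
        return item

    def verify(self, item_id: str, data: bytes, actor: str) -> bool:
        """Re-hash the item; a mismatch means it can no longer be relied on."""
        item = self.items[item_id]
        ok = sha256_hex(data) == item.sha256
        item.events.append(CustodyEvent("verified", actor, "n/a", now_iso(),
                                        "hash matches" if ok else "HASH MISMATCH"))
        return ok

    def current_custodian(self, item_id: str) -> str:
        return self.items[item_id].custodian

    def export(self, item_id: str) -> str:
        """Serialise the full record for the case file."""
        return json.dumps(asdict(self.items[item_id]), indent=2)


if __name__ == "__main__":
    ledger = CustodyLedger()
    ledger.collect("EV-001", SAMPLE_EML,
                   description="Phishing email forwarded to the help desk",
                   collected_by="analyst.a", collected_from="help desk mailbox",
                   reason="Suspected credential phishing",
                   method="Exported original .eml with full headers")
    ledger.transfer("EV-001", from_actor="analyst.a", to_actor="forensics.b",
                    location="evidence share, case folder INC-0001")
    print("intact:", ledger.verify("EV-001", SAMPLE_EML, actor="forensics.b"))
    print(ledger.export("EV-001"))
```

The design choice worth noting is that verification never changes the custodian: re-hashing is something any later handler can do, while release of the item is restricted to whoever the ledger says holds it. That is the property a chain of custody is meant to demonstrate, and the hash mismatch branch is what turns "we think it is the same file" into a recorded fact.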

Communications During an Incident

Communication can reduce confusion, but uncontrolled communication can create new problems. During an incident, messages should be accurate, limited to those who need to know, and approved by the correct role. Technical teams may use an incident channel. Executives may receive status summaries. Employees may receive instructions. Customers, regulators, law enforcement, or the media may require separate handling by legal, privacy, or communications teams.

Avoid speculation. "We are investigating unusual activity affecting the payroll portal and will provide the next update at 3:00 p.m." is stronger than "Hackers probably stole payroll data." The first message is factual and bounded. The second may be wrong and could create unnecessary panic or legal exposure.

Scenario: Lost Encrypted Laptop

An employee reports that a company laptop was stolen from a car. The response team should gather facts: device identifier, assigned user, last check-in time, whether full-disk encryption was enabled, whether remote wipe is available, what data may have been stored locally, and whether the user noticed any suspicious account activity. The team should document the report, preserve device management logs, and escalate if sensitive data may be exposed.

Communication should follow policy. The employee should not independently notify customers. The analyst should not promise that "no data was lost" until encryption and device state are verified. Management, privacy, and legal teams may decide whether notification is required based on facts and applicable obligations.

Beginner Exam Focus

If an answer says to delete evidence, ignore documentation, or broadcast unverified claims, be skeptical. Better answers preserve logs, maintain chain of custody, limit communication to approved channels, and provide factual updates. Evidence and communication are not separate from technical response. They are part of a defensible incident response process.

Test Your Knowledge

  • What does chain of custody document?
  • Which communication is best during an active investigation?
  • A user forwards a phishing email to the help desk. What is the best evidence-preserving action?