Evidence Handling and Chain of Custody

Key Takeaways

  • Digital evidence must be identified, collected, preserved, analyzed, and reported in a defensible, repeatable manner.
  • Chain of custody documents who handled evidence, when, where, why, and how it was protected from change.
  • Hashing (commonly SHA-256) at acquisition and before analysis proves a forensic copy has not changed.
  • A legal hold and write blocker stop spoliation by freezing data and preventing writes to the original media.
  • On SY0-701, the best evidence answer documents handling, prevents unauthorized change, and supports repeatable analysis.
Last updated: June 2026

Why Evidence Handling Matters on SY0-701

Digital forensics applies structured, defensible investigation methods to electronic evidence. CompTIA Security+ SY0-701 (the current edition, launched November 7, 2023, with a maximum of 90 questions, 90 minutes, and a passing score of 750 on a 100–900 scale) places forensics under Domain 4, Security Operations. The exam rarely tests deep tool syntax. Instead, it tests judgment: when a question describes a live incident, the best answer almost always protects evidence integrity before analysis begins.

Evidence that is altered, undocumented, or handled casually loses value even when it contains useful technical facts, because a defense attorney can argue it was tampered with.

The Evidence Handling Process

Each step, its purpose, and a concrete example:

  • Identify: determine what may hold evidence. Examples: laptop, phone, EDR telemetry, cloud audit logs, firewall logs.
  • Collect: acquire using approved, documented methods. Examples: disk image, memory capture, signed log export.
  • Preserve: protect the evidence from any change. Examples: write blocker, evidence bag, Faraday bag for phones, access control.
  • Analyze: examine working copies, never originals. Examples: mount the image read-only, parse logs, inspect artifacts.
  • Report: explain findings, methods, and limits. Examples: timeline, tool versions, hashes, conclusions.

Legal Hold and Spoliation

A legal hold (litigation hold) is a formal directive to preserve all data relevant to anticipated or active litigation. Once issued, routine deletion and log rotation must stop for the in-scope systems. Failing to preserve data is spoliation, which can trigger court sanctions or an adverse-inference ruling. E-discovery is the legal process of identifying and producing electronically stored information in response to a subpoena or discovery request. Security+ pairs these terms with chain of custody because together they make evidence usable in court.

Chain of Custody

Chain of custody is the documented, unbroken history of evidence handling. It must show who held the item, when they received it, where it was stored, what they did, and to whom they transferred it. Any gap lets opposing counsel argue the evidence could have been altered.

Example custody record (field: example value):

  • Evidence ID: E-2026-0429-003
  • Description: Dell laptop, user mlee, serial 7XQ914
  • Collected by: J. Patel
  • Date / time: 2026-04-29 14:22 PDT
  • Location: Finance office, desk 18
  • Condition: Powered on, screen locked, on dock
  • Action: Photographed, RAM captured, disk imaged
  • Hash: SHA-256 of forensic image recorded
  • Transfer: Released to evidence locker at 16:10 PDT

Hashing and Integrity

A hash is a fixed-length value computed from data; changing even one bit changes the hash. Investigators record a hash at acquisition and recompute it before analysis and before testimony. A matching hash demonstrates the working copy is bit-for-bit identical to the source.

Evidence ID: E-2026-0429-003
Source hash (SSD): 5f2a9c...b81c (SHA-256)
Image hash:        5f2a9c...b81c (SHA-256)
Verified: at acquisition AND before analysis = MATCH

A write blocker (hardware or software) sits between the source drive and the workstation, allowing reads but silently dropping any write so the original cannot change during imaging.
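As an added example that is not part of the original page, the Python below models the two controls this section and the Chain of Custody section describe: it hashes an image in chunks the way a large disk image would be streamed, verifies a working copy against the hash recorded at acquisition, and flags gaps in the transfer log (entries out of order, or a custodian releasing an item they were never recorded as receiving). The evidence ID, description and collector come from the page's example; the image bytes and the custodian names "R. Gomez" and "S. Kim" used in the usage notes are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-terabyte image never has to fit in memory

def sha256_hex(data: bytes) -> str:
    # Feed the digest piece by piece, the same loop you would use over an open image file.
    h = hashlib.sha256()
    view = memoryview(data)
    for off in range(0, len(view), CHUNK):
        h.update(view[off:off + CHUNK])
    return h.hexdigest()

@dataclass
class Transfer:
    when: str            # ISO 8601 local time, e.g. "2026-04-29T16:10" (PDT in the page's example)
    released_by: str
    received_by: str
    location: str

@dataclass
class EvidenceRecord:
    evidence_id: str
    description: str
    collected_by: str
    acquisition_hash: str  # recorded once, at imaging; later checks compare against it, never overwrite it
    transfers: list = field(default_factory=list)

def verify_image(record: EvidenceRecord, image: bytes) -> bool:
    # Recompute before analysis; a single flipped bit in the copy breaks the match.
    return sha256_hex(image) == record.acquisition_hash

def custody_gaps(record: EvidenceRecord) -> list:
    # A defensible log is chronological and unbroken: whoever releases the item must be the custodian it was last handed to.
    gaps, holder, last = [], record.collected_by, None
    for t in record.transfers:
        when = datetime.fromisoformat(t.when)
        if last is not None and when <= last:
            gaps.append(f"{t.when}: entry is not later than the previous one")
        if t.released_by != holder:
            gaps.append(f"{t.when}: {t.released_by} released an item held by {holder}")
        holder, last = t.received_by, when
    return gaps

# Constructed sample: 2 MiB of stand-in bytes, not a real disk image.
SAMPLE_IMAGE = bytes(range(256)) * 8192
RECORD = EvidenceRecord("E-2026-0429-003", "Dell laptop, user mlee, serial 7XQ914",
                        "J. Patel", sha256_hex(SAMPLE_IMAGE))
```

Append Transfer entries to RECORD.transfers as the item moves (collector to locker, locker to analyst) and run custody_gaps before testimony; an empty list is the unbroken chain the page describes.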

Provenance, Acquisition, and Preservation

SY0-701 groups several closely related terms you must keep straight. Acquisition is the act of obtaining a forensic copy of the data. Preservation is protecting that data and the original from any change after acquisition. Provenance is the documented origin and history of a piece of evidence — essentially the chain of custody applied to a single artifact, proving where it came from and that it is authentic. Data integrity is the property that the evidence has not been altered, which is exactly what hashing proves.

Non-repudiation is the assurance that an actor cannot deny an action; in forensics, signed logs and verified hashes support it. Expect a scenario question that hands you all five terms as distractor options and asks which one a given control (a write blocker, a SHA-256 verification, an evidence bag) actually delivers.

Worked Scenario

A finance analyst reports spreadsheets were changed without approval. The responder photographs the desk, records that the laptop is powered on, captures volatile memory first (the machine is running), exports the cloud file-repository audit logs, then images the SSD through a write blocker and hashes it. The original is sealed in a tamper-evident evidence bag and logged into the locker. All analysis runs on the verified copy. Notice the sequence: photograph and document, capture volatile data, then image — the order itself is a defensible decision the report must justify.

If counsel later challenges the image, the responder produces the matching SHA-256 values and the unbroken custody log to rebut any tampering claim.

Right to Audit and Third Parties

When evidence lives with a cloud provider or managed service, a right-to-audit clause in the contract gives the customer (or its investigators) the contractual ability to inspect logs and request data. Without it, you may be unable to obtain the very audit logs your timeline depends on. This is why Security+ ties forensics back to vendor management and service-level agreements: you cannot preserve what you have no legal access to, and you cannot subpoena a provider's records as quickly as you can pull your own.

Common Traps

  • Analyzing the original drive when a forensic copy is possible.
  • Forgetting to log who transferred the evidence (broken chain).
  • Failing to hash before analysis, so integrity cannot be proven later.
  • Powering off a running host without capturing volatile data first.
  • Mixing evidence from different cases without unique labels.
  • Leaving evidence in an unlocked drawer or a personal cloud folder.
  • Ignoring a legal hold and letting log rotation delete relevant data (spoliation).

Test Your Knowledge

  • What is the main purpose of chain of custody?
  • A company anticipates litigation involving a departing employee. What action preserves the employee's data and prevents spoliation?
  • Why is a hash recorded for a forensic image?

Multi-select: which items belong in a chain of custody record? Select three.

  • Evidence identifier and description
  • Collector name and transfer times
  • Storage location or custodian
  • A guess about likely punishment
  • The investigator's personal password