Evidence Basics and Incident Communications
Key Takeaways
- Evidence handling preserves information so later legal, regulatory, insurance, and management decisions rest on reliable facts.
- Documentation should capture who, what, when, where, why, and how for every action taken during response.
- Chain of custody records every person who controlled evidence and every time it changed hands or location.
- Incident communications should be accurate, timely, need-to-know, and routed through approved channels only.
- Responders must avoid speculation, blame, and uncontrolled sharing while an incident is still active.
Evidence Basics
Evidence is information that explains what happened during an incident. It includes log entries, email headers, screenshots, disk images (bit-for-bit copies), memory captures (volatile RAM contents), firewall alerts, authentication records, cloud audit events, or the physical device itself. Entry-level responders are not forensic experts, but they must avoid careless actions that destroy evidence.
The basic rule is simple: document before you disturb when practical. If a suspicious laptop is actively attacking other systems, containment may come first — but the responder still records the time, hostname, user, network connection, visible symptoms, and action taken. One concept ISC2 emphasizes is order of volatility: collect the most fragile evidence first. RAM and active network connections vanish on reboot, so they are captured before disk contents, which survive a power cycle.
| Evidence type | Volatility | Capture priority |
|---|---|---|
| CPU registers, cache, RAM | Disappears on power loss | First (highest) |
| Active network connections, sessions | Disappears quickly | Early |
| Disk and file system | Persists across reboot | After volatile data |
| Archived backups, printouts | Stable | Last (lowest) |
Chain of Custody
Chain of custody is the documented record of who had control of evidence, when they received it, where it was stored, and when it was transferred. It matters because evidence may support disciplinary, legal, insurance, or regulatory decisions. If nobody can show who handled a laptop after collection, a court may rule the evidence unreliable.
| Evidence item | Good handling practice |
|---|---|
| Suspicious email | Preserve original message with full headers, not only a screenshot |
| Endpoint logs | Export through approved tools and note the exact time range |
| Laptop | Label, secure, and document who collected it and when |
| Cloud audit logs | Export relevant records and preserve time-zone context |
| Malware sample | Store securely, restrict access, hash to prove integrity |
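As an added illustration (not part of the original page) of the chain-of-custody and integrity points above, this Python script keeps a who/what/when/where/why/how record for one evidence item and re-hashes the item at every hand-off, so a later modification is detected rather than silently passed along. The item ID, people, locations and sample bytes are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash the evidence file in chunks so large disk images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who controlled an item, when, where, why and how."""

    def __init__(self, item_id, path, collector, location, reason):
        self.item_id = item_id
        self.path = path
        self.baseline = sha256_file(path)  # hash taken at collection time proves later integrity
        self.entries = []
        self._record(collector, location, reason, "collected", self.baseline)

    def _record(self, who, where, why, how, digest):
        self.entries.append({"who": who, "what": self.item_id,
                             "when": datetime.now(timezone.utc).isoformat(),
                             "where": where, "why": why, "how": how, "sha256": digest})

    def transfer(self, to_person, location, reason) -> bool:
        """Re-hash on every hand-off; a mismatch means the evidence is no longer reliable."""
        digest = sha256_file(self.path)
        intact = digest == self.baseline
        self._record(to_person, location, reason,
                     "transferred" if intact else "INTEGRITY FAILURE", digest)
        return intact

    def export(self) -> str:
        return json.dumps(self.entries, indent=2)


def demo():
    """Constructed walk-through: collect, hand off intact, then detect a modification."""
    path = os.path.join(tempfile.mkdtemp(), "sample.bin")
    with open(path, "wb") as f:
        f.write(b"constructed placeholder sample\n")  # constructed evidence bytes
    log = CustodyLog("EV-001", path, "A. Analyst", "SOC evidence locker", "initial triage")
    intact = log.transfer("B. Forensics", "forensics lab", "deeper analysis")
    with open(path, "ab") as f:  # simulate an unauthorized modification after hand-off
        f.write(b"x")
    return intact, log.transfer("C. Legal", "legal hold", "litigation review")
```

Calling `demo()` returns `(True, False)`: the first transfer verifies cleanly and the second is flagged, with the mismatched hash preserved in the log entry.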
Communications During an Incident
Uncontrolled communication creates new problems. Messages should be accurate, limited to those who need to know, and approved by the correct role. Technical staff use an incident channel; executives receive status summaries; employees receive instructions; customers, regulators, law enforcement, and the media require separate handling by legal, privacy, or communications teams.
Avoid speculation. "We are investigating unusual activity affecting the payroll portal and will provide the next update at 3:00 p.m." is far stronger than "Hackers probably stole payroll data." The first is factual and bounded; the second may be wrong and creates panic and legal exposure. A common exam trap is an option that notifies external parties or assigns blame before facts are confirmed.
Scenario: Lost Encrypted Laptop
An employee reports a company laptop stolen from a car. The team gathers facts: device identifier, assigned user, last check-in time, whether full-disk encryption was enabled, whether remote wipe is available, what data was stored locally, and whether the user noticed suspicious account activity. They document the report, preserve mobile-device-management logs, and escalate if sensitive data may be exposed.
Communication follows policy. The employee must not independently notify customers. The analyst must not promise "no data was lost" until encryption and device state are verified. Management, privacy, and legal decide whether notification is legally required based on facts and applicable obligations.
Beginner Exam Focus
Be skeptical of any answer that deletes evidence, ignores documentation, or broadcasts unverified claims. Better answers preserve logs, maintain chain of custody, respect order of volatility, limit communication to approved channels, and provide factual, time-bounded updates.
Who Receives What: Audience Mapping
The exam often tests who should hear about an incident, not just what to say. Different audiences need different levels of detail, and sending the wrong message to the wrong group is itself an incident-handling failure:
| Audience | What they need | Who decides the message |
|---|---|---|
| Technical responders | Live technical detail, indicators, tasks | Incident lead |
| Executives / management | Impact, status, decisions required | Incident lead with communications |
| Affected employees | Clear instructions (e.g., reset password) | Communications team |
| Customers | Plain-language notice, what to do | Legal and communications |
| Regulators / law enforcement | Factual disclosure per legal obligation | Legal and privacy |
Notice that as the audience moves outward, approval moves toward legal and privacy. A beginner analyst never independently notifies a regulator, the press, or a customer — those decisions carry liability and belong to specialized roles.
Why Notification Timing Is a Trap
Many breach laws and contracts impose notification deadlines, but the obligation depends on confirmed facts: what data, whose data, and whether it was actually exposed. Announcing too early with wrong facts can trigger needless panic, regulatory scrutiny, and reputational harm; announcing too late can violate a legal deadline. This is exactly why the CC answer is to gather facts, preserve evidence, and let legal decide — the responder supplies accurate information rather than making the disclosure call alone.
Beginner Exam Focus
Evidence and communication are not separate from technical response — they are part of a defensible incident response process. The strongest answers keep evidence intact, route messages by audience and approval level, and resist the urge to speculate or over-share while an incident is still active.
What does chain of custody document?
Following order of volatility, which evidence should be collected first?
Which communication is best during an active investigation?