# Evidence Handling and Chain of Custody

Backlink: [[Domain 1 - Index]]

**Definition:** Practices that maintain the integrity and admissibility of evidence through controlled collection, preservation, documentation, and transfer.

## Key Facts

- Evidence types: best, secondary, direct, circumstantial, documentary, real.
- Chain of custody: who/what/when/where/why; signatures and seals.
- Use write blockers; hash before/after imaging (integrity).
- Maintain originals securely; work on verified copies.
- Coordinate with legal; document methods thoroughly.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

> [!tip] **Exam Relevance**
> - Identify breaks in the chain or improper handling
> - Choose proper imaging and hashing steps

> [!note] **Mnemonic**
> - “Document, Seal, Hash, Lock.”

### Example

Q: Forgot to log a transfer of a drive. Impact?

A: Chain of custody compromised; admissibility at risk.

## Revision Checklist

- [ ] Name 4 evidence types
- [ ] Describe chain-of-custody record
- [ ] Explain hashing purpose
- [ ] Note originals vs. working copies

## Related

[[Incident Response Lifecycle]] · [[E-Discovery (EDRM)]] · [[Legal Systems and Laws (Civil, Criminal, Administrative)]] · [[Security Governance]] · [[Privacy Principles and Regulations]]

#cisSP #domain-1 #concept
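As an added example (not part of this note, and not any standard tool), the script below shows the two mechanics the Key Facts point at: hashing a medium before imaging and the image after, and keeping a who/what/when/where/why custody record in which each entry is chained to the previous entry's digest so that an edited or removed entry is detectable. It also flags the situation in the example question, a custodian change that no logged transfer accounts for. Evidence contents, names, locations and timestamps are constructed for the demo; the `CustodyLog` class and its method names are this example's own.

```python
"""Added example: imaging integrity check plus a tamper-evident chain-of-custody log.
All evidence bytes, people, places and timestamps below are constructed."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    """Digest used for both the acquisition hash and the log chaining."""
    return hashlib.sha256(data).hexdigest()


def image_is_verified(source: bytes, image: bytes) -> bool:
    """Hash the source medium before imaging and the image afterwards; a verified
    working copy is one whose digest matches the original's."""
    return hmac.compare_digest(sha256_hex(source), sha256_hex(image))


class CustodyLog:
    """Chain-of-custody record (hypothetical structure). Each entry captures
    who handed the item to whom, what was done, when, where and why, and is
    hashed together with the previous entry's digest (or the acquisition hash
    for the first entry), so the record cannot be silently rewritten."""

    def __init__(self, evidence_id: str, acquisition_hash: str):
        self.evidence_id = evidence_id
        self.acquisition_hash = acquisition_hash
        self.entries = []

    def record(self, *, handed_by, received_by, action, location, purpose, when):
        prev = self.entries[-1]["digest"] if self.entries else self.acquisition_hash
        body = {
            "evidence_id": self.evidence_id, "handed_by": handed_by,
            "received_by": received_by, "action": action, "location": location,
            "purpose": purpose, "when": when, "prev": prev,
        }
        digest = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.entries.append(dict(body, digest=digest))
        return digest

    def verify_chain(self) -> bool:
        """Recompute every digest and link; any altered field breaks the chain."""
        prev = self.acquisition_hash
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    def custody_gaps(self):
        """Indices of entries whose hander is not the previous entry's receiver:
        the item changed hands without a logged transfer in between."""
        gaps = []
        holder = self.entries[0]["received_by"] if self.entries else None
        for i, entry in enumerate(self.entries[1:], start=1):
            if entry["handed_by"] != holder:
                gaps.append(i)
            holder = entry["received_by"]
        return gaps


def demo() -> CustodyLog:
    """Build a constructed log with one unlogged hand-off, as in the example Q."""
    source = b"constructed contents of seized drive EV-0001"  # stands in for the medium
    image = bytes(source)                                      # the acquired image
    if not image_is_verified(source, image):
        raise RuntimeError("image digest does not match source; do not proceed")
    log = CustodyLog("EV-0001", sha256_hex(source))
    log.record(handed_by="A. Ng (seizing officer)", received_by="B. Ortiz (examiner)",
               action="imaged with write blocker", location="lab bench 2",
               purpose="forensic acquisition", when="2024-05-01T09:00:00Z")
    log.record(handed_by="B. Ortiz (examiner)", received_by="evidence locker 7",
               action="sealed and stored original", location="evidence room",
               purpose="preserve original", when="2024-05-01T11:30:00Z")
    # The locker-to-C. Patel transfer was never logged, so this entry exposes a gap.
    log.record(handed_by="C. Patel (analyst)", received_by="D. Shah (analyst)",
               action="transferred for analysis", location="lab bench 4",
               purpose="malware analysis", when="2024-05-03T14:00:00Z")
    return log


if __name__ == "__main__":
    custody = demo()
    print("chain intact:", custody.verify_chain())   # True
    print("unlogged hand-offs at entries:", custody.custody_gaps())  # [2]
```

Running it reports an intact chain but a gap at entry 2, which is exactly the "forgot to log a transfer" condition: the digests prove nobody altered the record, yet the record itself shows the drive reaching C. Patel with no documented hand-off, so admissibility is at risk. Editing any stored field afterwards makes `verify_chain()` return `False`.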