🏠 Back to Exam Syllabus πŸ“Ί RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 19.1 - Investigations (Part 2 of 3)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series gets practical about the rules and hands-on techniques of digital forensics, within Domain 7, Security Operations. It shows how careful handling separates a solid case from a wasted one, since one careless click can destroy the very proof an investigation depends on.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

Why can’t a witness simply repeat what someone else told them?

Because of the hearsay rule: a witness generally cannot testify about statements made outside of court, since the court has no way to test them. But this rule is famous for its many exceptions, and the one that matters most is the business records exception. It lets records like system logs come in when they were created at the time of the event, kept in the normal course of business, and maintained as a regular practice, with a qualified person confirming those conditions. Think of a log as a diary the system writes automatically, without an agenda.

What principles guide everyone who handles digital evidence?

A respected body laid out five that anchor the whole discipline. First, seizing evidence should never change it. Second, only a forensically competent person should touch the original. Third, every action taken with the evidence must be fully documented and available for review. Fourth, whoever holds the evidence is responsible for everything done to it. And fifth, any organization involved must comply with all of these rules. Think of them as five laws of a cleanroom: break one, and you contaminate the sample.

How do you analyze storage media and live memory safely?

For media analysis, never touch a live system’s drive: power the machine down, remove the storage device, and attach it to a forensic workstation through a write blocker, a hardware adapter that physically prevents any write-back. Then you calculate a cryptographic hash, create a bitwise forensic image, and hash that image to prove the two match. Live memory is more delicate, so you use trusted tools to generate a memory dump written to a clean device, hash it to prove authenticity, and work only from copies.

How do you reconstruct what happened across the network?

Network analysis is tricky because network data is volatile: if activity is not deliberately recorded when it happens, it usually vanishes. So this work leans on controls already logging traffic, like intrusion detection systems, flow monitors, packet captures, and firewall logs. To capture live traffic without disturbing it, you use a mirror port on a switch or a hardware network tap, both of which copy the traffic for analysis without altering the real conversation, and then you hash and copy the captures like any other evidence.

Why does every attack leave a trail?

Because of a foundational idea in forensics that every contact leaves a trace: when two objects meet, something is exchanged, whether a fingerprint, a fiber, or a log entry, and experts believe this holds true online too. Consider an attacker who injects malicious commands into a website. Their own device carries tools and logs, the network records their connection, the firewall and web server capture the malicious requests, and the database logs the commands that ran. Each contact point is a witness, so thinking through the full path uncovers a chain of evidence.

πŸ“š Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 19.1 - Investigations (Part 2 of 3).