
Evidence Collection and Preservation Questions

Covers the full lifecycle of handling evidentiary materials, with emphasis on digital evidence and legal admissibility. Candidates should understand how to identify and secure an evidence scene, differentiate source types such as computers, storage media, mobile devices, network equipment, and cloud artifacts, and decide on appropriate power and access actions to avoid data loss. Includes hands-on collection techniques such as the use of write blockers, forensic imaging and logical versus physical acquisition, capturing volatile data, and preserving originals while working from verified copies. Emphasizes documentation requirements, including detailed evidence logs, chain-of-custody records that document who handled evidence, when, and what actions were taken, hashing and verification to prove integrity, secure transport and storage, and proper storage conditions. Also covers legal and procedural topics such as standards for admissibility, consequences of contamination, coordination with legal counsel and law enforcement, differences between internal investigations and evidence intended for litigation, issuance of legal holds and preservation orders, and maintaining audit trails for review and courtroom presentation.

Difficulty: Hard | Category: System Design | 60 practiced
Design an enterprise-scale evidence collection and preservation policy for a multinational corporation. The policy should cover issuance of legal holds and preservation orders, cross-border data transfers and MLATs, secure chain-of-custody, role-based access to evidence, retention schedules, auditing and WORM storage requirements, incident triage priorities, and coordination with local counsel. Outline key controls and brief justification for each.
Difficulty: Hard | Category: Technical | 105 practiced
Your organization receives a broad eDiscovery request covering months of user emails and chat logs. Explain how you would manage preservation, collection, processing, and production to meet legal obligations while protecting privileged and irrelevant data. Discuss how you preserve metadata, justify search criteria, maintain a defensible audit trail, and handle privilege/redaction with the legal team.
Difficulty: Easy | Category: Technical | 109 practiced
Provide a minimum checklist of fields that must appear on an evidence label and in the evidence log for every item collected at a scene. Include a short example of label fields (e.g., evidence ID, description, date/time, collector, location, condition, seal number) and explain in one sentence why each field matters for legal admissibility.
Difficulty: Hard | Category: Technical | 55 practiced
A system administrator with no forensic training collected initial evidence at the scene: copied logs, removed disks, and transported them to the corporate security team. You discover gaps and potential handling errors in the chain-of-custody. Design a remediation and validation plan to rehabilitate the evidence's admissibility: steps to verify hashes, collect witness statements, re-create collection steps, document departures from best practices, and recommend training or process changes to prevent recurrence.
Difficulty: Easy | Category: Technical | 70 practiced
You arrive at a scene and find a powered-on desktop workstation suspected to have been used in a breach. Provide a prioritized checklist of immediate actions to preserve volatile evidence while minimizing impact to ongoing operations and legal risk. For each step, justify its priority (for example, RAM capture vs. shutting down) and describe how you'd document the action.
