Covers the full lifecycle of handling evidentiary materials, with emphasis on digital evidence and legal admissibility. Candidates should understand how to identify and secure an evidence scene, differentiate source types such as computers, storage media, mobile devices, network equipment, and cloud artifacts, and decide on appropriate power and access actions to avoid data loss. Includes hands-on collection techniques such as use of write blockers, forensic imaging and logical versus physical acquisition, capturing volatile data, and preserving originals while working from verified copies. Emphasizes documentation requirements including detailed evidence logs, chain of custody records that document who handled evidence, when, and what actions were taken, hashing and verification to prove integrity, secure transport and storage, and proper storage conditions. Also covers legal and procedural topics such as standards for admissibility, consequences of contamination, coordination with legal counsel and law enforcement, differences between internal investigations and evidence intended for litigation, issuance of legal holds and preservation orders, and maintaining audit trails for review and courtroom presentation.
Hard | Technical
A system administrator with no forensic training collected initial evidence at the scene: copied logs, removed disks, and transported them to the corporate security team. You discover gaps and potential handling errors in the chain of custody. Design a remediation and validation plan to rehabilitate the evidence's admissibility: steps to verify hashes, collect witness statements, re-create collection steps, document departures from best practices, and recommend training or process changes to prevent recurrence.
Hard | Technical
Design a practical collection plan to capture forensic artifacts from ephemeral containerized environments (Kubernetes) where pods are short-lived and autoscale frequently. Include node-level evidence capture, persistent volume snapshotting, capturing kube-apiserver audit logs, service-mesh telemetry, container image provenance, and how you will maintain chain-of-custody for ephemeral artifacts.
Easy | Technical
A smartphone is powered on, locked, and connected to a cellular network; you reasonably believe it may be subject to a remote wipe. You are the first responder and do not yet have a warrant. What immediate, legally defensible steps do you take to preserve evidence while minimizing alteration? Discuss use of Faraday bags, airplane mode, SIM removal, and how consent or authority affects your choices.
Medium | Technical
Compare acquisition methods for smartphones: physical image, logical extraction, filesystem extraction, and cloud backup acquisition. For each method, explain what classes of artifacts are preserved (deleted messages, app databases, metadata), invasiveness and risk of altering evidence, tool/legal considerations, and which method you would recommend in high-value cases versus triage situations.
Medium | Technical
Provide a practical, courtroom-defensible checklist for capturing volatile Windows artifacts during live incident response on Windows 10/11. Include the artifact categories to collect (memory image, running processes, open network sockets, event logs, registry hives, pagefile and hibernation), and list generally accepted tools or approaches without prescribing a single vendor product.