cisa-d5-protection-info-assets-evidence-collection-and-forensics

Evidence Collection and Forensics

isaca-cisa · framework · Gold standard

Drawn fromCISA Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Evidence Collection and Forensics

Evidence Collection and Forensics is the disciplined process of identifying, preserving, acquiring, analyzing, and presenting digital artifacts from computing systems in a manner that maintains their integrity, documents their provenance, and satisfies legal admissibility standards. It encompasses both reactive investigation (post-incident) and proactive forensic readiness (pre-incident architecture). Forensic evidence includes volatile data (RAM, CPU cache, running processes, active network connections) and non-volatile data (disk images, logs, file metadata), as well as cloud telemetry, mobile device artifacts, and container and application logs. The field bridges technical analysis and legal procedure — a forensic finding is only useful if it survives judicial scrutiny.

Where it stops · what it isn't

—IS: Systematic, documented collection of digital artifacts for investigative or legal purposes using integrity-preserving techniques — write-blockers, cryptographic hashing, and chain of custody documentation.
—IS: Forensic readiness — the proactive design of logging, retention, and monitoring architectures to support future investigations before incidents occur.
—IS NOT: General IT troubleshooting or log review without documented chain of custody and integrity verification — those activities may contaminate forensic evidence.
—IS NOT: Real-time threat monitoring or SIEM alerting — forensics begins after an event is detected, though forensic readiness improves detection capability.
—IS NOT: Data recovery for operational purposes — forensics is evidence-centric, not service-restoration-centric; the goals and procedures are fundamentally different.
—IS NOT: Legal counsel or prosecution — forensic practitioners collect and analyze evidence; attorneys and law enforcement determine legal strategy and charging decisions.

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Incident Response Lifecycle (NIST SP 800-61)ISACA CISA Domain 5: Protection of Information Assets

REQUIRES

Chain of Custody DocumentationForensic Readiness Architecture (logging, retention, monitoring)Legal Hold Procedures

ENABLES

Litigation Support and E-DiscoveryRegulatory Breach Notification (GDPR 72-hour, HIPAA 60-day)Root Cause Analysis and Attack Timeline Reconstruction

RELATED TO

Security Monitoring and SIEM OperationsVulnerability Management and Patch Control

CONSTRAINS

Cloud Provider Shared Responsibility Model

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.