Chain of Custody & Evidence Handling

Process forensic evidence collection across realistic incident scenarios. Determine the correct order of volatile evidence capture, maintain chain of custody procedures, and answer questions about proper forensic handling.

What You’ll Practice

• Applying RFC 3227 order of volatility to determine evidence collection priority
• Distinguishing volatile vs. non-volatile data sources and why collection order matters
• Understanding write-blocker usage, integrity hashing, and forensic imaging procedures
• Completing chain of custody documentation requirements for admissible evidence

How the Exam Tests This

Objective 4.8 covers incident response activities including evidence acquisition and digital forensics. CompTIA presents “Given a scenario” questions where you must identify the correct order of evidence collection (most volatile first), proper use of forensic tools (write blockers, imaging, hashing), and chain of custody requirements. Expect questions about when to capture RAM vs. disk, which hash algorithm to use for integrity verification, and what documentation makes evidence admissible.

Scoring

Each scenario has two phases: ordering evidence by volatility (partial credit for items close to the correct position) and answering forensic procedure questions (correct/incorrect). Final score combines both phases across all three scenarios.