Episode 65 — Preserve Evidence Correctly: Chain of Custody, Volatility, and Documentation Discipline

This episode explains evidence preservation as the foundation for accurate root cause, reliable remediation, and defensible reporting, and it maps directly to GSEC questions about what to collect and how to handle it. You’ll define chain of custody as documented control over evidence from collection through storage and analysis, then connect it to integrity needs such as hashing, access restrictions, and clear handling logs.

We’ll cover volatility by explaining why some evidence disappears quickly, like memory-resident artifacts, network connections, and running processes, while other evidence persists, like disk images, logs, and configuration states, and how collection order matters when time is limited. Scenarios include a suspected malware infection where shutting down the system destroys memory evidence, a cloud incident where logs must be preserved before retention expires, and an insider case where careful handling prevents claims of tampering.

Best practices emphasize structured notes, time synchronization, minimal-touch collection, secure storage, and clear documentation that ties artifacts to specific hypotheses and decisions, which improves both investigations and exam answers.

Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.
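The chain-of-custody and order-of-volatility ideas above, as an added example that is not from the episode or from BareMetalCyber.com: each custody entry records a UTC timestamp, the actor, the action, and the SHA-256 observed at that step, so a hash that changes between handoffs is caught and logged rather than silently accepted. The artifact bytes, actor names and volatility ranks are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a collected artifact (not a real memory dump).
SAMPLE_ARTIFACT = b"MEMORY-DUMP-PLACEHOLDER host=ws-17 pid=4242"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Chain-of-custody log for one artifact: who held it, when, and what they did.

    Every entry carries the hash seen at that step, so any change to the bytes
    between handoffs is visible in the log instead of being silently accepted."""

    def __init__(self, artifact_id: str, data: bytes, collector: str, volatility_rank: int):
        self.artifact_id = artifact_id
        # 1 = most volatile (memory, live connections); larger = more persistent (disk, logs).
        self.volatility_rank = volatility_rank
        self.original_hash = sha256_hex(data)   # hash taken at collection time
        self.entries = []
        self._log("collected", collector, data, "hash recorded at collection")

    def _log(self, action: str, actor: str, data: bytes, note: str) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),  # synchronized UTC clock assumed
            "artifact": self.artifact_id, "action": action, "actor": actor,
            "sha256": sha256_hex(data), "note": note,
        })

    def transfer(self, from_actor: str, to_actor: str, data: bytes) -> bool:
        """Record a handoff; the receiver re-hashes before accepting. Returns True if intact."""
        intact = sha256_hex(data) == self.original_hash
        note = "hash verified" if intact else "HASH MISMATCH: possible tampering, do not accept"
        self._log("transfer", f"{from_actor}->{to_actor}", data, note)
        return intact

    def to_json(self) -> str:
        """Export the log as documentation to attach to the case file."""
        return json.dumps(self.entries, indent=2)


def verify_chain(record: CustodyRecord) -> bool:
    """True only if every logged step saw the same hash as the one taken at collection."""
    return all(e["sha256"] == record.original_hash for e in record.entries)


def collection_order(records) -> list:
    """Order pending artifacts most-volatile-first (order of volatility)."""
    return [r.artifact_id for r in sorted(records, key=lambda r: r.volatility_rank)]
```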