What do I need to know about support investigations for the Certified Information Systems Security Professional (CISSP) exam?

Once it has been established that there needs to be an investigation into an incident, an investigator needs to know the following processes and procedures in order to comply with the legal and legislative parameters. The following need to be understood in order for a candidate to successfully pass their CISSP examination.

Evidence Collection/Handling

Evidence includes facts, items, and information to be presented in a court of law to establish the validity or invalidity of a claim or statement. Evidence is used to help prove a person’s or entity’s innocence or guilt in cases of criminal activity or negligence. Before a court can accept evidence, it must be admissible, authentic, convincing, accurate, and complete.

For this to be done, a proper chain of evidence must be established and maintained throughout the investigation. Having a proper chain of evidence allows the judge to ascertain the following:

  • How the evidence was collected, identified and protected.
  • How the analysis was conducted, and if the data was copied/cloned correctly.
  • How the evidence was stored, preserved, and transported throughout the investigation.
  • How the evidence is presented in court, and by whom.
  • Whether the property has been returned to the owner after the investigation.

In addition to these facts, the Chain of Custody must also be maintained for the following:

  • Who obtained the evidence.
  • Who secured it.
  • Where and when was it collected.
  • Who has had control of the evidence since collection.
  • Evidence is usually stored in a vault to maintain security.

Evidence has a lifecycle, which is basically the time from when it is collected at the crime scene until the time that it is no longer needed. The following generally applies to such evidence:

  • It must be identified and labelled correctly and then protected. The label must state what the evidence is, where it was collected, when it was collected, and by whom. It must be signed and sealed.
  • The analysis must be conducted on identical clones or system images of the evidentiary device. This is so that the original evidence is not accidentally damaged or tampered with.
  • The storage, preservation, and transportation must be recorded and monitored.
  • It must be presented in court accompanied by testimony and opinion.
  • The property must be returned to the victim after the trial or securely stored if the perpetrator is found guilty of the crime. The perpetrator will forfeit his or her rights to the property in such cases.


The reporting section of any investigation is of great importance and, as such, must be done according to the CISSP best practice recommendations. Reports must be complete, detailed, of a high enough quality to be accepted in a court of law, and strong enough in content to stand up to legal scrutiny.

Your report should also include:

  • Your findings for each forensic step and process.
  • A copy of your standard operating procedures.
  • A copy of the checklists that are used in your investigative process.

Remember to use layman’s terminology when presenting evidence and have your reports professionally prepared with bindings or laminations if necessary. The findings in your reports should also be accompanied with time-stamped log files.


This is important to understand because the techniques that are used during an investigation must meet the international standards that have been determined by proven methods. If an investigator does not use such methods, then this may call all of the evidence into question, and result in a mistrial. The main considerations for the CISSP are:

  • Collection, preservation, validation, identification, analysis, interpretation, documentation, and presentation of evidence.
  • IOCE and SWGDE are two organizations that provide forensics guidelines and principles.
  • Forensic principles must be applied to digital evidence.
  • Evidence must not be altered during the collection phase of the investigation.
  • Training must be provided to anyone that accesses digital evidence.
  • All activity pertaining to the evidence, including its investigation, collection and analysis must be fully documented and made available on request.
  • Personnel that are in possession of evidence are responsible for it until it is back in storage.
  • All personnel and entities must be fully certified to work with evidence if the chain of evidence is to be preserved .


This section details how the forensics of the case is conducted and what occurs during the digital forensics process. One of these areas is digital forensics, where three main areas of analysis take place. They are:

  • Media Analysis: This includes the analysis of components such as RAM, hard drives, optical media, SD cards, USBs, hard drives, and backups. Other storage locations are also analyzed, such as the device’s internal storage, external storage, network storage, and cloud services. When performing these tasks, great care must be taken to ensure that there no changes are made to the original sources. Therefore, a forensic copy must be made of the originals in a read-only state. For this, specialized hardware must be used.
  • Network Analysis: Network analysis is carried out on equipment such as routers, modems, and firewalls, as well as any network appliance that stores logs or records of transactions and transmissions. Exfiltration is commonly used in these scenarios to ascertain what outbound traffic occurred over a specific time period. Records from an internet service provider may also be used, and these records might require special court orders and warrants. The configurations of these devices should also be preserved; if something in the main evidence fails, it is good to have a backup of the configuration so that it may be restored to an identical unit for analysis.
  • Software Analysis: Software analysis requires in-depth investigation to properly understand the state of a machine as evidence. Emails, virus activity, log files, timestamps, and metadata all play roles in an investigation, as do browser histories and user activity on the computer laptop or smartphone. Hashing algorithms are also used to skip over files that are not suspicious, which are present in common installations such as Microsoft Windows.

What requirements for investigation types do I need to know?

The following investigation types are covered in the CISSP and must be understood by candidates who wish to certify.

They are:

  • Operational
  • Criminal
  • Civil
  • Regulatory
  • E-Discovery

This is the process by which investigators must produce court-ordered information that is to be made available in the case. It is electronically stored and is to be used as evidence in a court case. When a request is made, investigators must make all of the data available. If the data is not available, investigators must either acquire the information via forensics processes or hire a court-certified forensics investigator specialist to acquire it on their behalf. An electronic register must be maintained during your investigation and an investigative policy procedure must also be kept so that the proper processes can be followed for each investigation. Other factors to consider are:

  • Electronic Inventory
  • Data Retention Policies
  • Data Recovery
  • Data Storage
  • Data Ownership
  • Data Handling

CISSP Instant Pricing – InfoSec


For more information on certifying your CISSP, take a look at Infosec’s CISSP Bootcamp, which can be found here. This offers candidates an excellent learning resource that will help to kick-start their journey towards gaining this certification.

Be Safe

Section Guide


View more articles from Graeme

Earn your CISSP the first time with Infosec and pass your exam, GUARANTEED!

Section Guide


View more articles from Graeme