Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
The forensic process of gathering and preserving digital data so it stays intact and admissible, governed by chain of custody and integrity hashing.
Evidence Collection Definition: The forensic process of gathering and preserving digital data so it stays intact and admissible, governed by chain of custody and integrity hashing.
Evidence collection is the forensic process of gathering and preserving data for analysis or legal proceedings while maintaining its integrity throughout. In incident response and digital forensics, it ensures that artifacts from systems, networks, and devices remain accurate, complete, and admissible so they can support investigation, attribution, and potential prosecution.
The process follows disciplined procedures to keep evidence trustworthy. Investigators document a chain of custody recording who handled each item, when, and why; create forensic images or bit-for-bit copies rather than working on originals; and compute cryptographic hashes (such as SHA-256) before and after copying to prove the data was not altered. The order of volatility guides collection, capturing the most ephemeral data first, for example memory and network connections, before disk and archived logs. Tools and write-blockers prevent accidental modification of source media.
This matters because evidence that is mishandled can be challenged or thrown out, undermining an investigation and any legal action. Improper collection may also destroy the very data needed to understand an incident, such as volatile memory lost when a system is powered off. Preserving integrity and a documented chain of custody is what separates defensible forensic evidence from data that an opposing party can dispute as tampered or unreliable.
For example, after a server compromise, a responder first captures the system's volatile memory and active network connections, then images the disk with a write-blocker to prevent changes to the original drive. They record a SHA-256 hash of the image, log each handoff in a chain-of-custody form, and store the original media in a sealed, access-controlled location. Analysts then work only on verified copies, so any findings presented later can be shown to derive from unaltered, properly preserved evidence.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →