2.2.4. Investigation Types and Evidence Standards
💡 First Principle: The type of investigation determines what evidence is needed, how it must be collected and preserved, and who has authority over the process. Treating all investigations as criminal investigations — collecting evidence as if for prosecution — is usually overkill and creates unnecessary legal risk; treating a potential criminal matter as merely administrative can destroy evidence that law enforcement needs.
Five investigation types and their requirements:
| Type | Who Conducts | Standard | Objective | Evidence Implications |
|---|---|---|---|---|
| Administrative | HR/management | Internal policy | Policy violation, HR action | Internal policies govern; maintain chain of custody anyway |
| Criminal | Law enforcement (FBI, local PD) | Beyond reasonable doubt | Prosecution | Strict chain of custody; do NOT tamper; law enforcement takes lead |
| Civil | Private parties (attorneys) | Preponderance of evidence | Damages, injunctions | eDiscovery applies; litigation hold required; scope defined by courts |
| Regulatory | Government agencies (FTC, SEC, OCR) | Agency-specific | Compliance determination, penalties | Agency may compel document production; scope defined by regulation |
| Industry Standards | QSAs, auditors, standards bodies | Contractual terms | Certification status | Defined by standard (PCI DSS, ISO 27001 audit requirements) |
Digital evidence and chain of custody — for any evidence that may be used in legal proceedings:
- Identify — Determine what evidence exists and where
- Preserve — Prevent alteration (write blockers for storage media, legal holds for documents)
- Collect — Create forensic copies using verified tools; hash originals
- Examine — Analyze copies, never originals
- Document — Every person who touches evidence signs the chain of custody log
- Present — Demonstrate integrity from collection to presentation
Chain of custody documents who had possession of evidence, when, and what was done with it. A break in chain of custody can make evidence inadmissible even if the evidence itself is valid.
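The Collect, Document and Present steps above, as an added example that is not part of the original page: it takes a forensic copy of constructed sample bytes, hashes original and copy, records every handoff in a custody log, and at presentation time checks that no hash changed and no release went unreceived. The handler names, source label and log format are assumptions made for the example.

```python
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    """Digest of the evidence bytes, taken at acquisition and re-checked at every handoff."""
    return hashlib.sha256(data).hexdigest()

def entry(handler: str, action: str, digest: str) -> dict:
    """One signed line of the chain-of-custody log: who, what, when, and the hash they saw."""
    return {"handler": handler, "action": action, "sha256": digest,
            "time": datetime.now(timezone.utc).isoformat()}

def acquire(original: bytes, examiner: str, source: str) -> dict:
    """Collect: make a forensic copy, hash original and copy, and confirm they match
    before the copy is accepted as the working image (analysis never touches the original)."""
    working_copy = bytes(original)
    if sha256_hex(working_copy) != sha256_hex(original):
        raise RuntimeError("forensic copy does not match original; acquisition failed")
    digest = sha256_hex(original)
    return {"source": source, "acquisition_hash": digest, "working_copy": working_copy,
            "log": [entry(examiner, "acquired and hashed", digest)]}

def transfer(evidence: dict, from_handler: str, to_handler: str) -> None:
    """Document: a handoff is two log lines (release and receipt) carrying the current hash."""
    digest = sha256_hex(evidence["working_copy"])
    evidence["log"].append(entry(from_handler, f"released to {to_handler}", digest))
    evidence["log"].append(entry(to_handler, f"received from {from_handler}", digest))

def verify_chain(evidence: dict) -> tuple:
    """Present: integrity holds only if every logged hash equals the acquisition hash,
    every release is matched by the named receiver's receipt, and the copy is unchanged."""
    expected, log = evidence["acquisition_hash"], evidence["log"]
    for i, e in enumerate(log):
        if e["sha256"] != expected:
            return False, f"hash mismatch at log entry {i} ({e['handler']}: {e['action']})"
        if e["action"].startswith("released to "):
            receiver = e["action"][len("released to "):]
            if i + 1 >= len(log) or log[i + 1]["handler"] != receiver:
                return False, f"custody gap after {e['handler']} released evidence"
    if sha256_hex(evidence["working_copy"]) != expected:
        return False, "working copy altered after last log entry"
    return True, "chain intact"

if __name__ == "__main__":
    # Constructed sample evidence (hypothetical source label and handler names).
    ev = acquire(b"constructed disk image bytes", "analyst A", "laptop-01 SSD")
    transfer(ev, "analyst A", "evidence custodian")
    print(verify_chain(ev))
```

A break is reported at the first point where the log stops proving continuous possession, which is exactly where admissibility would be challenged.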
eDiscovery — in civil litigation, parties must preserve and produce electronically stored information (ESI) relevant to the case. A legal hold suspends normal retention schedules so that relevant ESI is not deleted before it can be produced. Failure to preserve can result in spoliation sanctions — including the court instructing the jury to assume the missing evidence was harmful to the party that destroyed it.
⚠️ Exam Trap: When a security team discovers evidence of criminal activity, they should NOT continue investigating independently — they should preserve evidence and contact law enforcement. Continued investigation by untrained staff can contaminate evidence and alert the subject. The security team's role is to preserve and hand off, not to prosecute.
Reflection Question: During a routine audit, you discover evidence that an employee has been systematically stealing customer credit card data for six months. HR wants to handle it administratively and terminate the employee quietly. Legal wants to involve law enforcement. What are the competing considerations, and what should the security professional recommend?