A multinational financial institution notices unusual network activity during a routine security audit.

Chain of custody is the formal process used to document and preserve evidence integrity by recording who collected the evidence, who accessed it, where it was stored, and when it changed hands. In SOC and forensic operations, chain of custody is essential for maintaining evidentiary reliability, especially in cases with regulatory, legal, or disciplinary implications. It ensures that evidence has not been altered, tampered with, or mishandled, and it supports defensible conclusions about what occurred. Incident documentation is broader and includes timelines, decisions, actions taken, and communications, but it does not specifically track evidence handling transfers. Data imaging is the creation of a forensic copy of storage media (disk image), a separate technical step that may be recorded within chain-of-custody logs. Digital fingerprinting refers to generating hashes or other identifiers to confirm file integrity; again, it is a technique used within evidence handling, but the tracking record of handlers, locations, and transfers is chain of custody. For SOC analysts, correctly maintaining chain of custody is critical when responding to breaches involving sensitive customer records and potential compliance investigations.