Read/Write Radio Frequency Identification (R/W RFID) chips are commonly used to tag stock in retail shops. The security risk of RFID has been well established in the literature and hence there is potential for fraudulent use of RFID networks in commercial settings. This study proposes the identification of all possible data storage locations in a RFID system, a method for forensic extraction of the data, preservation, analysis and best practice recommendations for digital forensic investigators working on RFID systems. The research shows that it is possible to identify theft from a RFID business system (RIFD BS) after a tag poisoning attack. In order to conduct the proposed research, a trial system was set up in the lab to simulate a commercial retail situation where theft occurred. The normal operation of the trial system was documented as the trusted operation of a stable RFID retail system. The simulation context was the retail environment of clothing and electronic goods, as in such environments Stock Items (SI) could vary in price from a few dollars to tens of thousands of dollars. Hence, the stabilized BS was stressed by using a malicious poisoning attack to change the value of the stock item from the backend SQL Server. Then the entities of BS such as SI, point of sale (POS), business information system (BIS) were investigated in order to locate the potential evidence for the theft of the SI. The methodology used in a simulated environment was based on descriptive methods in which the case scenario of the replicated SQL poisoning attack through a R/W RFID Tag was initiated. To investigate the presence of digital evidence after the theft of a SI, a customized RFID middleware and ReaderLogExtraction tool (to acquire bit-to-bit evidence from RFID reader’s memory) were developed based on Software Development Kit (SDK) of the RFID reader’s manufacturing company. Live forensic investigation was performed by using customized incident response toolkits (Helix_RFID_IR and dcfldd toolkits) and a hardware write-blocker. The descriptive methodology allowed the elaboration of precise details relevant to the research question. The purpose of the main research question was to perform the complete and accurate forensic examination of a compromised RFID stock management system in the retail sector. As a result, the digital forensic investigation (DFI) procedures such as acquisition, extraction, preservation and analysis of potential evidence data were carried out in a forensically sound manner. Hence, such DFI procedures were the important phases of this descriptive research. During the forensic investigation, the traces of evidence after the poisoning attack were able to be identified, acquired, preserved, analysed and presented according to DFI principles and guidelines. The significant findings were found in each entity of the simulated RFID BS. For instance, changes to the original values of SIs were found in the backend database and evidence of the malicious poisoning code was found in the transaction log of the backend server. Moreover the evidential traces of the fake tag ID, date and timestamp were also found in the memories of RFID reader and POS host station. In the simulated research experiment, the theft of a SI through an orchestrated test scenario of hardware, software and social engineering illustrates the potential vulnerability of RFID based retail systems. To conclude, the research conducted confirms that the DFI procedures used were able to obtain viable digital evidence from a compromised RFID stock management system in the retail sector. The learning from conducting this research provided not only additional knowledge in DFI of RFID BS, but also best practices for digital forensic researchers and practitioners. Consequently, providing assurance of the DFI process to present trustworthy digital evidence could prove the theft of stock items in a RFID retail system.