Digital Evidence Handling

  • Digital Evidence Process: Identification -> Preservation -> Collection -> Analysis -> Reporting

  • Forms of Digital Evidence:

    • Email

    • Digital Photographs

    • Logs

    • Documents

    • Messages

    • Files

    • Browser History

    • Databases

    • Backups

    • Disk Images

    • Video/audio files

  • Digital evidence handling tenets:

    • No altering of original evidence

    • Use write-blockers

    • Document the process

  • Order of Volatility (most volatile first): volatile data includes running memory or the Address Resolution Protocol (ARP) cache

    • Registers & Cache: CPU cache contents

    • Memory: RAM contents

    • Disk (HDD and SSD)

    • Remote Logging and Monitoring Data

    • Physical Configuration, Network Topology, Archival Media

  • Follow chain of custody by:

    • Using Evidence Integrity Hashing

    • Taking a Forensic Copy

    • Storing Digital Evidence securely

    • Using Chain of Custody Form
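
An added example (not part of the original notes) of the hashing and forensic-copy steps above: the source is hashed, copied byte for byte, the copy is hashed and compared, and the result is recorded as a chain-of-custody entry; a later change to the stored copy is then caught by re-hashing. The sample evidence bytes and file names are constructed.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample evidence standing in for a disk image or log file.
SAMPLE_EVIDENCE = b"2024-01-01T00:00:00Z sshd[1234]: Accepted publickey for analyst\n" * 64

def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def take_forensic_copy(original, copy_path):
    """Hash the source, copy it byte for byte, hash the copy and return a
    chain-of-custody record (a write-blocker protects the source in the field)."""
    source_hash = hash_file(original)
    shutil.copyfile(original, copy_path)  # content only, source opened read-only
    copy_hash = hash_file(copy_path)
    return {
        "action": "forensic_copy",
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": str(original),
        "copy": str(copy_path),
        "algorithm": "sha256",
        "source_hash": source_hash,
        "copy_hash": copy_hash,
        "verified": source_hash == copy_hash,
    }

def verify_integrity(path, recorded_hash):
    """Re-hash stored evidence and compare it with the hash on the custody form."""
    return hash_file(path) == recorded_hash

def demo():
    """Acquire a copy, verify it, then show that a later change is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        source = Path(workdir) / "original.img"
        source.write_bytes(SAMPLE_EVIDENCE)
        copy = Path(workdir) / "copy.img"
        record = take_forensic_copy(source, copy)
        intact = verify_integrity(copy, record["copy_hash"])
        copy.write_bytes(SAMPLE_EVIDENCE + b"\n")  # simulate an altered copy
        tampered_detected = not verify_integrity(copy, record["copy_hash"])
    return record, intact, tampered_detected
```

Calling `demo()` returns the custody record, `True` for the freshly verified copy, and `True` for detection of the altered copy; in practice the record is what goes on the chain of custody form alongside who handled the media and when.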
