# Digital Evidence Handling

* Digital Evidence Process: Identification -> Preservation -> Collection -> Analysis -> Reporting
* Forms of Digital Evidence:
  * Email
  * Digital Photographs
  * Logs
  * Documents
  * Messages
  * Files
  * Browser History
  * Databases
  * Backups
  * Disk Images
  * Video/audio files
* Digital evidence handling tenets:
  * No altering of original evidence
  * Use write-blockers
  * Document the process
* Order of Volatility: Volatile data includes running memory or the Address Resolution Protocol (ARP) cache
  * Registers & Cache: CPU cache contents
  * Memory: RAM contents
  * Disk (HDD and SSD)
  * Remote Logging and Monitoring Data
  * Physical Configuration, Network Topology, Archival Media
* Follow chain of custody by:
  * Using Evidence Integrity Hashing
  * Taking a Forensic Copy
  * Storing Digital Evidence securely
  * Using Chain of Custody Form
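
An added example (not part of the original notes) of the hashing and forensic-copy steps above: hash the original, copy it, verify the copy against that hash, and record each step. The JSON-lines log format, the item ID `ITEM-001` and the handler name are hypothetical, and the small file standing in for a disk image is constructed.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB blocks so large images need not fit in RAM

def sha256_file(path):
    """Hash a file opened read-only; the evidence is never opened for writing."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def forensic_copy(src, dst):
    """Copy src to dst, hashing the source as it is read, then re-hash the copy from disk."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "xb") as fout:  # "x": refuse to overwrite
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)
            fout.write(block)
    src_hash, copy_hash = h.hexdigest(), sha256_file(dst)
    if src_hash != copy_hash:
        raise ValueError("copy does not match original")
    os.chmod(dst, 0o444)  # keep the working copy read-only as well
    return src_hash

def custody_entry(log_path, item_id, action, handler, digest):
    """Append one JSON line per custody event (hypothetical log format)."""
    entry = {"item": item_id, "action": action, "handler": handler,
             "sha256": digest, "utc": datetime.now(timezone.utc).isoformat()}
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def demo():
    """Constructed sample: a small file stands in for a disk image."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "evidence.img")
    with open(original, "wb") as f:
        f.write(b"constructed sample evidence\n" * 1000)
    log = os.path.join(work, "custody.jsonl")
    acquired = sha256_file(original)
    custody_entry(log, "ITEM-001", "acquired", "analyst-a", acquired)
    copied = forensic_copy(original, os.path.join(work, "evidence.copy.img"))
    custody_entry(log, "ITEM-001", "forensic copy verified", "analyst-a", copied)
    return acquired, copied, log
```

Opening the source read-only in software does not replace a write-blocker; analysis is done on the verified copy, and re-running `sha256_file` on it later shows whether it still matches the logged digest.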
