Digital Evidence Handling
Digital Evidence Process: Identification -> Preservation -> Collection -> Analysis -> Reporting
Forms of Digital Evidence:
Email
Digital Photographs
Logs
Documents
Messages
Files
Browser History
Databases
Backups
Disk Images
Video/audio files
Digital evidence handling tenets:
No altering of original evidence
Use write-blockers
Document the process
Order of Volatility (most volatile first; volatile data includes running memory or the Address Resolution Protocol (ARP) cache):
Registers & Cache: CPU cache contents
Memory: RAM contents
Disk (HDD and SSD)
Remote Logging and Monitoring Data
Physical Configuration, Network Topology, Archival Media
Follow chain of custody by:
Using Evidence Integrity Hashing
Taking a Forensic Copy
Storing Digital Evidence securely
Using Chain of Custody Form
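Added example (not part of the original notes) showing how evidence integrity hashing, a forensic copy and a chain-of-custody record fit together: the original is hashed before and after copying to prove it was not altered, the copy is hashed to prove it matches, and each event is appended to a custody log. All file names, the handler name and the sample "disk image" are constructed for the demo.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    # Hash in chunks so a large disk image never has to fit in RAM.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(original, copy_path, handler, custody_log):
    # Forensic copy, proof the original was not altered, and a custody record.
    before = sha256_file(original)
    shutil.copyfile(original, copy_path)
    after = sha256_file(original)        # re-hash: original must be unchanged
    copy_hash = sha256_file(copy_path)
    if not (before == after == copy_hash):
        raise RuntimeError("integrity failure: original or copy changed during acquisition")
    os.chmod(copy_path, 0o440)           # analysts work on the read-only copy, never the original
    record = {"time_utc": datetime.now(timezone.utc).isoformat(), "action": "forensic copy",
              "source": original, "copy": copy_path, "sha256": copy_hash, "handler": handler}
    with open(custody_log, "a") as log:  # one JSON line per custody event
        log.write(json.dumps(record) + "\n")
    return record

def verify(copy_path, expected_sha256):
    # Re-hash the copy; any change since the custody record was written shows up here.
    return sha256_file(copy_path) == expected_sha256

def demo():
    # Runs the workflow on a constructed sample image; returns (record, intact, tamper_detected).
    workdir = tempfile.mkdtemp()
    original, copy_path = os.path.join(workdir, "evidence.img"), os.path.join(workdir, "copy.img")
    log = os.path.join(workdir, "custody.jsonl")
    with open(original, "wb") as f:      # constructed stand-in for a seized disk image
        f.write(b"\x00" * 4096 + b"sample evidence" + b"\xff" * 4096)
    record = acquire(original, copy_path, "analyst-1 (constructed name)", log)
    intact = verify(copy_path, record["sha256"])   # True right after acquisition
    os.chmod(copy_path, 0o640)           # simulate someone altering the copy afterwards
    with open(copy_path, "ab") as f:
        f.write(b"!")
    tamper_detected = not verify(copy_path, record["sha256"])
    shutil.rmtree(workdir)
    return record, intact, tamper_detected
```

Running `demo()` returns the custody record together with `intact == True` and `tamper_detected == True`, so a single appended byte on the copy is caught by re-hashing against the record.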