Forensics and Cyber Threat Research Area

Threat Intelligence | Insider Threat Detection | User Behavior Analytics | Cyber Threat Management | Data Security Intelligence | Cloud Security Intelligence Application Security Intelligence | Anomaly & Pattern Detection |  Security Information Event Management | Digital Forensics | Data Recovery | Malware Investigation | Packet Analytics | Packet Forensics | security operations and analytics platform architecture (SOAPA)

Digital Evidence Collection and Data Seizure

Home » Blog » Digital Evidence Collection and Data Seizure

 Posted in Digital Forensics

Digital Evidence Collection and Data Seizure

   6th December 2015  Leave a Comment on Digital Evidence Collection and Data Seizure 0 1092

Digital Evidence Collection and Data Seizure

Project Name: Digital Evidence Collection and Data Seizure

Description: This blog will help all forensics investigator for Digital Evidence Collection and Data Seizure

Author: Rohit D Sadgune

Frequently Asked Question on Computer Forensics Investigation

  • Checklist of Digital Evidence Collection and Data Seizure

 

  1. Make sure that once you’ve created a master copy of the original data, you don’t touch it or the original itself—always handle secondary copies.
  2. Have procedures in place to document the nature, extent, and reasons for changes to the data.
  3. Make sure you understand what you are doing, because you have to be able to account for any changes you made and describe exactly what you did. If you ever find yourself out of your depth, either learn more before continuing (if time is available) or find someone who knows the territory.
  4. Make sure your plan of action is not based on trial and error. No one is going to believe you if they can’t replicate your actions and reach the same results.
  5. Work fast, so that there is a less likelihood that the data is going to change.
  6. Always try to collect the most volatile evidence first, because some electronic evidence is more volatile than others. You should proceed from volatile to persistent evidence.
  7. Never, ever shut down a system before you collect the evidence.
  8. Avoid rebooting at all costs. It is even worse than shutting a system down and should be avoided. As a general rule, until the compromised disk is finished with and restored, it should never be used as a boot disk.
  9. Any programs you use should be on read-only media (such as a CD-ROM or a write-protected floppy disk) and should be statically linked. Because the attacker may have left trojaned (trojan horse) programs and libraries on the system, you may inadvertently trigger something that could change or destroy the evidence you’re looking for.
  10. Make sure your planning stage takes place prior to any investigator arriving at the computer crime scene, including two ways to structure a team of investigators.
  11. Make sure that you have good case management software. It can go a long way in easing the burden of carrying out a search and seizure.

GO BACK TO COMPUTER FORENSICS CHECKLIST

Author: Rohit Sadgune
Core Working Areas :- Threat Intelligence, Digital Forensics, Incident Response, Fraud Investigation, Web Application Security Technical Certifications :- Computer Hacking Forensics Investigator | Certified Ethical Hacker | Certified Cyber crime investigator | Certified Professional Hacker | Certified Professional Forensics Analyst | Redhat certified Engineer | Cisco Certified Network Associates | Certified Firewall Solutions | Certified Network Monitoring Solution | Certified Proxy Solutions
Website

Leave a Reply

Your email address will not be published. Required fields are marked *

Enter Captcha Here : *

Reload Image

Indicator of Attacks | Indicator of Compromise

Top SIEM Use Cases | Threat Hunting Hypothesis | Deep Packet Inspection | Insider Threat Hunting | Hunting Data Exfiltration | Banking Fraud | ATM Use Cases | Cross Channel Data Exfiltration | Hunting Endpoint Anomaly | Denial-of-service | Man-in-the-middle (MitM) attack | Spear phishing attacks | Drive-by attack | Eavesdropping attack | Birthday attack