From the course: Learning Cyber Incident Response and Digital Forensics
Preserving evidence
- [Instructor] In this lesson, we're going to discuss how to determine what evidence must be collected and retained. So now that you've been called onto the scene to collect the evidence during your forensic investigation, you need to determine what evidence must be collected and retained based on the specifics of this case that we're investigating. Now, our goal is to collect any evidence that we can find that will show the suspect had illegal images in their possession, either currently on their computer or in their previously deleted items that we can find if we analyze the slack space of their disk image. When we first arrive on the scene, it's going to be important for us to document what we see, since this is also important evidence. For example, what was on the screen when you first walked into the room and looked at the monitor connected to that workstation? Was it showing their Windows desktop?…
Contents
- Digital forensic investigation (1m 43s)
- Preserving evidence (5m 23s)
- Preparing an evidence drive (2m 42s)
- Creating a trusted tools USB drive (13m 35s)
- Collecting volatile evidence (6m 39s)
- Collecting network evidence (6m 5s)
- Imaging storage devices with FTK (7m 25s)
- Imaging a USB drive with DD (4m 19s)
- Review of the chapter quiz (5m 20s)