Evidence Preservation

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Sign up with Google
Sign up with Apple
Sign up with Microsoft
View all SSO options

Already have an account? Sign In »

DFIR Investigations and Witness Testimony
Course
Time
1 hour 49 minutes
Difficulty
Intermediate
Video Transcription
00:00
module 2.2 is the next step in the process
00:06
that leads to expert testimony.
00:08
That's the evidence preservation phase. Once you've identified what needs to be collected and you ensure you have the proper authority to collect it now, you need to preserve the data.
00:18
The question is, how do you preserve the data?
00:21
Because this by far is the most important step
00:25
in the process being an expert witness
00:28
because it's the evidence preservation stage off the process that opens up the most issues for admissibility
00:38
and the most questions
00:40
from opposing experts and for opposing attorneys.
00:46
In this video, we're gonna cover the evidence preservation process. We'll talk about how to collect data, how data could be collected, what types of data could be collected or should be considered
01:00
when collecting data. There's a number of different ways and number of different types of data that you could collect.
01:04
If you're dealing with desktops, laptops or servers, you might
01:08
often go for a bit for bit forensic image, a full physical collection of every zero on one on the hard drive.
01:18
You could, however, choose to just collect a logical image of the files. A logical collection of just the active file data.
01:29
You could choose to collect just email data in the form of PST s or other email archiving formats.
01:38
You could talk about collection of mobile devices using celebrate or oxygen or X or Y, or a number of other tools that are out there.
01:48
If your servers air largely virtual, you might need to get a backup of the virtual servers into a V, M, D K. Or some other
01:56
virtual format.
01:59
You might also be talking about database backups, sequel database backups or other types of database backups.
02:07
You could be talking about cloud data, email or data that is stored in the cloud, not on a
02:15
local computer that you may need to download or collect or work with the
02:21
vendor to collect.
02:22
And don't forget also i o T devices. Apple watches,
02:27
um,
02:28
smart thermostats, other devices that are part of the Internet of things that could be relevant to your matter.
02:38
In this video, we covered the evidence preservation process
02:43
and the different types of evidence that can be collected
02:46
and should be considered
Up Next
View All
Instructed By
Dustin Sachs

Dustin Sachs

Instructor
Similar Content
Computer Hacking and Forensics
Course
Computer Hacking and Forensics
4
If you love the idea of doing digital forensics investigations to catch cybercriminals and want ...
18CEUs
Computer Forensics and Investigations
Virtual Lab
Computer Forensics and Investigations
3
Learn to determine potential online criminal activity at its inception, legally gather evidence, search and ...
Log Correlation & Analysis to Identify Potential IOC
Virtual Lab
Log Correlation & Analysis to Identify Potential IOC
4.33
When defending networked digital systems, attention must be paid to the logging mechanisms set in ...