Evidence collection is the step that lets incident responders understand how an attack unfolded and trace the attacker. Responders therefore need to know where evidence is likely to be found and how to collect it without damaging it. This section discusses collecting and preserving evidence, collecting physical evidence, dealing with powered-on computers, powered-off computers and networked computers, handling open files and startup files, the operating system shutdown procedure, and collecting evidence from social networks.
Collecting and preserving evidence
Anyone acting as a first responder should secure and document the crime scene, and should have the proper authority, training, and skill to begin collecting evidence. Before starting to collect evidence, first responders should keep the following points in mind:
- When an incident is reported and a computer is assumed to be part of the incident, it is often the case that this computer is the first and only item seized.
- The crime scene should be investigated in a manner that covers the whole area, treating the computer as the centre of the circle.
- Each piece of evidence found at the crime scene should first be photographed, then identified in the documentation, and only then properly collected.
- All collected evidence should be marked clearly so that it can be easily identified later.
Before collection begins, record the following details about the device:
1) Type of device and model
2) Power status (on, off, sleeping)
3) Network status and type of network
4) Backups: backup interval, date and time of the last backup, and where the backups are stored
5) Whether it is necessary to take the server down, and the business impact of doing so
6) Approval of the relevant authorities and local management
Collecting physical evidence
The victim computer and its components are important sources of evidence in a computer forensic investigation. Collect all electronic devices and any other media found at the crime scene. Seize storage devices such as hard drives, memory cards, and removable media, as they may hold stored information. Hand-held devices such as smartphones, mobile phones, PDAs, digital multimedia devices, and GPS receivers can hold valuable evidence such as web browsing history, emails, chat logs and friend lists, pictures and image files, and financial records. Peripheral devices are themselves potential evidence: information stored in them, such as scanned or printed documents, incoming and outgoing phone and fax numbers, and data about device usage, can all be valuable.
The physical evidence should include:
1) Removable media
2) Cables
3) Publications
4) All computer equipment, including peripherals
5) Items taken from the trash
6) Miscellaneous items
Dealing with powered-on computers
Electronic evidence is volatile in nature and easily damaged during collection, preservation, and analysis. First responders must therefore act with caution when handling powered-on computers to avoid damaging the evidence residing on them. In a powered-on computer, whether portable or desktop, the RAM holds crucial information that is volatile: removing or switching off the power supply destroys it.
First responders should perform the following steps while collecting electronic evidence from powered-on computers:
1. If the computer is switched on and the screen is viewable, photograph the screen and document the running programs.
2. If a portable computer wakes up, record the date and time at which this happens, photograph the screen, and give a brief description of all the programs running.
3. If the computer is on and the monitor shows a screensaver, move the mouse slowly without pressing any button, then photograph and document the programs.
4. Only after all the volatile data has been collected, power off the device.
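The two requirements above, that every seized item is clearly labelled and documented (photograph, location, collector, power and network status) and that volatile data is acquired before the power is removed, can be enforced in a small evidence-inventory tool. The following is an added example written for this article, not code from the original page or from EC-Council; the volatility ranks, the `CASE-0001` label format, the item names and the constructed "RAM image" bytes are all assumptions of the example. The custody log chains each entry to the hash of the previous one, so any later edit to an earlier entry is detected by `verify()`.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Volatility rank per item kind (an assumption of this example): higher rank is
# acquired first, because RAM and network state vanish when power is removed
# while storage media, cables and paper do not.
VOLATILITY = {"ram": 3, "running_processes": 3, "network_state": 2,
              "hard_drive": 1, "removable_media": 1, "mobile_device": 1,
              "cables": 0, "publications": 0, "trash": 0}


@dataclass
class EvidenceItem:
    item_id: str        # clear, unique label applied to the item at the scene
    description: str
    kind: str           # key into VOLATILITY
    location: str       # where on the scene the item was found
    collector: str      # first responder who seized it
    photo_ref: str      # photograph taken before the item was moved
    power_state: str = "n/a"
    network_state: str = "n/a"
    sha256: Optional[str] = None   # hash of the acquired image, if any


def make_item_id(case: str, seq: int) -> str:
    """Label such as CASE-0001 so the item can be identified later."""
    return f"{case}-{seq:04d}"


def collection_order(items: List[EvidenceItem]) -> List[EvidenceItem]:
    """Most volatile first; sorted() is stable, so ties keep seizure order."""
    return sorted(items, key=lambda i: -VOLATILITY.get(i.kind, 0))


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log. Each entry embeds the hash of the
    previous entry, so editing or dropping an earlier entry breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries: List[dict] = []

    def record(self, item: EvidenceItem, action: str, actor: str,
               when: Optional[str] = None) -> dict:
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {"item_id": item.item_id, "action": action, "actor": actor,
                "time": when, "sha256": item.sha256, "prev_hash": prev}
        body["entry_hash"] = hash_bytes(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            if hash_bytes(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def run_demo() -> dict:
    """Constructed scene: a powered-on desktop, its RAM capture, a USB stick and
    cables. Returns the collection order and whether the custody log verifies
    before and after a simulated tampering attempt."""
    case = "CASE-42"
    items = [
        EvidenceItem(make_item_id(case, 1), "Desktop PC under desk", "hard_drive",
                     "Room 3, desk 2", "responder A", "IMG_0101.jpg",
                     power_state="on", network_state="wired LAN"),
        EvidenceItem(make_item_id(case, 2), "RAM capture of desktop", "ram",
                     "Room 3, desk 2", "responder A", "IMG_0102.jpg"),
        EvidenceItem(make_item_id(case, 3), "USB stick in drawer", "removable_media",
                     "Room 3, drawer", "responder B", "IMG_0103.jpg"),
        EvidenceItem(make_item_id(case, 4), "Cables behind desk", "cables",
                     "Room 3", "responder B", "IMG_0104.jpg"),
    ]
    ordered = collection_order(items)
    ordered[0].sha256 = hash_bytes(b"constructed RAM image bytes")  # stand-in for a real dump
    log = CustodyLog()
    for it in ordered:
        log.record(it, "seized", it.collector, when="2024-03-01T09:00:00+00:00")
    log.record(ordered[0], "sealed in evidence bag", "responder A",
               when="2024-03-01T09:30:00+00:00")
    intact = log.verify()
    log.entries[0]["actor"] = "someone else"   # simulate a later edit of the record
    return {"order": [i.item_id for i in ordered], "intact": intact,
            "after_tamper": log.verify()}
```

Running `run_demo()` returns the RAM capture (`CASE-42-0002`) first in the collection order, `intact` as `True`, and `after_tamper` as `False`. In practice the `sha256` field would be computed over the actual acquired image file and the log written to write-once media, but the ordering rule and the hash chain are the parts that carry over unchanged.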
Collecting evidence from social networks
The number of people using social networking sites is increasing rapidly; it has become one of the easiest ways to communicate and share information, and cybercriminals have found ways to commit crimes through it. Because social media is used for illegal and criminal purposes, it has become an important source of evidence in computer forensics. Popular social networking sites include Facebook, WhatsApp, Twitter, LinkedIn, Google+, and Snapchat. Social media forensics relies on a limited set of data sources, because seizing the provider's servers is not possible and obtaining data requires the service operator's cooperation. The evidence that can be obtained includes:
Social footprint: the user's social graph and with whom the user is connected.
Communication pattern: the network used for communicating, the method of communication, and with whom the user has communicated.
Pictures and videos: pictures and videos uploaded by the user, and other people's pictures and videos in which the user is tagged.
Times of activity: the times at which the user connected to the social network, and the exact time a specific activity of interest took place.
Apps: apps used by the user, their purpose, and the data that can be inferred from them in the social context.
Interaction pattern: how the user interacts with others through messages, and how frequently.
Activity timestamps: the timeline of the user's activities on the social network gives very important information for the investigation. The timestamps of communications and of information sharing, such as posting photos and status updates, reveal what a specific user was doing and when.
User location: social networking sites have geo-tagging or location update features with which users can record their precise location at a given time.
Evidence collection and analysis is the retrieval and subsequent investigation of criminal evidence obtained from a crime scene. Evidence collection from these different sources is covered in the EC-Council accredited CTIA (Certified Threat Intelligence Analyst) training offered by Infosavvy in Chennai.
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com