Section 24.233 Data Collection Procedures Flashcards
Objective 4.8 Explain appropriate incident response activities
Digital Forensic Collection Techniques
Involve making forensic images of data for later analysis
■ This approach allows incident response teams to resume operations quickly
while maintaining evidence
■ Evidence may be required for potential legal action and cooperation with law
enforcement
Data collection involves
■ Capturing and hashing system images
■ Analysing data with forensic tools:
● FTK (Forensic Toolkit)
● EnCase
■ Capturing machine screenshots
■ Reviewing network logs
■ Collecting CCTV video
Order of Volatility
Guides the sequence of collecting data, from most volatile (CPU registers and
cache) to least volatile (archival media)
Collect first whatever could be lost or changed quickly, including data an attacker could alter to cover up malicious activity; a reboot or shutdown wipes the most volatile items before anything else
Licensing and documentation
Licensing and documentation reviews ensure system configurations align with their design
Data Acquisition
The method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk: the copy is bit-for-bit, hash-verified against the source, and made without altering the source (e.g. through a write blocker)
■ Policies for bringing one’s own device (BYOD) complicate data acquisition
because it may not be legally possible to search or seize the devices
■ Some data can only be collected once the system is shut down or the power is
disconnected (e.g. imaging a removed disk through a hardware write blocker), but doing so destroys everything more volatile than the disk, so capture memory first
Data Acquisition: the first thing to ask is whether you have the legal go-ahead to capture the data (authorisation from the device owner, policy or a warrant); without it the evidence may be inadmissible
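Worked example of the "capturing and hashing system images" step and of a forensically sound copy, added here and not part of the original notes: a POSIX shell script that images a source with dd, hashes source and image with SHA-256, and records both hashes in a manifest so the image can be re-verified later. The source in the usage is a constructed sample file standing in for a block device; the function names, the manifest layout and the 512-byte block size are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original notes: make a forensic image with dd,
# hash source and image, and keep the hashes in a manifest for later checks.
# The function names, manifest format and block size are this example's own.
set -eu

# sha256 of a file; sha256sum on Linux, shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image <source> <image>: copy the source block-for-block, then
# prove the copy matches by hashing both sides. Prints "VERIFIED <hash>"
# and returns 0 on a match; returns 1 on a mismatch.
# In a real acquisition <source> is a device attached via a hardware write
# blocker (e.g. /dev/sdb), which is what keeps the source unaltered.
acquire_image() {
    src="$1"; img="$2"
    # conv=noerror,sync: keep going past unreadable sectors and pad them with
    # zeros so every later offset in the image still matches the source.
    # bs must divide the source size (512 for a disk); otherwise the padding
    # from conv=sync changes the last block and the hashes will not match.
    # dd's own record counts on stderr are kept as part of the record.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2> "$img.dd.log"
    src_hash="$(sha256_of "$src")"
    img_hash="$(sha256_of "$img")"
    ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf '%s\t%s\t%s\n' "$ts" "$src" "$src_hash" >> "$img.manifest"
    printf '%s\t%s\t%s\n' "$ts" "$img" "$img_hash" >> "$img.manifest"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "VERIFIED $img_hash"
        return 0
    fi
    echo "MISMATCH source=$src_hash image=$img_hash" >&2
    return 1
}

# verify_image <image>: re-hash the image and compare with the hash recorded
# at acquisition time; any change to the image since then fails this check.
verify_image() {
    img="$1"
    recorded="$(awk -F'\t' -v f="$img" '$2 == f { h = $3 } END { print h }' "$img.manifest")"
    if [ -n "$recorded" ] && [ "$(sha256_of "$img")" = "$recorded" ]; then
        return 0
    fi
    return 1
}

# Usage with a constructed 4096-byte sample standing in for a device:
#   yes "constructed sample sector data" | head -c 4096 > evidence.bin
#   acquire_image evidence.bin evidence.img   # VERIFIED <sha256>
#   verify_image evidence.img                 # exit 0 until the image changes
```

The manifest and the dd log are the pieces that go into the chain-of-custody record: the hash pair shows the image matched the source at acquisition time, and re-running verify_image before analysis shows nothing has changed since.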
Order of Volatility (most to least volatile, as listed in RFC 3227)
● CPU registers and cache memory
● System memory (RAM), routing tables, ARP caches, process table, temporary swap files
● Data on persistent mass storage
● Remote logging and monitoring data
● Physical configuration and network topology
● Archival data
WARNING: Some Windows registry keys, like HKLM\HARDWARE, exist only in memory (they are built at boot and never written to disk)
and require a memory dump to analyse
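An added example (not from the original notes) of a Linux collection script that walks the list above from most to least volatile, records each step in sequence with a timestamp and a SHA-256 hash of its output, and logs a step whose tool is missing as skipped rather than reordering the steps. A full RAM image (for instance with a kernel-module tool such as LiME) would be taken before these steps and the disk image after them; both are outside this script. The step names, the manifest layout and the tool fallbacks are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: collect volatile state in
# order of volatility on a Linux host, recording every step in a manifest.
# Step names, the manifest layout and the tool fallbacks are assumptions.
set -eu

# sha256 of a file; sha256sum on Linux, shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the first of the given tools that is installed (nothing if none).
pick() {
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 && { echo "$c"; return 0; }
    done
    return 0
}

# step <seq> <name> <command>: run the command, save its output, hash it,
# and append a manifest line. A missing tool is recorded as SKIPPED rather
# than silently dropped, so the sequence actually followed is documented.
step() {
    seq="$1"; name="$2"; cmd="$3"
    tool="${cmd%% *}"
    out="$OUTDIR/${seq}_${name}.txt"
    ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    if command -v "$tool" >/dev/null 2>&1; then
        # Errors are kept (2>&1); partial output is still evidence.
        sh -c "$cmd" > "$out" 2>&1 || true
        printf '%s\t%s\tCOLLECTED\t%s\t%s\n' "$seq" "$name" "$(sha256_of "$out")" "$ts" \
            >> "$OUTDIR/manifest.tsv"
    else
        printf '%s\t%s\tSKIPPED(no %s)\t-\t%s\n' "$seq" "$name" "$tool" "$ts" \
            >> "$OUTDIR/manifest.tsv"
    fi
}

# collect_volatile <dir>: RAM-resident state first (process table, network
# state, ARP cache, routes), then items that change more slowly. A memory
# image would precede all of these; the disk image comes after them.
collect_volatile() {
    OUTDIR="$1"; mkdir -p "$OUTDIR"; : > "$OUTDIR/manifest.tsv"
    net="$(pick ss netstat)"
    step 01 system_time         "date -u"
    step 02 process_table       "ps aux"
    step 03 network_connections "${net:-ss} -tunap"
    if command -v ip >/dev/null 2>&1; then
        step 04 arp_cache       "ip neigh"
        step 05 routing_table   "ip route"
    else
        step 04 arp_cache       "arp -an"
        step 05 routing_table   "netstat -rn"
    fi
    step 06 logged_in_users     "who"
    step 07 mounted_filesystems "mount"
    step 08 kernel_modules      "lsmod"
}

# manifest_ok <dir>: re-hash every collected file against the manifest;
# returns non-zero if any output has been modified since collection.
manifest_ok() {
    dir="$1"; bad=0
    while IFS="$(printf '\t')" read -r seq name status hash ts; do
        [ "$status" = "COLLECTED" ] || continue
        f="$dir/${seq}_${name}.txt"
        [ "$(sha256_of "$f")" = "$hash" ] || { echo "MODIFIED: $f" >&2; bad=1; }
    done < "$dir/manifest.tsv"
    return "$bad"
}

# Usage: collect_volatile /mnt/evidence/host01 && manifest_ok /mnt/evidence/host01
```

Writing to a separate mounted evidence volume rather than the suspect disk matters here: every file this script creates on the host's own filesystem overwrites unallocated space that the later disk image might otherwise have recovered.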