ITPro.TV: CompTIA Security+ (SY0-601)

CompTIA Security+ Exam Cram

Today’s reading is Chapter 30 from the Security+ Exam Cram, “Digital Forensics”.

Order of Volatility

The idea here is to gather evidence from the most volatile storage (CPU registers and cache, then RAM) to the least volatile (generally backups or off-system logs). Prioritize imaging/copying/investigating storage so that you run the minimum risk of losing information: anything in memory is gone at power-off, and even looking at a live system changes its state, so capture the volatile stuff first and hash whatever you capture.

First-line information:

Typical order of volatility:

I’m guessing that external logs probably sit between removable rewritable storage and removable write-once storage.

Chain of Custody

Basically, log all the things: time, date, action, people involved, and where the evidence was at each step. Include thought processes and inferences, since you may have to justify every decision later (in court, if it comes to that). Properties:

Investigative steps:
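
As an added example (not from the Exam Cram or these notes), a minimal chain-of-custody record in Python. Each entry carries the time, handler, action, location and reasoning the notes call for, and the evidence bytes are fingerprinted with SHA-256 at acquisition so any later handler can prove nothing changed. The `custody_gaps()` check flags any point where the evidence changed hands without a logged transfer. Hashing the image is standard forensic practice but goes beyond what the reading above says; the evidence ID, names and the sample "memory image" bytes are constructed.

```python
"""Chain-of-custody record with evidence hashing.

Added example for these notes, not code from the Exam Cram. Each custody
entry records time, handler, action, location and reasoning; the evidence
bytes are fingerprinted with SHA-256 at acquisition so any later handler can
prove the image is unchanged. Names, IDs and the sample image are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


@dataclass
class CustodyEntry:
    timestamp: str       # ISO 8601, UTC
    handler: str         # who performed the action
    action: str          # acquired / transferred / analysed / stored ...
    location: str        # where the evidence is after the action
    notes: str = ""      # reasoning, inferences, tool and version used
    recipient: str = ""  # for 'transferred': who took possession


@dataclass
class EvidenceRecord:
    evidence_id: str
    description: str
    sha256: str          # fingerprint taken at acquisition
    custody: list = field(default_factory=list)

    def log(self, handler, action, location, notes="", recipient="", when=None):
        """Append one custody entry; timestamp defaults to now (UTC)."""
        ts = (when or datetime.now(timezone.utc)).isoformat()
        self.custody.append(CustodyEntry(ts, handler, action, location, notes, recipient))

    def verify(self, data: bytes) -> bool:
        """True if the bytes still match the acquisition hash."""
        return hashlib.sha256(data).hexdigest() == self.sha256

    def custody_gaps(self):
        """Indices of entries where the evidence changed hands unlogged.

        The holder after a 'transferred' entry is its recipient; after any
        other entry it is that entry's handler. A transfer with no recipient
        recorded also breaks the chain, since nobody is then the holder.
        """
        gaps, holder = [], None
        for i, entry in enumerate(self.custody):
            if holder is not None and entry.handler != holder:
                gaps.append(i)
            holder = entry.recipient if entry.action == "transferred" else entry.handler
        return gaps

    def to_json(self) -> str:
        """Serialise the whole record (hash plus custody log) for the case file."""
        return json.dumps(asdict(self), indent=2)


def acquire(evidence_id, description, data, handler, location, notes="", when=None):
    """Create the record and its first custody entry in one step, so the
    hash and the 'acquired' entry are never separated."""
    record = EvidenceRecord(evidence_id, description, hashlib.sha256(data).hexdigest())
    record.log(handler, "acquired", location, notes, when=when)
    return record


# Constructed sample standing in for a memory image captured during triage.
SAMPLE_IMAGE = b"\x00" * 16 + b"constructed memory dump contents" + b"\xff" * 16


def demo():
    """Acquire, hand over, store: a clean chain with no gaps (constructed names)."""
    rec = acquire("EV-001", "Memory image of workstation WS-17 (constructed)",
                  SAMPLE_IMAGE, handler="A. Analyst", location="on site, WS-17",
                  notes="Captured before shutdown per order of volatility.")
    rec.log("A. Analyst", "transferred", "evidence locker", "Sealed in bag #12",
            recipient="B. Custodian")
    rec.log("B. Custodian", "stored", "evidence locker, shelf 3")
    return rec


if __name__ == "__main__":
    rec = demo()
    print(rec.to_json())
    print("image intact:", rec.verify(SAMPLE_IMAGE))
    print("custody gaps:", rec.custody_gaps())
```

The hash is what makes the log worth anything: without it, the entries only show who claims to have held the image, not that the image they held is the one on the shelf now. Run it as-is to see a clean chain; add an entry with a handler who was never the recipient of a transfer and `custody_gaps()` points at it.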

Data Acquisition