Security+ Domain 5.0: Risk Management: Chapter 24

Chapter 24: Digital Forensics

Capturing Evidence

You have two major concerns:

      1. Capturing the right evidence before it disappears
      2. Keeping evidence valid and admissible

Order of Volatility

      1. CPU, cache and registers
      2. Routing tables, ARP cache, process tables, kernel statistics
      3. Live network connections, data flows
      4. RAM
      5. Swap and page files, and /temp and /tmp folders
      6. Hard disk
      7. Remote logs
      8. Backups

Critical but not on CompTIA’s list:

Create forensic copies of digital evidence, take hashes and digitally sign.

Not for the test, but for real life, you should  know about the SIFT forensic Linux distribution from SANS:

The SANS DFIR channel on Youtube:

Here’s a simple, clear and soundless walkthrough of how DumpIt and Volatility work:

Here’s an example in greater detail, with a narrator, thanks:

And here’s a badass example of a forensics challenge:

Chain of Custody (is God)

Have a record-keeping system

    1. Log the item itself
    2. Log date, time and collector’s name
    3. Description
    4. Box and tag physical evidence
    5. Hashes of all digital evidence
    6. Secure transport to storage
    7. Signature of evidence storage officer
    8. Control for access and compromise while stored
    9. Secure transport to court

Legal Hold

You can’t destroy evidence.

Data Acquisition: Admissible in Court

Log the crap out of evidence.

      • Who collected it
      • How
      • Where
      • Who has had possession
      • How was it protected and stored
      • When was it removed from storage, by whom, and why

Capture System Images

This requires a write-blocked access device.

Capture Network Traffic and Logs

Wireshark is the de facto and de jure standard for evidence.

Get firewall and IDS logs.

Capture Video


IP cameras


Record Time Offset

NTP and the timeserver

Take Hashes of Everything

SHA-2 or better


Both captured on the system and from a camera

Witness Interviews

Preserving Evidence

Chain of Custody


Forensic copies

Recovery Procedures

Strategic Intelligence / Counterintelligence