Certified Cybersecurity Technician Computer Forensics PDF
This document covers the module flow and evidence management in computer forensics. It details procedures for handling, documenting, and securing evidence, as well as chain of custody procedures. It is part of a cybersecurity training course.
Certified Cybersecurity Technician Exam 212-82 Computer Forensics

Module Flow (figure): Understand the Fundamentals of Computer Forensics; Understand Digital Evidence; Identify the Roles and Responsibilities of a Forensic Investigator; Understand the Forensic Investigation Process and its Importance; Discuss Various Forensic Investigation Phases; Digital Evidence Sources to Support Forensic Investigation; Collecting the Evidence; Securing the Evidence; Performing Evidence Analysis.

Securing the Evidence

Understanding the importance of securing the evidence is essential, as forensic evidence is fragile and can be altered, damaged, or destroyed by improper handling or examination. It is essential to safeguard the integrity of the evidence and render it acceptable in a court of law. This section discusses evidence management, the chain of custody, a simple format of the chain of custody document, and the chain of custody form. It also outlines the evidence bag contents list. It then discusses how the packaging, transporting, and storing of electronic evidence must be performed in a secure manner.

Module 20 Page 2255 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Evidence Management

Evidence management helps in effectively protecting the true state of the evidence. This is achieved by the proper handling and documentation of the evidence. At the time of evidence transfer, both sender and receiver are required to provide information about the date and time of the transfer in a chain of custody record. The procedures used to protect the evidence and document it while collecting and shipping are as follows:

- The logbook of the project, to record observations related to the evidence
- A tag to uniquely identify any evidence
- A chain of custody record
Chain of Custody

Chain of custody is a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory. It is a roadmap that shows how first responders and investigators collected, analyzed, and preserved the evidence. The first responders/investigators need to present this document in court. It ensures accurate auditing of the original data evidence, imaging of the source media, tracking of the logs, and so on. The chain of custody shows the technology used and the methodology adopted in the forensic phases, as well as the persons involved in it. The chain of custody administers the collection, handling, storage, testing, and disposition of evidence. It helps to ensure the protection of evidence against tampering or substitution. Chain of custody documentation should list all the people involved in the collection and preservation of evidence and their actions, with a stamp for each activity.
The chain of custody form should identify:

- Sample collector
- Sample description, type, and number
- Sampling data and location
- Any custodians of the sample

Submission of digital evidence in court requires a multi-dimensional approach. From this point of view, the chain of custody assumes significance. The investigator needs to document each step taken during the period of collecting the evidence. Moreover, the document should also include detailed notes of the procedures performed on the evidence. It is crucial that the first responders clarify the source, date of recovery, method of recovery, and nature of the digital evidence. Any individual possessing a piece of evidence must handle it in a manner such that it is capable of standing legal scrutiny in case of an evidence tampering claim.

The chain of custody document contains all the information about the obtained evidence, which includes the following:

- Case number: a unique number allocated by the forensics laboratory or agency to the crime case.
- Name and title from whom received: information about the individual releasing or forwarding the evidence item to inquiry personnel.
- Address and telephone number: the complete address and telephone number of the individuals who handled the electronic evidence.
- Location of the evidence: the physical location of the evidence during its extraction or acquisition.
- Date/time of evidence: the date and time of acquiring the evidence.
- Reason and process of obtaining the evidence: why the first responders obtained the evidence item and the process they followed for acquiring it.
- Item number/quantity/description of items: the complete information about the obtained evidence, such as:
  - Name of the evidence
  - Color
  - Manufacturing company name
  - Marking information
  - Packaging information
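As an added example (not from the EC-Council module), the following Python sketch records a chain of custody using the fields above and the rule from the Evidence Management section that every transfer records both sender and receiver with the date and time. The sample collector is assumed to be the first custodian, and the hash linking of each transfer entry to the previous one is an added tamper-evidence technique, not something the module describes.

```python
import hashlib
import json
from datetime import datetime

def _digest(payload: dict, prev_hash: str) -> str:
    """Hash a record together with the previous entry's hash (added hash chaining)."""
    body = json.dumps(payload, sort_keys=True) + prev_hash
    return hashlib.sha256(body.encode()).hexdigest()

class ChainOfCustody:
    """Chain-of-custody record built from the fields listed in the module."""

    def __init__(self, case_number, item_number, description, location, collector, reason):
        self.header = {
            "case_number": case_number,          # allocated by the lab/agency
            "item_number": item_number,
            "description": description,          # name, color, manufacturer, markings...
            "location_obtained": location,
            "sample_collector": collector,       # assumed to be the first custodian
            "reason_and_process": reason,
        }
        self.entries = []  # one entry per transfer, each linked to the previous one

    def transfer(self, sender, receiver, when, purpose):
        """Record a hand-over: both parties and the ISO-8601 date/time of the transfer."""
        datetime.fromisoformat(when)  # reject malformed timestamps at entry time
        entry = {"from": sender, "to": receiver, "datetime": when, "purpose": purpose}
        prev = self.entries[-1]["hash"] if self.entries else _digest(self.header, "")
        entry["hash"] = _digest(entry, prev)  # computed before the hash key exists
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return a list of problems found; an empty list means the record is consistent."""
        problems = []
        prev = _digest(self.header, "")
        holder = self.header["sample_collector"]
        last_time = None
        for i, e in enumerate(self.entries):
            fields = {k: v for k, v in e.items() if k != "hash"}
            if _digest(fields, prev) != e["hash"]:
                problems.append(f"entry {i}: hash mismatch, record altered after signing")
            if e["from"] != holder:
                problems.append(f"entry {i}: sender {e['from']!r} is not the custodian {holder!r}")
            t = datetime.fromisoformat(e["datetime"])
            if last_time is not None and t < last_time:
                problems.append(f"entry {i}: transfer dated before the previous transfer")
            prev, holder, last_time = e["hash"], e["to"], t
        return problems
```

verify() flags a gap in custody (a sender who was not the last recorded receiver), a transfer dated before the previous one, and any entry edited after it was recorded.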