Identify and Preserve Forensics Evidence

Learning Objectives

After completing this unit, you’ll be able to:

  • Verify that a cyber event occurred.
  • Describe how to safely identify, collect, and recover evidence.
  • List steps to secure evidence from alteration or misuse.

Detect Cyber Events

Now that you know how to prepare for cyber defense forensics analysis, you probably want to know how to identify and preserve evidence when a cyber event or incident occurs. As a cyber defense forensics analyst, you may recover data from a crashed server or failed drive. Or you may aim to collect, preserve, and analyze computer-related evidence used during a computer crime for investigative purposes. You secure tamper-proof access to electronic devices, systems, and network equipment that may hold digital evidence related to an investigation. You help detect cyber events by coordinating with intelligence analysts and incident responders to correlate threat assessment data. This includes:

  • Reviewing logs, alerts, and error messages of impacted areas within the information technology (IT) infrastructure of your organization that correlate with a suspected incident.
  • Comparing post-incident events and logs against your organization’s baseline for any deviations.
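The second bullet, comparing post-incident logs against a baseline, is easy to state and easy to do badly. The following is an added example, not code from the page or from Trailhead, showing one simple way to do it: reduce each log line to the fields that actually describe behaviour (host, program, principal, action), learn the set of such events from a known-good period, and report anything in the review window that never appeared before. Both log samples are constructed for the example; the line formats imitate common syslog output but are assumptions, not an output format defined by the page.

```python
import re
from typing import NamedTuple, Optional


class Event(NamedTuple):
    """Normalised view of one log line: who did what, where (timestamps and PIDs dropped)."""
    host: str
    program: str
    principal: Optional[str]
    detail: Optional[str]


# Constructed sample syslog-style lines (not taken from the page).
# BASELINE_LOGS stands in for a known-good period; POST_INCIDENT_LOGS for the window under review.
BASELINE_LOGS = """\
2024-05-01T08:02:11Z host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234
2024-05-01T08:05:40Z host1 sudo: alice : COMMAND=/usr/bin/systemctl restart nginx
2024-05-01T09:10:02Z host1 cron[900]: (root) CMD (/usr/local/bin/backup.sh)
2024-05-02T08:01:55Z host1 sshd[1340]: Accepted publickey for alice from 10.0.0.5 port 51300
2024-05-02T09:10:01Z host1 cron[901]: (root) CMD (/usr/local/bin/backup.sh)
"""

POST_INCIDENT_LOGS = """\
2024-05-09T02:14:07Z host1 sshd[2210]: Accepted password for root from 203.0.113.9 port 44021
2024-05-09T02:15:30Z host1 sudo: root : COMMAND=/usr/bin/chattr +i /var/log/auth.log
2024-05-09T02:16:02Z host1 sudo: root : COMMAND=/bin/rm /var/log/wtmp
2024-05-09T08:02:13Z host1 sshd[2250]: Accepted publickey for alice from 10.0.0.5 port 51410
2024-05-09T09:10:01Z host1 cron[2300]: (root) CMD (/usr/local/bin/backup.sh)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[A-Za-z_]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*?COMMAND=(?P<cmd>\S+)")
CRON_RE = re.compile(r"^\((?P<user>\S+)\) CMD \((?P<cmd>[^)]+)\)")


def parse_event(line: str) -> Optional[Event]:
    """Reduce a raw line to the fields that matter for baseline comparison; None if it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, prog, msg = m["host"], m["prog"], m["msg"]
    if prog == "sshd":
        s = SSH_RE.search(msg)
        if s:
            return Event(host, prog, s["user"], f"{s['method']} from {s['src']}")
    elif prog == "sudo":
        s = SUDO_RE.match(msg)
        if s:
            return Event(host, prog, s["user"], s["cmd"])
    elif prog == "cron":
        s = CRON_RE.match(msg)
        if s:
            return Event(host, prog, s["user"], s["cmd"])
    # Unknown program or message shape: keep host/program so the line can still be compared.
    return Event(host, prog, None, None)


def build_baseline(text: str) -> set:
    """The set of distinct behaviours seen during the known-good period."""
    return {e for e in map(parse_event, text.splitlines()) if e is not None}


def find_deviations(baseline: set, text: str) -> list:
    """Return (line, event) pairs from the review window that never appeared in the baseline."""
    out = []
    for line in text.splitlines():
        e = parse_event(line)
        if e is not None and e not in baseline:
            out.append((line, e))
    return out


if __name__ == "__main__":
    for line, e in find_deviations(build_baseline(BASELINE_LOGS), POST_INCIDENT_LOGS):
        print(f"DEVIATION {e.program}/{e.principal}: {e.detail}\n    {line}")
```

Run against the samples, the three early-morning root events are reported and the routine alice login and backup job are not. The point of the normalisation step is that a baseline of raw lines would never match (every line has a fresh timestamp and PID), while a baseline that is too coarse (program name only) would hide the root login behind the legitimate sshd traffic.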

As a cyber defense forensics analyst, an organization may call upon you to examine digital components of a computing system to determine if illegal actions or security violations have taken place. Your tasks may take the form of supporting incident responders in identifying cyber incidents and determining their scope, as well as identifying potential sources of relevant evidence. In completing these steps, you execute the digital forensics investigation process with clear communication to the incident response team (IRT). 

Collect and Recover Evidence

Cybercriminals often use techniques to hide evidence of a cybercrime, including renaming files and folders, deleting logs, or modifying file attributes. As a result, one challenge of cyber defense forensics is to collect relevant evidence properly while complying with evidence collection and preservation laws.

As a cyber defense forensics analyst, you gather evidence at various points during your investigation. There are two main rules that govern evidence:

  • Admissibility of evidence: Whether the evidence is usable in court
  • Weight of evidence: Whether the evidence is high-quality and complete

Finding the Needle in the Haystack

Computer data that is relevant to a security breach or criminal action is often intermixed with standard benign data from business functions and personal activities. When collecting evidence during a cyber incident investigation, you preserve the integrity of the relevant data. If the organization you work for intends to bring criminal charges against a suspect, or is considering whether to, seek guidance from legal counsel or law enforcement on the need for a warrant for seizing and handling digital evidence. In a typical office setting, a warrant is likely not required provided the organization has the appropriate policies in place, such as “no reasonable expectation of privacy.” It’s best to consult with your legal team if you have any concerns.

Note

In the United States, the Fourth Amendment protects people from warrantless searches of places, or seizures of persons or objects, in which they have a subjective expectation of privacy that society deems reasonable. However, most organizations have in place a policy that employees or customers have “no reasonable expectation of privacy” when using the organization’s IT resources. This means that in an investigation of misuse of organizational IT resources, a warrant is usually not required.

Using Forensically Sound Collection Techniques

Evidence, whether it’s physical or digital, must be legally obtained. In digital evidence collection, it’s important to use forensically sound techniques and tools. As a basic rule when arriving at a potential evidence scene, if a computer is on, leave it alone. Rebooting or turning it off can erase or modify evidence. Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence from live, running systems.

For all evidence analysis, create a forensically sound copy of the device and ensure that the original is not modified. This often involves physically isolating the device under investigation to prevent accidental contamination or tampering. Exercise care when making the digital copy (forensic image) of the device in question, record a cryptographic hash of the image at acquisition time so that you can later show it has not changed, and lock the original in a secure storage facility or safe. Conduct your examination only on the digital copy.

Throughout this entire process, document every step you take, no matter how big or small. This documentation helps you establish what happened at the scene of the computer crime and identify the responsible person. The ability to recognize and properly collect digital evidence is often critical to both solving and prosecuting crimes.

Secure Evidence from Alteration or Misuse

In your role as a cyber defense forensics analyst, you protect and document all relevant information about the evidence: how it was collected, by whom, and when. If you plan to present this evidence in a court of law, the evidence must be competent (relevant), authenticated (genuine), and material (important to prove a case). Also, the evidence must not be altered or accessed in any way that compromises its integrity. You make sure of this by maintaining a chain of custody and keeping detailed written logs of every action taken during the investigation. This detailed log should include:

  • Identifying information of the system under investigation
    • Serial numbers
    • Model numbers
    • Hostname
    • Media access control (MAC) addresses
    • IP addresses
  • Date, time, and time zone
    • Basic input output system (BIOS) clock
    • Operating system (OS) clock
  • Name, title, and phone number of everyone who handled the evidence during the investigation, including the time, date, and time zone in which they accessed it
  • Locations where the evidence was stored
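The forensic-image rule above (examine only a copy, keep the original unmodified) and this chain-of-custody checklist come together in a single record. The following is an added example, not code from the page or from Trailhead: it hashes an acquired image in chunks, stores that hash alongside the identifying fields the list asks for, appends custody entries that must carry a time zone, and re-hashes the image on demand to prove it has not been altered. The image content, the identifiers, the names, and the clock readings are all constructed placeholders; the field names and the JSON layout are this example’s own choices, not a format the page prescribes.

```python
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class CustodyEntry:
    handler: str      # name of the person who touched the evidence
    title: str
    phone: str
    action: str       # e.g. "acquired image", "moved to evidence safe"
    timestamp: str    # ISO 8601 with an explicit UTC offset
    location: str


@dataclass
class EvidenceRecord:
    evidence_id: str
    hostname: str
    serial_number: str
    model_number: str
    mac_addresses: list
    ip_addresses: list
    os_clock: str       # OS clock reading at seizure, ISO 8601 with offset
    bios_clock: str     # BIOS clock reading at seizure, ISO 8601 with offset
    image_sha256: str = ""
    entries: list = field(default_factory=list)

    def clock_skew_seconds(self) -> float:
        """OS clock minus BIOS clock; needed to place log timestamps on a common timeline."""
        os_t = datetime.fromisoformat(self.os_clock)
        bios_t = datetime.fromisoformat(self.bios_clock)
        return (os_t - bios_t).total_seconds()

    def log(self, handler, title, phone, action, when: datetime, location) -> None:
        """Append a custody entry; naive timestamps are rejected so the time zone is never ambiguous."""
        if when.tzinfo is None:
            raise ValueError("custody timestamps must carry a time zone")
        self.entries.append(CustodyEntry(handler, title, phone, action, when.isoformat(), location))

    def seal(self, image_path: str) -> str:
        """Record the acquisition hash; every later examination is checked against this value."""
        self.image_sha256 = sha256_file(image_path)
        return self.image_sha256

    def verify(self, image_path: str) -> bool:
        """True only if a hash was sealed and the image still matches it."""
        return bool(self.image_sha256) and sha256_file(image_path) == self.image_sha256

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)


def demo():
    """Seal a constructed image, log two custody events, then show that a single changed byte is detected."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "host1_disk0.dd")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample image, not real disk data")

        rec = EvidenceRecord(
            evidence_id="EV-0001",                      # placeholder identifiers throughout
            hostname="host1",
            serial_number="SN-PLACEHOLDER",
            model_number="MODEL-PLACEHOLDER",
            mac_addresses=["00:00:5e:00:53:01"],        # documentation MAC range
            ip_addresses=["192.0.2.10"],                # documentation IP range
            os_clock="2024-05-09T02:30:00+00:00",
            bios_clock="2024-05-09T02:28:00+00:00",
        )
        rec.seal(image)
        rec.log("A. Analyst", "Forensics Analyst", "555-0100", "acquired image",
                datetime(2024, 5, 9, 2, 45, tzinfo=timezone.utc), "Server room B")
        rec.log("B. Custodian", "Evidence Custodian", "555-0101", "moved original to evidence safe",
                datetime(2024, 5, 9, 3, 10, tzinfo=timezone.utc), "Evidence safe 2")

        intact_before = rec.verify(image)
        with open(image, "r+b") as f:        # simulate an accidental modification of the copy
            f.seek(100)
            f.write(b"\x01")
        intact_after = rec.verify(image)
        return intact_before, intact_after, rec


if __name__ == "__main__":
    before, after, record = demo()
    print(record.to_json())
    print("intact before:", before, "| intact after one-byte change:", after)
```

Two design choices are worth noting. Refusing naive timestamps in `log` is what makes the “time, date, and time zone” item in the checklist enforceable rather than advisory. Recording both clock readings at seizure, and exposing the skew, lets you reconcile BIOS-stamped and OS-stamped artifacts later without guessing.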

(Image: a sealed bag containing evidence, labeled with a chain-of-custody table.)

Sum It Up

Great work! Now that you understand how to safely identify and preserve evidence during a cyber defense forensics investigation, it’s time to explore how to analyze and document data. Let’s go!
