🗳 Evidence Collection And Preservation

📘 Manual

TODO: Move this to methodology. Each OS and system type will have a separate section (see below).

🧼 Media Sterilisation

Before copying evidence or making a disk image, sterilise the target media so that any data already present on that disk cannot contaminate or be confused with the evidence data.

🧰 Acquisition Toolkit

If the system is running, capture its memory first; this should be the first task, because every later collection step risks overwriting (stomping on) memory contents.

โ›…๏ธ AWS Evidence Collection

Are there any shadow cloud accounts? They could be the first place to look when investigating.

๐ŸŽ iOS Evidence Collection

General Considerations. First of all, all Apple devices support remote wiping, which has evolved significantly over the years and now supports Bluetooth.

๐Ÿ Mac Evidence Collection

Order. The order for collecting digital evidence on macOS and Linux-based systems during a forensic investigation is similar to that of Windows systems.

๐Ÿง Linux Evidence Collection

File Systems: EXT2, EXT3, EXT4, ReiserFS, XFS, JFS, Btrfs. Logical Backup: does not copy everything; it omits slack space, free space and deleted files.

🤖 Android Evidence Collection

File System. Logical Backup: does not copy everything; it omits slack space, free space and deleted files.

🪟 Windows Evidence Collection

Stacking: outlier analysis based on frequency. File Systems: FAT12, FAT32, exFAT (FAT64), NTFS, ReFS. Logical Backup: does not copy everything; it omits slack space, free space and deleted files.

Collecting Containers

Containers are, by their nature, highly volatile. This property of containers runs contrary to the fundamental forensics need to preserve evidence.