From the course: Incident Response: Evidence Collection in Windows
Evidence collection
- [Instructor] As part of our incident response efforts, we are going to be gathering evidence. That's what this whole class is about. Now, if the evidence we're gathering is just for our own internal use within our company, then we don't need to follow the federal rules of evidence because these won't apply. But if your organization is involving law enforcement, you're going to have to understand the rules of evidence and be able to collect that evidence appropriately. Otherwise, it may not be allowed to be used in legal proceedings. This means we need to keep a chain of custody. A chain of custody is going to document who collected, controlled, and secured the evidence from a given incident. Without a proper chain of custody, the evidence collected would simply not be allowed to be used in a court of law. If your organization is going to be seeking criminal charges, maintaining the proper chain of custody is very…
Contents
- Evidence collection (2m 12s)
- Volatile and nonvolatile data (5m 45s)
- Acquiring a memory image in Windows (2m 24s)
- Acquiring a memory image in Windows in DumpIt (2m 8s)
- Using CryptCat and Tee (3m 51s)
- Collecting the date/time of the victim (2m 42s)
- Documenting the logged on users (1m 22s)
- Documenting open network connections (3m 11s)
- Documenting the running processes (2m 24s)
- Documenting any shared files (1m 11s)