Chapter 3 L1

The document outlines the types of digital evidence, categorizing them into volatile and non-volatile evidence, and emphasizes the importance of collecting volatile data first. It details potential sources of evidence, including user-created files, devices, and the order of evidence collection based on volatility. Additionally, it discusses data integrity, preservation techniques, and the significance of maintaining a chain of custody to ensure the credibility of the evidence.

Uploaded by

Sonic El Rey

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

9 views2 pages

Chapter 3 L1

Uploaded by

Sonic El Rey

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

Chapter 3 L1: 1.

Types of Digital Evidence

Digital evidence exists in two primary forms:

1. Volatile Evidence
o Definition: Data lost when the device is powered off or if a process is interrupted.
o Examples:
▪ Process information / Process-to-port mapping
▪ Logged-on user sessions
▪ Network connections / Ports in use
▪ Clipboard contents
▪ Command history
▪ Data stored in RAM (dynamic and easily overwritten)
2. Non-Volatile Evidence
o Definition: Data retained even when a system is powered down.
o Examples:
▪ Stored on hard disks, memory cards, USB drives
▪ Hidden files, slack space, swap files, unused/hidden partitions
▪ Registry settings, event logs

Key Point: Investigators typically collect volatile data first (RAM, running processes) because it
disappears quickly if the system shuts down.

2. Potential Sources of Evidence

Digital evidence isn’t limited to computers alone. Investigators should consider a variety of files
and devices that may contain critical clues.
A. Files

• User-Created Files: Documents, spreadsheets, images, database files,

bookmarks/favorites.
• User-Protected Files:
o Misnamed or hidden to evade detection.
o Encrypted (password-protected) or obfuscated using steganography.
• Computer-Created Files:
o Log files, backup files, config files, system or event logs, printer spool files,
temporary files, swap files.
B. Devices

• Hard Drive: Active/latent data, operating system files.

• RAM: Live processes, running applications, open ports (volatile).
• Network Devices (NIC, router, hub, switch): MAC addresses, logs, routing tables.
• Peripheral Devices
o Printers, Copiers: Usage logs, date/time stamps, possibly cached documents.
o GPS units: Previous locations, routes, timestamps.
o Credit Card Skimmers: Captured credit card data, user info.
o Biometric Scanners: Stored authentication/authorization details.
o Answering Machines: Voice recordings, last-called numbers.

Tip: Even seemingly mundane equipment (like a printer or phone) may store logs or cached data
that serve as key evidence.
3. Evidence Collection Order
Guidelines from the Internet Engineering Task Force (IETF, RFC 3227) emphasize:

• Collect data by volatility—the most volatile first, the least volatile last.
• Example Order:
1. CPU registers & caches
2. Routing/ARP cache, process tables, RAM
3. Temporary file systems
4. Non-volatile media (hard disks, removable drives)
5. Remote logging & monitoring data
6. Physical interconnections
7. Archival/backups

Other Considerations:

• Know which systems the data is from.

• Identify who has access, permission levels, and relevant configurations.

4. Data Integrity & Preservation

1. Avoid altering original evidence
o Accessing files directly from the original disk can change timestamps or
metadata.
o Solution: Work on copies made via bit-level imaging (forensic clone).
2. Forensic Clone (Bit-stream image)
o Captures every bit on the disk, including deleted but not-yet-overwritten data.
o Contrasts with simple “copy-and-paste,” which ignores latent space and hidden
partitions.
3. Documentation
o Record how the copy was created and any tools used.
o Preserve the original disk in its untouched condition (archive).

Goal: Any changes to the evidence must be detectable and the process must be repeatable and
verifiable.

5. Chain of Custody
Maintains the credibility of evidence by documenting:

1. Who discovered and collected the evidence.

2. When, where, and how it was collected.
3. Who took responsibility for it at each stage (transfers, storage).
4. Ensuring restricted access—only authorized personnel handle the evidence.

Evidence Collection and Data Seizure Guide
No ratings yet
Evidence Collection and Data Seizure Guide
28 pages
Understanding Evidence in Legal Cases
No ratings yet
Understanding Evidence in Legal Cases
9 pages
Digital Evidence Collection Procedures
No ratings yet
Digital Evidence Collection Procedures
11 pages
Digital Evidence Handling Phases Explained
No ratings yet
Digital Evidence Handling Phases Explained
3 pages
Understanding Volatile vs Non-Volatile Evidence
No ratings yet
Understanding Volatile vs Non-Volatile Evidence
27 pages
Digital Evidence Collection Guidelines
No ratings yet
Digital Evidence Collection Guidelines
35 pages
Digital Forensics: Evidence Collection & Analysis
No ratings yet
Digital Forensics: Evidence Collection & Analysis
57 pages
Evidence Collection and Seizure Methods
100% (1)
Evidence Collection and Seizure Methods
15 pages
Digital Forensics Life Cycle Overview
No ratings yet
Digital Forensics Life Cycle Overview
34 pages
Order of Volatility in Forensic Evidence
No ratings yet
Order of Volatility in Forensic Evidence
14 pages
Electronic Eviden 9S: (Digital Evidenres)
No ratings yet
Electronic Eviden 9S: (Digital Evidenres)
39 pages
Digital Evidence Collection Guide
No ratings yet
Digital Evidence Collection Guide
30 pages
Digital Evidence Collection Guide
No ratings yet
Digital Evidence Collection Guide
6 pages
CF Notes
No ratings yet
CF Notes
12 pages
Cybercrime and Digital Forensics Overview
No ratings yet
Cybercrime and Digital Forensics Overview
60 pages
Week-8-Lecture-40-Digital Evidence Preservation & Chain of Custody
No ratings yet
Week-8-Lecture-40-Digital Evidence Preservation & Chain of Custody
24 pages
Cyber Forensics: Definition & Importance
No ratings yet
Cyber Forensics: Definition & Importance
13 pages
Digital Forensics: Evidence Management Steps
No ratings yet
Digital Forensics: Evidence Management Steps
17 pages
Digital Forensics Evidence Collection Guide
No ratings yet
Digital Forensics Evidence Collection Guide
3 pages
Information Security Revision
No ratings yet
Information Security Revision
13 pages
Unit 7 Module7 ElectronicEvidenceCollection
No ratings yet
Unit 7 Module7 ElectronicEvidenceCollection
9 pages
CSDF Unit 4
No ratings yet
CSDF Unit 4
8 pages
Computer Forensics and Biometrics
No ratings yet
Computer Forensics and Biometrics
9 pages
CISSP Domain 7: Security Operations Guide
No ratings yet
CISSP Domain 7: Security Operations Guide
39 pages
Digital Evidence in Forensic Investigations
No ratings yet
Digital Evidence in Forensic Investigations
41 pages
Evidence Collection and Data Seizure Guide
No ratings yet
Evidence Collection and Data Seizure Guide
5 pages
Digital Forensics Life Cycle Explained
No ratings yet
Digital Forensics Life Cycle Explained
6 pages
Reasons To Collect Evidence: Example
No ratings yet
Reasons To Collect Evidence: Example
59 pages
Print
No ratings yet
Print
3 pages
Digital Evidence Management Essentials
No ratings yet
Digital Evidence Management Essentials
57 pages
Digital Evidence Collection Steps Guide
No ratings yet
Digital Evidence Collection Steps Guide
25 pages
Cyber Forensics: Evidence Collection Guide
No ratings yet
Cyber Forensics: Evidence Collection Guide
264 pages
2 - 10 - Forensic-Concepts
No ratings yet
2 - 10 - Forensic-Concepts
1 page
Collecting Volatile Evidence First
No ratings yet
Collecting Volatile Evidence First
26 pages
Evidence Acquisition in Digital Forensics
No ratings yet
Evidence Acquisition in Digital Forensics
40 pages
Computer Forensics Methodology Overview
No ratings yet
Computer Forensics Methodology Overview
26 pages
Evidence Collection and Data Seizure
No ratings yet
Evidence Collection and Data Seizure
34 pages
Evidence Collection in Cybersecurity
No ratings yet
Evidence Collection in Cybersecurity
21 pages
Evidence Collection in Cyber Crime
No ratings yet
Evidence Collection in Cyber Crime
66 pages
3.collection, Preservation & Appreciation of Electronic Evidence
No ratings yet
3.collection, Preservation & Appreciation of Electronic Evidence
77 pages
Digital Evidence Collection Procedures
100% (1)
Digital Evidence Collection Procedures
7 pages
Chain of Custody in Digital Forensics
No ratings yet
Chain of Custody in Digital Forensics
45 pages
Digital Forensics: Evidence Collection Guide
No ratings yet
Digital Forensics: Evidence Collection Guide
85 pages
Digital Forensics: Techniques and Processes
No ratings yet
Digital Forensics: Techniques and Processes
33 pages
Introduction to Digital Forensics
No ratings yet
Introduction to Digital Forensics
30 pages
Types and Characteristics of Digital Evidence
100% (1)
Types and Characteristics of Digital Evidence
5 pages
Key Principles of Digital Evidence
No ratings yet
Key Principles of Digital Evidence
26 pages
Data Recovery & Evidence Collection Guide
No ratings yet
Data Recovery & Evidence Collection Guide
16 pages
Computer Forensics Exam Prep Guide
No ratings yet
Computer Forensics Exam Prep Guide
6 pages
Understanding Digital Forensics Essentials
No ratings yet
Understanding Digital Forensics Essentials
40 pages
Digital Evidence Duplication & Preservation
No ratings yet
Digital Evidence Duplication & Preservation
15 pages
Digital Forensics: Evidence Collection & Analysis
No ratings yet
Digital Forensics: Evidence Collection & Analysis
54 pages
Cyber Forensics Notes
No ratings yet
Cyber Forensics Notes
37 pages
Evidence Handling Procedures Guide
No ratings yet
Evidence Handling Procedures Guide
18 pages
Digital Forensics Process
No ratings yet
Digital Forensics Process
26 pages
Digital Evidence Collection and Forensics
No ratings yet
Digital Evidence Collection and Forensics
23 pages
Essential Computer Forensics Services
No ratings yet
Essential Computer Forensics Services
21 pages
CH 2
No ratings yet
CH 2
18 pages
Doc1 Digital Forensics Foundations
No ratings yet
Doc1 Digital Forensics Foundations
6 pages
Overview of Embedded Systems
100% (1)
Overview of Embedded Systems
43 pages
Snowflake Architecture Overview
No ratings yet
Snowflake Architecture Overview
18 pages
Computer Organization & Assembly Language
No ratings yet
Computer Organization & Assembly Language
11 pages
Mutoh SC Manual
No ratings yet
Mutoh SC Manual
120 pages
M.Tech Computer Science Engineering Quiz
No ratings yet
M.Tech Computer Science Engineering Quiz
12 pages
GE-161L ICT Lab-01
No ratings yet
GE-161L ICT Lab-01
29 pages
Cavendish University Computer Architecture Exam
No ratings yet
Cavendish University Computer Architecture Exam
3 pages
Understanding Random Access Memory (RAM)
No ratings yet
Understanding Random Access Memory (RAM)
13 pages
Overview of Computer Peripherals
100% (4)
Overview of Computer Peripherals
18 pages
11th Computer Applications Sura Guide
No ratings yet
11th Computer Applications Sura Guide
70 pages
CSC 104: Hardware System Overview
No ratings yet
CSC 104: Hardware System Overview
84 pages
Technology in Action: Alan Evans Kendall Martin Mary Anne Poatsy Twelfth Edition Global Edition
No ratings yet
Technology in Action: Alan Evans Kendall Martin Mary Anne Poatsy Twelfth Edition Global Edition
31 pages
Network Protocols and Architectures Explained
No ratings yet
Network Protocols and Architectures Explained
4 pages
Core 1 Install Configure Computer Systems
No ratings yet
Core 1 Install Configure Computer Systems
55 pages
AN 730: Nios II Processor Booting Methods in MAX 10 FPGA Devices
No ratings yet
AN 730: Nios II Processor Booting Methods in MAX 10 FPGA Devices
89 pages
SRAM Expansion for 8051 Microcontroller
No ratings yet
SRAM Expansion for 8051 Microcontroller
9 pages
Computer Memory: Types and Differences
No ratings yet
Computer Memory: Types and Differences
5 pages
MegaMatcher ABIS Brochure 2025-08-22
No ratings yet
MegaMatcher ABIS Brochure 2025-08-22
22 pages
Embedded Systems and Raspberry Pi Q&A
No ratings yet
Embedded Systems and Raspberry Pi Q&A
22 pages
GATE Microprocessor Questions & Solutions
No ratings yet
GATE Microprocessor Questions & Solutions
13 pages
Computer Basics Worksheet for CET 2025
No ratings yet
Computer Basics Worksheet for CET 2025
13 pages
Three Types of Computer Software
No ratings yet
Three Types of Computer Software
1 page
A6050 FB503-504
No ratings yet
A6050 FB503-504
132 pages
Computer Abbreviations List
No ratings yet
Computer Abbreviations List
3 pages
Computer Terminology Explained
No ratings yet
Computer Terminology Explained
35 pages
Computer Basics for Beginners
No ratings yet
Computer Basics for Beginners
48 pages
CDA 3103 Final Exam Overview
No ratings yet
CDA 3103 Final Exam Overview
3 pages
Computer System Classification Overview
No ratings yet
Computer System Classification Overview
5 pages
Characteristics and Generations of Computers
No ratings yet
Characteristics and Generations of Computers
17 pages
Internal Memory Structure of 8051
No ratings yet
Internal Memory Structure of 8051
5 pages

Chapter 3 L1

Uploaded by

Chapter 3 L1

Uploaded by

Chapter 3 L1: 1.

Types of Digital Evidence

2. Potential Sources of Evidence

• User-Created Files: Documents, spreadsheets, images, database files,

• Hard Drive: Active/latent data, operating system files.

• Know which systems the data is from.

4. Data Integrity & Preservation

1. Who discovered and collected the evidence.

You might also like