Method To Collect Digital Evidence


There are two basic forms of collection: freezing the scene and honeypotting.
a) Freezing:
  • Freezing the scene means capturing a snapshot of the system in its current state, so that nothing on it changes while you work.
  • Then collect whatever data is important onto removable, non-volatile media, in a standard format.
  • Make sure the programs and utilities used to collect the data are also copied onto the same media as the data, so that the analysis can show exactly which binaries produced it and does not depend on tools left on the compromised host, which the attacker may have replaced.
b) Honeypotting:
  • Honeypotting is the process of creating a replica system and luring the attacker into it so that their activity can be monitored further.
  • It also serves as a trap for the attacker; because deliberately luring someone can raise questions of entrapment, check the legal position before relying on what you collect this way.

COLLECTION STEPS
You now have enough information to build a step-by-step guide for the collection. You should perform the following collection steps:

1. Find the evidence.
  • Determine where the evidence you are looking for is stored. 
  • Use a checklist. Not only does it help you to collect evidence, but it also can be used to double-check that everything you are looking for is there.
2. Find the relevant data.
  • Once you’ve found the evidence, you must figure out what part of it is relevant to the case. 
  • In general, you should err on the side of over-collection, but you must remember that you have to work fast. 
  • Don’t spend hours collecting information that is obviously useless.
3. Create an order of volatility.
  • Now that you know exactly what to gather, work out the best order in which to gather it.
  • The order of volatility for your system is a good guide and minimizes the loss of evidence: collect the most volatile items first, because every command you run and every second that passes changes them, while disks and network diagrams will still be there afterwards.
  • The order of volatility, from most to least volatile (essentially the ordering given in RFC 3227), is:
      Registers and cache
      Routing tables
      ARP cache
      Process table
      Kernel statistics and modules
      Main memory
      Temporary file systems
      Secondary memory (disk)
      Router configuration
      Network topology

4. Remove external avenues of change.
  • It is essential that you avoid alterations to the original data, and prevention is always better than cure.
  • Preventing anyone from tampering with the evidence helps you create as exact an image as possible. However, you have to be careful.
  • The attacker may have been smart and left a dead-man switch, for example a process that wipes data as soon as the network goes away or a particular file is touched, so abruptly disconnecting the machine can itself destroy evidence.
  • In the end, you should do as much as possible to prevent changes, choosing the method (network isolation, write blockers, read-only mounts) that is least likely to trigger such a trap.
5. Collect the evidence.
  • You can now start to collect the evidence, using the appropriate tools for the job.
  • As you go, re-evaluate what you have already collected.
  • You may find that you missed something important; now is the time to make sure you get it.
6. Document everything.
  • Your collection procedures may be questioned later, so it is important that you document everything you do.
  • Timestamps, cryptographic hashes and digital signatures of what you collected, and signed statements from everyone involved are all important.
  • Don't leave anything out.
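As an added example (not code from the original post), the following POSIX shell script ties the freezing procedure above to steps 3 and 6: it walks the order of volatility, writes each artifact to a collection directory (in practice a directory on removable, non-volatile media), copies the utilities it used next to the data, and keeps a timestamped, hashed manifest that can be re-verified later. The artifact names, the command chosen for each volatility level, the file layout and the example path are this example's own assumptions, not something the post specifies; it assumes a GNU/Linux host with procfs and coreutils.

```shell
#!/bin/sh
# Added example, not from the original post: live collection in order of volatility
# into a collection directory (normally on removable, non-volatile media), with the
# collection tools copied alongside the data and a timestamped, hashed manifest.
# Artifact names, commands and file layout are this example's own assumptions.
#
# Deliberately no "set -e": a failing command is itself evidence (its exit status
# is recorded) and must not abort the rest of the collection.

# Ordered artifact list, most volatile first: "<artifact name>|<command>".
# Registers and CPU cache cannot be read from a shell, and a full memory dump
# needs a dedicated tool (e.g. LiME or avml) taken right after the kernel data.
VOLATILITY_ORDER='
00-clock-and-host|date -u +%Y-%m-%dT%H:%M:%SZ; uname -a; hostname; id
01-routing-table|cat /proc/net/route
02-arp-cache|cat /proc/net/arp
03-process-table|ps aux
04-kernel-modules-and-stats|cat /proc/modules /proc/meminfo /proc/loadavg
05-network-sockets|cat /proc/net/tcp /proc/net/udp
06-tmpfs-contents|ls -la /dev/shm /tmp
07-mounts-and-block-devices|cat /proc/mounts /proc/partitions
'

# Utilities the collector relies on; copies go next to the data so the analysis
# can show which binaries produced it (the suspect host's own copies may be trojaned).
COLLECTOR_TOOLS='cat ps ls sha256sum date uname hostname id awk cut'

utc_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# collect_tools DIR: copy each tool found in PATH into DIR/bin, logging misses.
collect_tools() {
    dir=$1
    mkdir -p "$dir/bin"
    for tool in $COLLECTOR_TOOLS; do
        path=$(command -v "$tool" 2>/dev/null) || path=
        if [ -n "$path" ] && [ -f "$path" ] && cp "$path" "$dir/bin/$tool" 2>/dev/null; then
            printf '%s TOOL %s copied from %s\n' "$(utc_now)" "$tool" "$path" >>"$dir/manifest.txt"
        else
            printf '%s TOOL %s not found\n' "$(utc_now)" "$tool" >>"$dir/manifest.txt"
        fi
    done
}

# collect_volatile DIR: run the commands in order, saving output, exit status,
# start time and SHA-256 of each artifact. stdin is /dev/null so no command can
# block waiting for input.
collect_volatile() {
    dir=$1
    mkdir -p "$dir/artifacts"
    printf '%s\n' "$VOLATILITY_ORDER" | while IFS='|' read -r name cmd; do
        if [ -n "$name" ]; then
            out="artifacts/$name.txt"
            started=$(utc_now)
            if sh -c "$cmd" </dev/null >"$dir/$out" 2>&1; then status=0; else status=$?; fi
            hash=$(sha256sum "$dir/$out" | cut -d' ' -f1)
            printf '%s  %s\n' "$hash" "$out" >>"$dir/hashes.sha256"
            printf '%s ARTIFACT %s exit=%s sha256=%s cmd=%s\n' \
                "$started" "$name" "$status" "$hash" "$cmd" >>"$dir/manifest.txt"
        fi
    done
}

# seal_manifest DIR: hash the finished manifest and print the hash, which the
# examiner copies into signed notes (or signs the file, e.g. with gpg).
seal_manifest() {
    dir=$1
    printf '%s END collection\n' "$(utc_now)" >>"$dir/manifest.txt"
    hash=$(sha256sum "$dir/manifest.txt" | cut -d' ' -f1)
    printf '%s  manifest.txt\n' "$hash" >>"$dir/hashes.sha256"
    printf '%s\n' "$hash"
}

# verify_collection DIR: re-hash everything against hashes.sha256; run it again
# before analysis and again before the evidence is presented.
verify_collection() {
    (cd "$1" && sha256sum -c hashes.sha256 >/dev/null 2>&1)
}

# manifest_artifacts DIR: artifact names in the order they were collected.
manifest_artifacts() {
    awk '$2 == "ARTIFACT" { print $3 }' "$1/manifest.txt"
}

# collect_evidence DIR: the whole procedure; prints the manifest hash on stdout.
collect_evidence() {
    dir=$1
    mkdir -p "$dir"
    printf '%s BEGIN collection by uid %s\n' "$(utc_now)" "$(id -u)" >"$dir/manifest.txt"
    collect_tools "$dir"
    collect_volatile "$dir"
    seal_manifest "$dir"
}

# Usage (path is an example): ./collect.sh /media/evidence/case-0001
if [ $# -ge 1 ]; then collect_evidence "$1"; fi
```

Run it as root from the removable media, and in practice point PATH at a statically linked toolkit on that media before starting so that even the copies in `bin/` come from a trusted source rather than the suspect host. The manifest records a timestamp and exit status for every command, including the ones that failed, which is exactly the record step 6 asks for; appending a single byte to any artifact afterwards makes `verify_collection` fail.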
Reviewed by Unknown on 10:20 AM


Forensicpedia.blogspot.com