1. Order of Volatility
    1. The order in which evidence should be collected: most volatile first, because data such as CPU state, memory contents and network state is lost at power-off or overwritten within seconds, while disk and archival media persist for much longer.
    2. The Internet Engineering Task Force (IETF) published the document "Guidelines for Evidence Collection and Archiving" (February 2002, also designated BCP 55), which is the usual reference for this ordering
      1. RFC 3227
      2. https://www.ietf.org/rfc/rfc3227.txt
    3. The IETF lists the Order of Volatility, from most to least volatile, as follows:
      1. Registers, Cache
      2. Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory
      3. Temporary File Systems
      4. Disk
      5. Remote Logging and Monitoring Data that is Relevant to the System in Question
      6. Physical Configuration, Network Topology
      7. Archival Media
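The list above is the collection order; what follows is an added example (Python, not code from RFC 3227 or from these notes) of a collection script that enforces it. Registers and cache (tier 1) cannot be read from user space, so the script starts at tier 2 and works down to temporary file systems, hashing each command's output and timestamping every step so the collection itself leaves an audit trail. The Linux commands (iproute2, procps) and the tier numbers assigned to them are assumptions a practitioner would adjust for the target platform; a missing tool is recorded in the manifest rather than aborting the run.

```python
"""Collect volatile artifacts in RFC 3227 order and record a hashed manifest.

Added example; not code from RFC 3227 or from the original notes.
Assumptions: a Linux host with iproute2 and procps (the command list is the
part a practitioner edits per platform); an absent tool is recorded in the
manifest instead of ending the collection.
"""
import hashlib
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# (tier, artifact name, command). Tiers follow the RFC 3227 list: tier 1
# (registers, cache) is not readable from user space, so collection starts at
# tier 2 (routing table, ARP cache, process table, kernel statistics, memory)
# and continues to tier 3 (temporary file systems). Disk is imaged separately.
DEFAULT_STEPS = [
    (2, "routing_table", ["ip", "route", "show"]),
    (2, "arp_cache", ["ip", "neigh", "show"]),
    (2, "process_table", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    (2, "sockets", ["ss", "-tulpan"]),
    (2, "kernel_stats", ["cat", "/proc/stat", "/proc/meminfo", "/proc/modules"]),
    (3, "tmpfs_listing", ["ls", "-laR", "/dev/shm", "/tmp"]),
]


def run_command(argv, timeout=60):
    """Run one collection command and return stdout+stderr as bytes.

    FileNotFoundError (tool missing) and TimeoutExpired are left to the
    caller so they are logged as gaps instead of silently ending the run.
    """
    proc = subprocess.run(argv, capture_output=True, check=False, timeout=timeout)
    return proc.stdout + proc.stderr


def utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def collect_volatile(steps=DEFAULT_STEPS, run=run_command, out_dir=None):
    """Run `steps` in order (most volatile first) and return a manifest list.

    The tier sequence must be non-decreasing, so a later edit to the step
    list cannot quietly collect tmpfs before the process table. Each entry
    carries start/finish UTC times and the SHA-256 of the raw output, which
    is what a chain-of-custody record needs. `run` is injectable so the
    routine can be exercised offline without the real tools.
    """
    tiers = [tier for tier, _, _ in steps]
    if tiers != sorted(tiers):
        raise ValueError("steps must be ordered most-volatile first (tier ascending)")
    manifest = []
    for seq, (tier, name, argv) in enumerate(steps):
        entry = {"seq": seq, "tier": tier, "name": name, "argv": list(argv),
                 "started_utc": utc_now()}
        try:
            data = run(argv)
            entry.update(status="ok", bytes=len(data),
                         sha256=hashlib.sha256(data).hexdigest())
            if out_dir is not None:
                path = Path(out_dir) / f"{seq:02d}_{name}.bin"
                path.write_bytes(data)
                entry["file"] = str(path)
        except FileNotFoundError:
            entry["status"] = "missing_tool"   # record the gap, keep going
        except subprocess.TimeoutExpired:
            entry["status"] = "timeout"
        entry["finished_utc"] = utc_now()
        manifest.append(entry)
    return manifest


if __name__ == "__main__":
    # Run as root on the target, writing artifacts next to the manifest.
    for e in collect_volatile(out_dir="."):
        print(e["seq"], e["tier"], e["name"], e["status"], e.get("sha256", ""))
```

The order check is deliberately strict: the value of the script is that nobody has to remember the RFC list under pressure, and a step list that violates it is a bug, not a preference. Outputs are written to `out_dir` so the hashes in the manifest can be verified against the saved files at every later custody transfer.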
  2. Chain of Custody
    1. The chronological documentation (paper or electronic trail) that records the sequence of custody, control, transfer, analysis, and disposition of each item of physical or electronic evidence: who handled it, when, and why. Each handover is signed for and the evidence hash is recorded, so that any gap in the record or any hash mismatch can be detected and challenged.
  3. Legal Hold
    1. A process that an organization uses to preserve all forms of relevant information (documents, email, logs, backups) when litigation is reasonably anticipated; routine retention schedules and automated deletion are suspended for the data in scope until the hold is released.
  4. Data Acquisition
    1. Capture and Hash System Images
      1. If a computer's data is to be used as evidence, the entire drive should be imaged (copied bit for bit, through a write blocker) before any investigation begins, and all analysis is performed on the image, never on the original.
      2. The imaging process should be secured and logged (who, when, which tool and version, source and destination), and the image itself should be hashed.
      3. Hash the source medium before imaging and the finished image afterwards: matching hashes prove the image is an exact copy, and re-hashing later detects any alteration. Hashing does not prevent tampering; it makes tampering detectable and lets the integrity of the image be demonstrated.
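As an added example of the hash-before, hash-after procedure (Python written for these notes, not a tool the notes describe), the routine below hashes the source, copies it to an image file while hashing the bytes written, re-reads the finished image, and hashes the source a second time. The four digests must agree; a source mismatch means the medium changed during imaging (a live system or a failed write blocker) and the image cannot be trusted. The case identifier, examiner name and the 3 MiB sample "disk" in `demo()` are constructed; a hardware write blocker is still assumed for real media, since hashing only detects changes and cannot prevent them.

```python
"""Forensic image acquisition with hash-before / hash-after verification.

Added example; not code from the original notes. Assumptions: `source` is a
raw block device or file opened read-only; real media sit behind a hardware
write blocker. The custody record is appended as one JSON line per
acquisition so it can be hashed and signed like any other evidence.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB per read keeps memory flat for multi-TB sources


def utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path):
    """Stream a file through SHA-256 without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, case_id, examiner, custody_log=None):
    """Copy `source` to `image`; return a custody record with all four hashes."""
    record = {"case_id": case_id, "examiner": examiner, "source": str(source),
              "image": str(image), "started_utc": utc_now()}
    # 1. Hash before: fingerprint of the original medium prior to any copy.
    record["source_sha256_before"] = sha256_file(source)
    # 2. Copy while hashing what is written, so the stream hash is computed
    #    from exactly the bytes that went to the image file.
    stream = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            stream.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # bytes must be on stable storage before re-reading
    record["image_sha256_stream"] = stream.hexdigest()
    # 3. Hash after: re-read the image from disk, and the source once more.
    #    A source mismatch means the medium changed during imaging.
    record["image_sha256_after"] = sha256_file(image)
    record["source_sha256_after"] = sha256_file(source)
    record["verified"] = len({record["source_sha256_before"],
                              record["image_sha256_stream"],
                              record["image_sha256_after"],
                              record["source_sha256_after"]}) == 1
    record["finished_utc"] = utc_now()
    if custody_log is not None:
        with open(custody_log, "a", encoding="utf-8") as log:
            log.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def verify_image(record):
    """Re-check an image against its record, e.g. at each custody transfer."""
    return sha256_file(record["image"]) == record["image_sha256_after"]


def demo():
    """Acquire a constructed 3 MiB sample, then flip one byte and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "sample_disk.raw"   # constructed, not a real disk
        image = Path(tmp) / "sample_disk.dd"
        source.write_bytes(bytes(range(256)) * 12288)  # 3 MiB of patterned data
        record = acquire_image(source, image, "CASE-0001", "examiner-example",
                               custody_log=Path(tmp) / "custody.jsonl")
        clean = verify_image(record)
        with open(image, "r+b") as f:  # simulate tampering or bit rot
            f.seek(1234)
            original = f.read(1)
            f.seek(1234)
            f.write(bytes([original[0] ^ 0x01]))
        tampered = verify_image(record)
        return record, clean, tampered


if __name__ == "__main__":
    rec, ok_before, ok_after = demo()
    print("verified:", rec["verified"], "clean:", ok_before, "after tamper:", ok_after)
```

Re-hashing the source after the copy is the step most often skipped; on a powered-on machine it is the only evidence that the medium held still while it was being read.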
    2. Network Traffic and Logs
      1. As part of an investigation, an analyst will review network captures made with a network sniffing program such as Wireshark or tcpdump; the capture files themselves should be hashed on collection like any other evidence.
      2. Logs should also be preserved, hashed, and stored, including firewall logs, server logs, and router/switch logs.
    3. Capture Video
      1. Any video surveillance equipment that recorded an incident will need to be analyzed.
      2. Before doing so, recorded video should be captured to a computer or to an external media device.
      3. The process should be secured and logged so that a later claim that the evidence was tampered with can be refuted.
    4. Record Time Offset
      1. A trusted reference clock (for example an NTP-synchronised examiner workstation) is compared with the time stamp shown at the same instant by the device that produced the video or captured traffic log. The difference between the two is the record time offset; it must be written down and applied to that device's timestamps before its events are correlated with evidence from other sources.
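The log preservation point above and the record time offset point together, as an added example (Python written for these notes, not tooling the notes describe): the raw log is hashed and kept unchanged, the offset is measured once from a trusted clock and the device's displayed time read at the same instant, and the offset is applied to a derived copy for correlation. The firewall log lines, the reference clock reading and the device clock reading are constructed; the scenario assumes the device logs in an unlabelled local zone and is also slightly slow, which is why the offset is measured rather than taken from the device's time-zone setting.

```python
"""Preserve a device log and correct its timestamps by the record time offset.

Added example; not from the original notes. The raw log is hashed exactly as
collected (that hash belongs in the custody record); corrections go to a
derived copy only. The log lines and both clock readings are constructed.
"""
import hashlib
from datetime import datetime, timezone

# Constructed sample: a firewall whose syslog uses its own clock, in local
# time with no zone marker (a common case). Timestamps occupy the first 19 chars.
SAMPLE_FIREWALL_LOG = [
    "2024-03-05 14:00:00 DENY TCP 10.0.0.5:51234 -> 203.0.113.9:445",
    "2024-03-05 14:01:30 ALLOW TCP 10.0.0.5:51240 -> 198.51.100.7:443",
    "2024-03-05 23:59:50 DENY UDP 10.0.0.9:5353 -> 224.0.0.251:5353",
]
DEVICE_TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def preserve(lines):
    """Hash the raw log exactly as collected, before any normalisation."""
    raw = "\n".join(lines).encode("utf-8") + b"\n"
    return hashlib.sha256(raw).hexdigest()


def parse_device_time(text):
    """Parse a device timestamp. Its zone and drift are unknown, so the value
    is tagged UTC only as a placeholder; the measured offset absorbs both."""
    return datetime.strptime(text, DEVICE_TS_FORMAT).replace(tzinfo=timezone.utc)


def record_time_offset(reference_utc, device_display):
    """Offset to add to any timestamp from this device to get reference time.

    reference_utc: aware datetime read from a trusted clock.
    device_display: the timestamp string the device showed at that instant.
    """
    return reference_utc - parse_device_time(device_display)


def normalise_log(lines, offset):
    """Return a derived copy with each line's reference-time equivalent.

    The original lines are not modified; the device time is kept alongside
    the corrected value so the correction can be audited later.
    """
    out = []
    for line in lines:
        device_ts, message = line[:19], line[20:]
        corrected = parse_device_time(device_ts) + offset
        out.append({"device_time": device_ts,
                    "reference_utc": corrected.isoformat(),
                    "message": message})
    return out


def demo():
    """Worked scenario: the examiner's NTP-synced clock read 19:02:40Z while
    the firewall console showed 14:02:17 (five hours of zone, 23 s slow)."""
    raw_hash = preserve(SAMPLE_FIREWALL_LOG)
    reference = datetime(2024, 3, 5, 19, 2, 40, tzinfo=timezone.utc)
    offset = record_time_offset(reference, "2024-03-05 14:02:17")
    return raw_hash, offset, normalise_log(SAMPLE_FIREWALL_LOG, offset)


if __name__ == "__main__":
    digest, delta, rows = demo()
    print("raw log sha256:", digest)
    print("record time offset:", delta)
    for row in rows:
        print(row["device_time"], "->", row["reference_utc"], row["message"])
```

The last sample line shows why the offset is applied as a full datetime delta rather than by editing the hour field: 23:59:50 on the device corresponds to 05:00:13 the next day in reference time, and a naive hour adjustment would put the event on the wrong date.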
    5. Screenshots
      1. Because a computer being investigated might be compromised, it is usually unwise to use screen-capturing software installed on the affected computer.
      2. Instead, take actual photos of the various screens you wish to capture using a separate camera, and record when each photo was taken and any clock shown on the screen so it can be reconciled with the record time offset.
    6. Witness Interviews
      1. Witnesses are people who were present during an event and were cognizant of what happened during the event.
      2. A witness can corroborate evidence that was gathered from video, computer logs, captures, and other technical evidence.
  5. Preservation
    1. Ensuring data is not tampered with or altered
  6. Recovery
    1. Retrieve data, repair systems, re-enable servers and networks, and reconstitute server rooms and/or the IT environment. Damage and loss control comes into play here; making sure that as much data as possible is recovered can be a very slow process.
  7. Tracking Man-Hours
    1. Every action that is taken by the investigators of an incident response team should be logged and documented so as to act as a proper audit trail.
    2. Investigators normally need to sign in before being allowed access to an affected area or computer.
    3. The total man-hours, sign-in and sign-out times, and any expenses incurred should be thoroughly documented; man-hours are usually tracked in a ticketing or time-tracking system so the record cannot be disputed later.