1 file changed +28 -0 lines changed
1+ # 01 — Evidence Handling
2+
3+ ## Chain of Custody Workflow
4+ - Record acquisition time, location, and handler.
5+ - Maintain an unbroken handoff log.
6+ - Use tamper-evident storage methods.
7+ - Document all actions taken on evidence.
8+
9+ ## Integrity Validation
10+ - Hash evidence before and after imaging.
11+ - Compare checksums to validate integrity.
12+ - Store hashes in the case record and report.
13+
14+ ## Imaging Workflow
15+ - Determine logical vs physical collection.
16+ - Avoid interacting directly with original media.
17+ - Use write-blocking in all acquisition steps.
18+ - Store clean copies and work only on duplicates.
19+
20+ ## Storage Strategy (3-2-1 Model)
21+ - 3 total copies
22+ - 2 different storage mediums
23+ - 1 off-site copy
24+
25+ ## Evidence Isolation Checklist
26+ - Disconnect compromised systems from networks.
27+ - Prevent system modifications.
28+ - Restrict access to minimal authorized personnel.
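Review bot: The Integrity Validation list (added lines 10-12) does not say which hash algorithm to use, what to do when the checksums differ, or that the pre-imaging hash must be taken through the write blocker required on line 17. As written, "Hash evidence before and after imaging" can be read as hashing the original media directly, which conflicts with line 16, "Avoid interacting directly with original media." Suggest naming the algorithm, adding a mismatch step (stop, document, re-acquire), and tying the hash entry to the handoff log from line 5 so each transfer records the value. The 3-2-1 section (lines 20-23) could also state that each of the three copies is verified against the recorded hash before it is stored.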