1
00:00:00,720 --> 00:00:06,390
In this section we are going to discuss collecting evidence after a security event.

2
00:00:06,600 --> 00:00:11,180
In some cases the evidence collected may need to be used in the court of law.

3
00:00:11,250 --> 00:00:15,410
So it is crucial that the proper procedures are followed.

4
00:00:15,570 --> 00:00:22,620
The best evidence is evidence that is in its original form, such as a copy of a hard drive from a computer

5
00:00:22,830 --> 00:00:30,390
that has been compromised. Corroborative evidence is evidence that is based on a theory that is supported

6
00:00:30,390 --> 00:00:37,990
by the initial case evidence. Indirect evidence is evidence that is dependent on a connection to additional

7
00:00:37,990 --> 00:00:42,950
evidence, such as fingerprints or DNA left at the scene.

8
00:00:44,880 --> 00:00:51,000
Once evidence is collected it needs to be handled properly to make sure it is not altered or damaged.

9
00:00:51,360 --> 00:00:58,570
First, evidence should be labeled with the investigator's name, the date and case number. Then it should

10
00:00:58,570 --> 00:01:05,530
be preserved with the right protection in place, in an anti-static bag or Faraday cage, to prevent electric

11
00:01:05,560 --> 00:01:07,860
energy from harming the evidence.

12
00:01:09,180 --> 00:01:15,540
Finally, you need to make sure to maintain the proper chain of custody by accurately documenting any

13
00:01:15,540 --> 00:01:17,350
transfers of evidence.

14
00:01:18,400 --> 00:01:23,070
If you do not follow these steps then evidence may not be valid in the court of law.

15
00:01:25,160 --> 00:01:30,520
The common piece of evidence obtained during most investigations are disk images.

16
00:01:30,920 --> 00:01:39,740
Some common tools out there that can be used for disk imaging are sincere cane and case. A disk image

17
00:01:39,770 --> 00:01:47,870
is a computer file containing the contents of a data storage device, such as a computer hard drive.

18
00:01:47,960 --> 00:01:55,560
It is important that when doing computer forensics, images are not altered. In a real-world scenario,

19
00:01:55,640 --> 00:02:01,580
if you were to get evidence from a search warrant or by a discovery motion and were to obtain a physical

20
00:02:01,580 --> 00:02:09,480
copy of a hard drive from a computer, you would need a write blocker. Write blockers are devices that

21
00:02:09,480 --> 00:02:17,440
allow you to get information on a drive without accidentally damaging the drive contents.

22
00:02:17,730 --> 00:02:23,070
If you want to learn more about disk imaging, check out the link that I have provided as a resource for

23
00:02:23,070 --> 00:02:23,890
this lecture.