Summary
This chapter provided a deep look into the pitfalls of preparing for incident response. We defined the forensic evidence life cycle, which consists of data collection, review, and documentation, as well as chain of custody, analysis, preservation, and retention. The evidence sources were also grouped into two categories, volatile and non-volatile, and each was described with detailed examples. For now, we did not dive into Windows forensic artifacts, their format, location, or nature, as this is a subject for upcoming chapters. Nevertheless, the challenges of acquiring them and their use cases were highlighted.
Here we also covered collection tools and defined criteria for choosing the proper one, deliberately without naming specific tools, since a tool that is supported at the time of writing this book may no longer be supported in years to come. Key metrics to choose the best fit for a forensic collector are compatibility...