With the identification and preservation of the physical and digital evidence completed the incident response team must now enter the data collection phase. During the data collection phase, the investigative team must collect volatile evidence first, and non-volatile second. Describe the volatile and non-volatile evidence types to be collected and the methods to both collect and analyze the two types of evidence.
- Describe the volatile live acquisition process to collect evidence related to system memory and registry changes and analysis methods conducted over this evidence.
- Describe the non-volatile acquisition process of evidence collection over powered down systems and devices, and the related analysis methods used over non-volatile evidence.
- Describe the exact investigative techniques that you would use to analyze the users’ information, habits, and history for each program. Explain the reasons for your selected techniques.
Remember to address forensic evidence you might find relating to the ransomware attack. You should be making references to specific directories, files, file types, registry entries and log files which point to sources of the incident forensic evidence.
The 16-18 slide PowerPoint presentation should include the following:
- Title Slide (1)
- Topics of Discussion Slide (1)
- Windows 10 Operating System (3 slides)
- Registry and Memory (2 slides)
- Internet Explorer (3 slides)
- Outlook e-mail (2 slides)
- Photoshop (2 slides)
- Office (3 slides)
- References Slide (1)