Understand the forensic collection of evidence following a security incident and its purpose:
• desktop forensics:
  o meeting requirements for desktop forensics, including:
    – confiscation of devices
    – taking an image of the system
    – using a forensic analysis tool
    – reviewing files and settings
    – reviewing system logs
    – reviewing user activity
    – malware analysis and alerts
  o the challenges of live forensics:
    – changing data in situ
    – recovering corrupted data and preventing data corruption
    – capturing data in active memory
    – losing temporary files
• network forensics:
  o agreeing a network-testing methodology with forensic supervisory and investigatory authority
  o scanning of local infrastructure:
    – ensuring permission is granted
    – ensuring that testing protocol will not disrupt a live system
    – passive and active analysis tools
  o reviewing and analysing firewalls and infrastructure devices, including switch, router, wireless access point, client or server logs
  o analysing malware activity and alerts.
Anonymous Assessment - Learners assess an anonymous piece of work containing deliberate mistakes against given success criteria.