Describe these concepts as they are documented in NIST SP800-86: evidence collection order, data integrity, data preservation, volatile data collection
Implementing Cisco Cybersecurity Operations (210-255)
The best way to study for this objective is to read, or at least read the highlights of, the NIST document. Here are some of my notes.
Evidence Collection Order
There are three steps to collecting evidence. First, develop a plan that sets priorities and the order in which to collect evidence. Next, acquire the data; this must be done with care to preserve the chain of custody. Finally, preserve the evidence. When making backup copies, the integrity of the data is paramount so that the original evidence stays intact.
Data Integrity
When copying the original data to a backup, write blockers should be used to prevent any data from being written to the original. Once the backup is done, a message digest should be made of both the original and the backup. These digests should match, which verifies that the backup is identical to the original data. Commonly, either the MD5 or the SHA-1 algorithm is used to make this digest.
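The digest comparison described above, as an added example (not taken from the NIST document or from these notes): it hashes the original and the backup with MD5 and SHA-1 in a single read each and reports whether they match. The file names and the sample data are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large images never sit in memory


def digests(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hex digest} for the file, reading it only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    # Opened read-only; this complements a write blocker, it does not replace one.
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(original, backup):
    """Hash both files and return (match, record); keep the record with the case notes."""
    orig, copy = digests(original), digests(backup)
    return orig == copy, {"original": orig, "backup": copy}


def demo():
    """Constructed sample: a small stand-in image, a faithful copy and an altered copy."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.img")
        good = os.path.join(d, "backup_good.img")
        bad = os.path.join(d, "backup_bad.img")
        data = b"constructed sample sector data\n" * 4096
        for path in (original, good):
            with open(path, "wb") as fh:
                fh.write(data)
        # Flip one bit in the last byte to simulate a copy that was altered.
        with open(bad, "wb") as fh:
            fh.write(data[:-1] + bytes([data[-1] ^ 0x01]))
        return verify_copy(original, good), verify_copy(original, bad)


if __name__ == "__main__":
    (ok, rec), (bad_ok, bad_rec) = demo()
    print("faithful copy matches:", ok, rec["original"])
    print("altered copy matches: ", bad_ok, bad_rec["backup"])
```

A single flipped bit in the copy changes both digests, so the second comparison fails while the first succeeds.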
Volatile Data Collection
Because volatile storage like RAM is constantly changing, it must be collected as soon as possible. It also must be collected before the device is shut down. When the analyst first comes to the system, they should record what is currently on the screen before touching any input devices. If the device is locked or asleep, the analyst has to determine the risk of trying to unlock the machine. An analyst must also weigh the risk that malicious actors have left behind software designed to destroy evidence when access is attempted. Ideally, the criteria for decisions about volatile data collection should be defined before an incident response.