Using Forensics Data – CompTIA Security+ SY0-501 – 5.5

After you’ve collected forensics data, what processes should you follow? In this video, you’ll learn about the preservation of evidence, recovery of data, and tracking man hours and expenses.

It’s important to preserve all of your forensics data, and there will be a lot of data that you need to gather. It’s, of course, important to have this data for the current investigation. You need to be able to look through all possible evidence to determine exactly what occurred during that incident. There may also be a future incident that causes you to revisit this data to see if there’s any correlation between the two incidents. And there may be cases where you discover new pieces of evidence that will require you to go back to the data and look for different kinds of information.
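As an added example (not code from the video), here is a small Python script that records a SHA-256 hash of every collected evidence file in a manifest at collection time and re-verifies the files later, so that data you revisit months afterwards can be shown to be the same data you originally gathered. The file names, contents and the collector label are constructed sample values.

```python
import hashlib
import os
import tempfile
import time

def sha256_file(path):
    """Hash a file in chunks so large disk or memory images never have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir, collector):
    """Record name, size and hash of every evidence file at collection time."""
    items = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            items.append({"file": name, "size": os.path.getsize(path),
                          "sha256": sha256_file(path)})
    return {"collected_by": collector,
            "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "items": items}

def verify_manifest(evidence_dir, manifest):
    """Return a list of (file, problem) for anything that is missing or altered."""
    problems = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["file"])
        if not os.path.isfile(path):
            problems.append((item["file"], "missing"))
        elif sha256_file(path) != item["sha256"]:
            problems.append((item["file"], "hash mismatch"))
    return problems

def demo():
    """Constructed sample: two fake evidence files, verified clean, then tampered with."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "memory.raw"), "wb") as f:
            f.write(b"\x00" * 4096)
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("Jan 1 00:00:01 host sshd[1]: Failed password for root\n")
        manifest = build_manifest(d, "analyst-1 (constructed)")
        clean = verify_manifest(d, manifest)  # store the manifest apart from the evidence itself
        with open(os.path.join(d, "memory.raw"), "ab") as f:
            f.write(b"tampered")  # simulate a modified image
        os.remove(os.path.join(d, "auth.log"))  # simulate a lost log
        return clean, verify_manifest(d, manifest)
```

Keep the manifest (and ideally a signed copy of it) outside the evidence store so a later reviewer can confirm that nothing changed between collection and analysis.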

There’s also a need to be able to recover from this incident. And the more data you have, the easier it will be to create a strategy for next time. If you’re able to collect and process all of these details, you may be able to find important information that you could use to protect yourself later. And building on that, you’ll be able to make policy changes and modifications to your processes that will help protect you based on all of this intelligence that you found.

There might also be an opportunity to provide counterintelligence. Now that we’ve gathered details about the attacker, we may be able to learn more about what they are or who they are. You may be able to find habits or methods that are unique to this particular attacker, and that might allow you to identify them later. One rule of thumb in information security is to constantly log as much information as you can. If you’re logging everything everywhere, then you may be able to track exactly what an attacker did from the very beginning of their attack to the very end.

Some of these security incidents have a very large scope. They may affect many different systems across many different parts of your organization, and responding to these large-scale attacks may consume a lot of your resources. This can have an extensive financial impact on the organization, so it’s important to track all of the man hours and all of the expenses associated with the investigation. You want to be as accurate as possible in determining these expenses, because all of this may be required if the case reaches a legal environment where restitution is an option.