A video can sometimes provide much more information that weeks of log files. In this video, you’ll learn some strategies for collecting evidence with video.
<< Previous Video: Capturing Network Traffic and LogsNext: Recording Time Offsets >>
Another good source of forensics data is video. This can be video that’s internal, on the computer itself. It can be video that’s external of the computer, or the network, or the place where the particular event occurred. This gives you a moving record of what went on. Sometimes if you’re approaching a scene of an incident, you may want to start recording yourself. Turn on your own video. It’s so easy today. You’ve got these mobile video devices. Our phones these days are HD recorders– perfect place to go to record exactly what you find in the state you find, that you can then share with other people. That way you’ve got a step-by-step, second-by-second now archive of exactly what you did. And this might be recording what’s on a computer screen, recording the situation around a data center, understanding if a door was jimmied open, you may be able to get a picture– a video– of exactly what that looked like, and really have more information available to you.
Coming up to a screen that has been compromised and recording it with an external camera means that you’re able to at least see what’s going on without affecting anything else going on on the computer system or the network. And having those mobile devices that you carry with you all the time just gives you another place to go there. Don’t forget your security cameras. If you have surveillance systems and security cameras, those sometimes have a data they’ll store over time, but they’re still volatile. You want to be sure you’re able to catch those before they overwrite themselves. And maybe sometimes you’re able to see people going in and out of the building. Even if it didn’t capture the exact incident where it occurred, you’ve got cameras elsewhere that you’ll be able to help with the evidence and the information that you’re gathering together.
You also of course have to archive this video content. It’s still evidence. It’s things that you want to keep. This may indeed be some of the most important information you have, just because of the audio and the video context associated with it. So make sure you archive it in a way that later on, months later, a year later, when you need to go back to it, these things tend to drag out over long periods of time, make sure it’s something that will be accessible to you, and something that will be in a format that you’ll be able to view.
Category: CompTIA Security+ SY0-401