Why securing data properly matters
Data collection is one of the critical tasks when responding to an attack. Authorities and third parties need to be able to understand what happened from what you collected. If the case goes to court and the collection process was not controlled, the case may fall apart.
What data do we have?
What data is available if things go wrong? You can often retrieve a computer and secure it — but what about a cloud service? Do you know how to retrieve that data, and how long the export takes? Test this before you get hit.
Questions before collecting
Document your process: the more carefully you do this, the more useful the collection will be.
- Date/time of start and end.
- Performed by whom?
- What data is retrieved?
- Which tools (and versions) were used?
- Data from AV/IDS/IPS/network gear — which software version?
- How were integrity checks made, and with what tool?
- What does the data contain — format, fields (a description of the data)?
- Where is data stored and how is access granted?
Integrity
Create a process for collecting data, store it on storage you control, then run a tool like DirHash to calculate hash values of the collected files. Hashing takes roughly as long as copying, since it is bound by disk I/O and CPU.
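The integrity step and the questions list above, as an added example (not from the original page and not DirHash itself): a small Python script that hashes every file in a collected directory, records the who/when/what/which-tool answers next to the hashes, and later re-verifies the collection against that manifest. The file names and analyst name in `demo()` are constructed placeholders.

```python
import hashlib
import platform
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large evidence files need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root, performed_by, source):
    """Hash every file under root and record who, when, what and which tool (the questions above)."""
    root = Path(root)
    started = datetime.now(timezone.utc).isoformat()
    files = {p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "bytes": p.stat().st_size}
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"started_utc": started, "finished_utc": datetime.now(timezone.utc).isoformat(),
            "performed_by": performed_by, "source": source,
            "hash_tool": "hashlib sha256, Python " + platform.python_version(), "files": files}

def verify_manifest(root, manifest):
    """Re-hash the collection; return (relpath, problem) for changed, missing or extra files."""
    root, expected, problems = Path(root), manifest["files"], []
    for rel, info in expected.items():
        p = root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(p) != info["sha256"]:
            problems.append((rel, "hash mismatch"))
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    problems += [(rel, "unexpected file") for rel in present - set(expected)]
    return sorted(problems)

def demo():
    """Constructed sample collection: verify it clean, then detect a changed log and an added file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "proxy").mkdir()
        (root / "proxy" / "access.log").write_text("2024-01-01T10:00:00Z GET /login 200\n")
        (root / "edr_export.json").write_text('{"alerts": []}\n')
        manifest = build_manifest(root, "analyst name (placeholder)", "constructed sample export")
        clean = verify_manifest(root, manifest)           # expected: []
        (root / "proxy" / "access.log").write_text("tampered\n")
        (root / "notes.txt").write_text("added after collection\n")
        return clean, verify_manifest(root, manifest)
```

Store the manifest (and a hash of the manifest itself) separately from the collection, so a later re-run of `verify_manifest` can show the evidence is unchanged since the recorded start and end times.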