Summarization should include
- order of volatility
- chain of custody
- legal hold
- data acquisition
- capture system image
- network traffic and logs
- capture video
- record time offset
- take hashes
- screenshots
- witness interviews
- preservation
- recovery
- strategic intelligence/counterintelligence gathering
- active logging
- track man-hours
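The acquisition items above (order of volatility, record time offset, take hashes, chain of custody) can be tied together in one script. The following is an added example written for this outline, not material from the original lesson or any vendor tool: a minimal live-collection script that captures artifacts most-volatile-first, records the clock offset against a trusted reference, hashes each artifact the moment it is captured, and appends a chain-of-custody record that can be re-verified later. The case directory layout, artifact labels, the choice of system commands, and the epoch values used for the offset are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original lesson outline. Collects artifacts in
# order of volatility, records the clock offset, hashes every capture, and
# keeps a tab-separated chain-of-custody manifest. Labels, paths and the
# example commands are assumptions chosen for illustration.
set -u

CASE_DIR="${CASE_DIR:-$(mktemp -d)}"
MANIFEST="$CASE_DIR/manifest.tsv"

# SHA-256 of a file, portable across GNU (sha256sum) and BSD/macOS (shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Time offset in seconds: suspect system clock minus a trusted reference clock.
# Both are passed as epoch seconds so the function is testable; in the field
# the reference is a trusted NTP server or the examiner's synchronised watch.
time_offset() {
    echo $(( $1 - $2 ))
}

# Append one chain-of-custody record: rank, label, sha256, examiner, UTC time.
# Hashing at capture time is what lets a later re-hash prove the artifact has
# not changed while in custody.
log_custody() {
    printf '%s\t%s\t%s\t%s\t%s\n' "$1" "$2" "$(hash_file "$3")" "$4" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$MANIFEST"
}

# Save a command's output as one artifact and log it. A missing tool still
# yields a logged (empty) artifact instead of aborting the whole collection.
acquire() {
    rank=$1; label=$2; who=$3; shift 3
    out="$CASE_DIR/$rank-$label.txt"
    "$@" > "$out" 2>/dev/null || true
    log_custody "$rank" "$label" "$out" "$who"
}

# Order of volatility: most volatile first. The sequence is the point; the
# commands are ordinary system tools. Prints the manifest path.
run_collection() {
    who=$1
    : > "$MANIFEST"
    acquire 1 clock     "$who" date -u +%s     # system time, for the offset
    acquire 2 processes "$who" ps -ef          # process table lives in RAM
    acquire 3 sockets   "$who" netstat -an     # network state
    acquire 4 tempfiles "$who" ls -la /tmp     # temporary file system
    acquire 5 mounts    "$who" df -P           # fixed disks, collected last
    echo "$MANIFEST"
}

# Re-hash every artifact in the manifest and compare with the recorded hash.
# Returns 0 only if nothing has changed since acquisition.
verify_manifest() {
    while IFS="$(printf '\t')" read -r rank label sum who when; do
        f="$CASE_DIR/$rank-$label.txt"
        [ "$(hash_file "$f")" = "$sum" ] || return 1
    done < "$MANIFEST"
    return 0
}
```

Usage: run_collection "examiner name" on the live system, then keep the case directory and manifest together; any later handler re-runs verify_manifest before and after touching the evidence, and an offset computed with time_offset from the 1-clock artifact and the reference clock is noted so log timestamps can be corrected.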
Process/Skill Questions:
- Why is it important to save volatile information?
- Why are procedures necessary when collecting information?
- What are the legal implications of a failed chain of custody?