WIP

5.md

@@ -122,15 +122,18 @@ Also:
 
 ## 5.5 Summarize basic concepts of forensics. ([James Messer](https://www.youtube.com/watch?v=C3mjAsGKoco&list=PL5ysgoFoCpZEM8cboeHdRDePc2bOU9CN1&index=107), [Jason Dion](https://www.udemy.com/program/comptia-security/learn/2015076/lecture/13220020#overview), [Mike Meyers](https://www.udemy.com/course/comptia-security-certification-sy0-501-the-total-course/learn/lecture/9876520#overview))
 
+See also "RFC 3227 - Guidelines for Evidence Collectioin and Archiving"
+
 - Order of volatility
   - As ordered by Conklin:
     1. CPU, cache, and register contents (collect first)
-    2. Routing tables, ARP cache, process tables, kernel statistics 3. Live network connections and data flows
-    3. Memory (RAM)
-    4. Temporary file system/swap space
-    5. Data on hard disk
-    6. Remotely logged data
-    7. Data stored on archival media/backups (collect last)
+    2. Routing tables, ARP cache, process tables, kernel statistics
+    3. Live network connections and data flows
+    4. Memory (RAM)
+    5. Temporary file system/swap space
+    6. Data on hard disk
+    7. Remotely logged data
+    8. Data stored on archival media/backups (collect last)
 - Chain of custody
   - As listed by Conklin:
     1. Record each item collected as evidence.
@@ -143,6 +146,7 @@ Also:
     8. Provide controls to prevent access to and compromise of the evidence while it is being stored.
     9. Securely transport the evidence to court for proceedings.
 - Legal hold
+  - A "litigation hold, the process by which you properly preserve any and all digital evidence related to a potential case. This event is usually triggered by one organization issuing a litigation hold request to another. Once an organization receives this notice, it is required to maintain a complete set of unaltered data including metadata, of any and all information related to the issue causing the litiga- tion hold." (Conklin)
 - Data acquisition
   - Capture system image
   - Network traffic and logs