Data preservation

5.6 Describe concepts as documented in NIST.SP800-86

📘Cisco Certified CyberOps Associate (200-201 CBROPS)


What is Data Preservation?

Data preservation means protecting and maintaining digital evidence in its original state after a security incident.

The main goal is to make sure that:

  • Data is not changed, damaged, or lost
  • Evidence remains reliable and trustworthy
  • It can be used for investigation, analysis, or legal purposes

In simple terms:
👉 Data preservation ensures that the evidence you collect stays exactly the same as when it was found.


🎯 Why Data Preservation is Important

During an incident (such as malware infection, unauthorized access, or data breach), systems contain important evidence like:

  • Log files
  • Memory data (RAM)
  • Disk contents
  • Network traffic data

If this data is not preserved properly:

  • It may be altered or destroyed
  • The investigation may become inaccurate
  • Evidence may become invalid in legal situations

🔑 Key Goals of Data Preservation

  1. Maintain Integrity
    • Data must not be changed after collection
  2. Ensure Authenticity
    • Prove that the data is original and not tampered with
  3. Prevent Data Loss
    • Protect data from deletion or corruption
  4. Support Analysis
    • Keep data usable for forensic tools and investigators

🧩 Types of Data to Preserve

1. Volatile Data (most perishable – collect first)

  • RAM contents
  • Running processes
  • Active network connections
  • Logged-in users

⚠️ This data is lost when the system is powered off or rebooted, and parts of it are overwritten even while the system keeps running, which is why it is collected first (the order of volatility).


2. Non-Volatile Data (Stored Data)

  • Hard drives / SSD data
  • System logs
  • Application files
  • Configuration files

3. Network Data

  • Packet captures (PCAP files)
  • Firewall logs
  • IDS/IPS alerts

🛠️ Data Preservation Process (Step-by-Step)

1. Identify Data Sources

Determine where important evidence exists:

  • Servers
  • Endpoints (computers)
  • Network devices
  • Cloud systems

2. Prioritize Data Collection

Collect data in this order:

  1. Volatile data first (RAM, active sessions)
  2. Non-volatile data next (disks, logs)

3. Create Forensic Copies

Instead of working on original data:

  • Create a bit-for-bit copy (forensic image) of the media, reading the original only through a write blocker

👉 This ensures:

  • Original data remains untouched
  • Analysis can be done safely

4. Use Hashing for Integrity Verification

Generate a hash value (digital fingerprint) of the original at the moment of acquisition, then hash the forensic image and re-hash it every time it is handled.

Common algorithms:

  • MD5
  • SHA-1
  • SHA-256

⚠️ MD5 and SHA-1 still appear in older tools and in exam material, but both have practical collision attacks; use SHA-256 for new acquisitions (many tools record two hashes, e.g. MD5 and SHA-256, side by side).

✔ If the hash values match:

  • Data is unchanged

❌ If they differ, the copy or the original has been modified and the evidence can no longer be trusted.

5. Secure Storage of Evidence

Store preserved data in:

  • Secure servers
  • Encrypted storage
  • Access-controlled environments

6. Document Everything (Chain of Custody)

Keep detailed records of:

  • Who collected the data
  • When it was collected
  • How it was handled
  • Where it is stored

👉 This ensures accountability and trust.
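The six steps above (and the hashing step in particular) as one runnable workflow. This is an added example written for these notes, not code from the CBROPS course or from NIST SP 800-86: a small file stands in for the suspect drive, and the names acquire_image, CustodyLog, sha256_file and the evidence ID CASE-0001-E01 are this example's own (hypothetical), not the API of any forensic tool. It images the "drive" bit for bit while hashing it, stores the image read-only, verifies it against the acquisition hash, and keeps a chain-of-custody log whose entries are hash-linked so that editing any earlier entry is detectable.

```python
# Added example for these notes, not code from the CBROPS course or NIST SP 800-86.
# acquire_image, CustodyLog and the evidence ID CASE-0001-E01 are this example's own
# (hypothetical) names, not any forensic tool's API. Standard library only.
import hashlib
import json
import os
import tempfile
import time

BLOCK = 4096  # bytes per read; real imagers use far larger blocks

def acquire_image(source, image, block=BLOCK):
    """Bit-for-bit copy of `source` into `image`, hashed while it is read. The source is
    opened read-only (a software stand-in for a write blocker); an unreadable block is
    zero-filled and skipped so later bytes keep their offsets, like dd's conv=noerror,sync.
    Returns (acquisition_sha256, bytes_written, unreadable_blocks)."""
    digest, written, bad = hashlib.sha256(), 0, 0
    fd = os.open(source, os.O_RDONLY)
    try:
        with open(image, "wb") as out:
            while True:
                try:
                    chunk = os.read(fd, block)
                except OSError:
                    os.lseek(fd, block, os.SEEK_CUR)  # step past the bad block
                    chunk, bad = b"\x00" * block, bad + 1
                if not chunk:
                    break
                digest.update(chunk)
                out.write(chunk)
                written += len(chunk)
    finally:
        os.close(fd)
    os.chmod(image, 0o440)  # the stored evidence copy is never written to again
    return digest.hexdigest(), written, bad

def sha256_file(path, block=BLOCK):
    """Independent re-hash of a stored file, used to verify an image later."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_image(image, acquisition_hash):
    # True only if the image still hashes to the value recorded at acquisition
    return sha256_file(image) == acquisition_hash

class CustodyLog:
    """Append-only chain of custody: who, when, what, where, evidence hash, plus the
    SHA-256 of the previous entry, so editing or deleting an earlier entry is detectable."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, evidence_id, handler, action, location, evidence_hash):
        entry = {"evidence_id": evidence_id, "handler": handler, "action": action,
                 "location": location, "evidence_hash": evidence_hash,
                 "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                 "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS}
        entry["entry_hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        # (True, None) if every link holds, else (False, index of the first bad entry)
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_entry_hash"] != prev or self._hash(e) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, None

def demo():
    """Constructed scenario: a small file stands in for the suspect server's drive."""
    work = tempfile.mkdtemp()
    disk, image = os.path.join(work, "sdb"), os.path.join(work, "CASE-0001-E01.raw")
    with open(disk, "wb") as f:
        f.write(bytes(range(256)) * 64 + b"deleted-but-not-overwritten data\n")
    log = CustodyLog()
    acq_hash = acquire_image(disk, image)[0]
    log.record("CASE-0001-E01", "analyst1", "acquired", "forensic-srv:/evidence", acq_hash)
    log.record("CASE-0001-E01", "analyst2", "received for analysis", "lab-ws-07", sha256_file(image))
    intact_before, chain_before = verify_image(image, acq_hash), log.verify()[0]
    os.chmod(image, 0o640)  # someone with write access flips one byte of the image ...
    with open(image, "r+b") as f:
        f.seek(100); b = f.read(1); f.seek(100); f.write(bytes([b[0] ^ 0xFF]))
    log.entries[0]["handler"] = "unknown"  # ... and rewrites the first custody entry
    chain_after, first_bad = log.verify()
    return intact_before, verify_image(image, acq_hash), chain_before, chain_after, first_bad

if __name__ == "__main__":
    print(demo())  # (True, False, True, False, 0)
```

Running the file prints (True, False, True, False, 0): the image verifies right after acquisition, fails verification after a single byte is flipped, and the custody chain that was valid becomes invalid at entry 0 once that entry is edited. On a real case the acquisition step is normally a tool such as dd (dd if=/dev/sdb of=CASE-0001-E01.raw bs=4M conv=noerror,sync, with the drive behind a hardware write blocker) followed by sha256sum, or an imager such as dc3dd that hashes while it reads, exactly as acquire_image does here; the custody log is the part most teams still keep on paper or in a case-management system, and hash-linking it is an optional hardening, not an exam requirement.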


🔐 Key Concepts You Must Know

✔ Chain of Custody

A record that tracks:

  • Movement of evidence
  • Who accessed it
  • Any changes in handling

👉 Critical for legal and audit purposes.


✔ Forensic Imaging

  • Exact copy of storage media
  • Includes every sector, so unallocated space and deleted-but-not-overwritten files are captured (a normal file copy or backup would miss them)

✔ Write Blockers

Hardware devices or software controls that let the examiner read a drive but block every write to it:

  • Prevent modification of original data during collection (even mounting a drive normally can change it, e.g. by updating access times or replaying a file-system journal)

✔ Data Integrity

Ensures data is:

  • Accurate
  • Complete
  • Unchanged

⚠️ Common Mistakes to Avoid

  • ❌ Working directly on original evidence
  • ❌ Not collecting volatile data first
  • ❌ Failing to calculate hash values
  • ❌ Poor documentation
  • ❌ Storing evidence in unsecured locations

🖥️ IT Environment Example

A security analyst detects suspicious activity on a server:

  • The analyst collects RAM data first (active processes, connections)
  • Then creates a disk image of the server
  • Generates hash values to verify integrity
  • Stores evidence in a secure forensic server
  • Documents all steps in a chain of custody log

👉 This ensures the evidence is preserved properly for further analysis.


📊 Summary (Exam Quick Revision)

  • Data Preservation = Protecting evidence from change or loss
  • Collect volatile data first, then non-volatile
  • Always create forensic copies, never use original data
  • Use hashing to verify integrity
  • Maintain chain of custody
  • Store data securely with access control

🧠 Exam Tips

  • Remember the order:
    Volatile → Non-volatile → Hash → Store → Document
    (hash each item as soon as it is acquired; the chain-of-custody record starts with the first item collected and is updated at every later step)
  • Focus on:
    • Integrity
    • Authenticity
    • Proper handling
  • Questions may test:
    • Correct data collection order
    • Purpose of hashing
    • Importance of chain of custody