
forensic storage container for network evidence???

izham5205
(@izham5205)
Active Member
Joined: 15 years ago
Posts: 12
Topic starter  

I am curious…
For digital forensics, we all know about the storing methodology, such as creating images of the hard disk, or the evidence being retrieved from the crime scene and taken to the lab, a full set of PC maybe, so the chain of custody (CoC) can be logged/reported by the person in charge.

My curiosity is regarding network forensics.
How does the evidence... taking for example packet files, firewall logs, IDS logs, etc.?

How is the evidence stored? Inside a database? How about the CoC?
I am fully aware of the container aff3.4 created by Cohen et al. and some other reading in academic papers…

But how about in real-life practice, by professional investigators? Or any kind of experience handling these issues?


   
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

What 'container' you store the data in is not nearly as important as the methodology you follow when capturing/collecting the data.

Your strongest stance comes from developed processes/procedures for data collection/storage and objective evidence that you actually follow those processes.

What/where you store the data is not nearly as important as showing you have a repeatable and followed process for getting the data to begin with.


   