LAB 8: CHAIN OF CUSTODY & EVIDENCE HANDLING


Objectives

1. Create forensic image of a drive
   Hint: dd if=/dev/sda of=evidence.img bs=4096
2. Generate hash of evidence image
   Hint: sha256sum evidence.img
3. Fill out Chain of Custody form
   Hint: Complete all required fields in the Documentation System tab and submit.
4. Document evidence handling procedures
   Hint: Drag and drop the procedure steps into the correct order.
5. Create write-blocker verification log
   Hint: verify-write-blocker /dev/sda
6. Transfer evidence and update custody log
   Hint: transfer-evidence --to "Lab Technician", then update the custody form.
7. Verify evidence integrity after transfer
   Hint: sha256sum evidence.img and compare the result with the original hash.
8. Prepare evidence summary for legal review
   Hint: generate-evidence-summary
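The imaging, hashing, custody logging, transfer and post-transfer verification steps (objectives 1, 2, 3, 6 and 7) carried through as one runnable shell script. This is an added example, not code from the lab platform: the lab's verify-write-blocker, transfer-evidence and generate-evidence-summary commands are simulated tools and are not reproduced; the "drive" that gets imaged is a constructed file rather than a block device, and the handler names, locations and paths are assumptions. The script also shows the failure mode objective 7 guards against: a modified copy no longer matches the acquisition hash.

```bash
# Chain-of-custody helpers for Lab 8 (added example; not the lab's own code).
# The imaged "device" is a constructed file, never a real /dev/sda.

# Build a small deterministic sample "drive" so the script runs offline.
make_sample_device() {
    # $1 = path of the file standing in for /dev/sda (constructed data)
    awk 'BEGIN { for (i = 0; i < 3000; i++)
                   printf "block %05d: constructed sample drive data\n", i }' > "$1"
}

# Objective 1: bit-for-bit copy with dd, bs=4096 as in the lab hint.
image_drive() {
    # $1 = source device or file, $2 = output image
    dd if="$1" of="$2" bs=4096 2>/dev/null
}

# Objectives 2 and 7: SHA-256 of an image, printed as the bare hex digest.
hash_image() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Objectives 3 and 6: append one tab-separated entry to the custody log.
# Columns mirror the form: Date/Time, Handler, Action, Location, Hash.
log_custody() {
    # $1 = log file, $2 = handler, $3 = action, $4 = location, $5 = hash
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$2" "$3" "$4" "$5" >> "$1"
}

# Objective 6: hand the image to the next custodian (here, another directory),
# preserving timestamps so the copy is an exact stand-in for the original.
transfer_evidence() {
    # $1 = image, $2 = destination path
    mkdir -p "$(dirname "$2")"
    cp -p "$1" "$2"
}

# Objective 7: recompute the digest and compare it with the one recorded at
# acquisition. Returns 0 when they match, 1 when the evidence has changed.
verify_integrity() {
    # $1 = image, $2 = expected digest
    [ "$(hash_image "$1")" = "$2" ]
}

# Number of custody entries, so a caller can confirm the trail is complete.
custody_entries() {
    wc -l < "$1" | tr -d ' '
}

# Run the whole chain inside a work directory. Prints the acquisition hash
# and returns non-zero if any integrity check fails.
run_lab() {
    workdir="$1"
    mkdir -p "$workdir"
    make_sample_device "$workdir/sda.raw"
    image_drive "$workdir/sda.raw" "$workdir/evidence.img"
    acq_hash=$(hash_image "$workdir/evidence.img")
    # The image must hash identically to the source it was taken from.
    [ "$acq_hash" = "$(hash_image "$workdir/sda.raw")" ] || return 1
    log_custody "$workdir/custody.log" "SOC-Analyst-001" \
        "Acquired image" "SOC Lab" "$acq_hash"
    transfer_evidence "$workdir/evidence.img" "$workdir/technician/evidence.img"
    # Re-hash after transfer; a mismatch means the copy is not the evidence.
    verify_integrity "$workdir/technician/evidence.img" "$acq_hash" || return 1
    log_custody "$workdir/custody.log" "Lab Technician" \
        "Received image" "Forensics Lab" "$acq_hash"
    echo "$acq_hash"
}

# Demo run in a scratch directory; prints the acquisition hash.
run_lab "$(mktemp -d)"
```

Each custody entry records the same acquisition hash, so any later handler can re-run verify_integrity against the log rather than against a value remembered by a person.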
Evidence Terminal

Digital Forensics Evidence Terminal
Case: IR-2024-0211-BREACH
Evidence Device: /dev/sda (500GB SSD)
Examiner: SOC-Analyst-001
Type 'help' for available commands

forensics@evidence:~$

Documentation System

Chain of Custody Form

Chain of Custody Log

Date/Time | Handler | Action | Location | Hash Verification
(no entries yet)

Evidence Handling Procedure Order

Drag and drop the steps below into the correct order, then click "Verify Order"

Evidence Bag Label

No evidence logged yet
