The important thing to remember when gathering evidence is that the more evidence the better - that is, the more evidence you gather to demonstrate your skills, the more confident an assessor can be that you have learned the skills not just at one point in time, but are continuing to apply and develop those skills (as opposed to just learning for the test!). Furthermore, one piece of evidence that you collect will not usually demonstrate all the required criteria for a unit of competency, whereas multiple overlapping pieces of evidence will usually do the trick!
From the Wiki University
What evidence can you provide to prove your understanding of each of the following criteria?
Confirm incident and prepare to acquire data
|
|
Confirm and gather initial information on reported incident according to organisational policies and procedures Completed |
Evidence:
|
Research and assess occurrence according to organisational forensic data extraction requirements Completed |
Evidence:
|
Research and identify all laws and legislation required for data extraction tasks Completed |
Evidence:
|
Discuss and confirm if acquisition is required with required personnel Completed |
Evidence:
|
Consult and gather key incident information from required personnel Completed |
Evidence:
|
Identify device and components pertaining to incident according to task requirements Completed |
Evidence:
|
Develop and document data extraction plan and information gathered according to organisational requirements Completed |
Evidence:
|
Submit documentation to required personnel and seek and respond to feedback Completed |
Evidence:
|
Contact and gather information from required personnel Completed |
Evidence:
|
Seize device pertaining to incident according to incident and legislation Completed |
Evidence:
|
Access and open device according to data extraction task requirements Completed |
Evidence:
|
Secure device’s networks, data logs, firewalls and hashing according to task requirements Completed |
Evidence:
|
Initiate data extraction according to task requirements and confirm that no data is tampered or deleted Completed |
Evidence:
|
Confirm completion of retrieval according to task requirements Completed |
Evidence:
|
Verify the hash according to task requirements Completed |
Evidence:
|
Document observations and findings and methodology Completed |
Evidence:
|
Analyse data and verify against incident scope, information, devices and evidence Completed |
Evidence:
|
Document findings and analysis and submit to required personnel Completed |
Evidence:
|
Discuss abnormalities and confirm further evidence, devices and information needed Completed |
Evidence:
|
Make additional extractions according to task and technical requirements Completed |
Evidence:
|
Analyse network conversations according to task requirements Completed |
Evidence:
|
Verify chain of custody according to hash according to task requirements Completed |
Evidence:
|
Update findings and methodology in documentation according to organisational needs Completed |
Evidence:
|
Finalise data acquisition
|
|
Prepare data extracts and documentation for submission according to organisational and legislative requirements Completed |
Evidence:
|
Submit data extracts and analysis according to organisational and legislative requirements Completed |
Evidence:
|
Retrieve sign off from required personnel and gather feedback according to organisational policies and procedures Completed |
Evidence:
|