forensics-checklist
Digital Forensics Evidence Collection -- NIST SP 800-86 / RFC 3227
Frameworks: NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response), RFC 3227 (Guidelines for Evidence Collection and Archiving)
Role: SOC Analyst, Security Engineer
Time: 30-60 min
Output: Evidence collection plan with volatility-ordered acquisition steps, chain-of-custody forms, integrity hashes, and cloud forensics considerations
1. When to Use
If a target is provided via arguments, focus the review on: $ARGUMENTS
Invoke this skill when any of the following conditions are met: