Screenshots are widely used in cybersecurity and digital forensics as preliminary evidence of incidents, for example captures of phishing pages, website defacements, and SIEM/IDS dashboards; however, because they are easy to manipulate by overlay, cropping, splicing, copy-move, and recompression, their evidentiary reliability is weak and investigation triage becomes harder. This study aims to design a standardized dataset protocol for cyber incident screenshots that strengthens digital evidence preservation and supports reproducible analysis workflows. The proposed protocol defines acquisition documentation, SHA-256 hashing, and chain-of-custody recording, alongside a structured folder hierarchy, evidence naming conventions, labeling schemes for binary and multi-class classification tasks, acquisition metadata, manipulation procedures documented in a tamper_recipe, and case_id-based data splitting so that manipulations derived from one source never land in a different partition from that source. As an implementation reference for triage modules, a lightweight analytical framework using gray-level co-occurrence matrix (GLCM) texture features and classical classifiers is specified to demonstrate practical integration, without positioning the work as a performance benchmark. The resulting outputs include a comprehensive, auditable protocol specification, standardized metadata and labeling templates, and a reproducible data management workflow tailored to cyber incident screenshots. The study concludes that formalizing acquisition, provenance, and splitting practices improves evidentiary integrity, reduces contamination risk across data partitions, and enhances the utility of screenshots for early-stage forensic triage while remaining compatible with resource-constrained operational settings.
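The three protocol elements the abstract names, SHA-256 hashing at acquisition, chain-of-custody recording, and case_id-grouped splitting that keeps a tampered derivative in the same partition as its source, can be shown together on a small manifest. The block below is an added example written for this page, not code from the paper; the field names case_id and tamper_recipe follow the abstract, while the record layout, the label names, the handler and action strings, and the byte contents of the sample records are assumptions constructed for the example.

```python
"""Added example (not the paper's code): SHA-256 evidence hashing,
chain-of-custody entries, and case_id-grouped train/test splitting
for a cyber incident screenshot dataset."""
import hashlib
import json
import random
from datetime import datetime, timezone

# Constructed sample manifest standing in for a real dataset. Every tampered
# derivative carries the case_id of the original it was produced from, and
# tamper_recipe records how it was produced. The record layout, label names
# and byte contents are assumptions made for this example.
SAMPLE_RECORDS = [
    {"evidence_id": "C001_orig", "case_id": "C001", "label": "original",
     "tamper_recipe": None, "content": b"png-bytes-phishing-page-C001"},
    {"evidence_id": "C001_overlay", "case_id": "C001", "label": "overlay",
     "tamper_recipe": {"op": "overlay", "region": [10, 10, 200, 40]},
     "content": b"png-bytes-phishing-page-C001-overlay"},
    {"evidence_id": "C002_orig", "case_id": "C002", "label": "original",
     "tamper_recipe": None, "content": b"png-bytes-defacement-C002"},
    {"evidence_id": "C002_crop", "case_id": "C002", "label": "crop",
     "tamper_recipe": {"op": "crop", "box": [0, 0, 800, 600]},
     "content": b"png-bytes-defacement-C002-crop"},
    {"evidence_id": "C003_orig", "case_id": "C003", "label": "original",
     "tamper_recipe": None, "content": b"png-bytes-siem-dashboard-C003"},
    {"evidence_id": "C004_orig", "case_id": "C004", "label": "original",
     "tamper_recipe": None, "content": b"png-bytes-ids-alert-C004"},
    {"evidence_id": "C004_recompress", "case_id": "C004", "label": "recompression",
     "tamper_recipe": {"op": "jpeg_recompress", "quality": 60},
     "content": b"png-bytes-ids-alert-C004-q60"},
]


def sha256_hex(data: bytes) -> str:
    """Content hash taken at acquisition and re-checked at every hand-off."""
    return hashlib.sha256(data).hexdigest()


def custody_entry(record: dict, handler: str, action: str) -> dict:
    """One append-only chain-of-custody line for an evidence item."""
    return {
        "evidence_id": record["evidence_id"],
        "case_id": record["case_id"],
        "sha256": sha256_hex(record["content"]),
        "handler": handler,
        "action": action,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def verify_against_custody(record: dict, entry: dict) -> bool:
    """Re-hash the bytes now in hand and compare with the recorded hash."""
    return sha256_hex(record["content"]) == entry["sha256"]


def binary_label(record: dict) -> str:
    """Collapse the multi-class label into the binary original/tampered task."""
    return "original" if record["tamper_recipe"] is None else "tampered"


def split_by_case(records, train_frac=0.75, seed=0):
    """Group-aware split: all records sharing a case_id go to one partition,
    so a tampered derivative can never sit opposite its own original."""
    case_ids = sorted({r["case_id"] for r in records})
    random.Random(seed).shuffle(case_ids)
    n_train = max(1, int(len(case_ids) * train_frac))
    train_cases = set(case_ids[:n_train])
    train = [r for r in records if r["case_id"] in train_cases]
    test = [r for r in records if r["case_id"] not in train_cases]
    return train, test


def leaks(train, test) -> set:
    """case_ids present on both sides; an empty set means no leakage."""
    return {r["case_id"] for r in train} & {r["case_id"] for r in test}


if __name__ == "__main__":
    log = [custody_entry(r, "analyst-1", "acquired") for r in SAMPLE_RECORDS]
    print(json.dumps(log[0], indent=2))
    train, test = split_by_case(SAMPLE_RECORDS)
    print("train cases:", sorted({r["case_id"] for r in train}))
    print("test cases: ", sorted({r["case_id"] for r in test}))
    print("leaked case_ids:", leaks(train, test) or "none")
```

A per-record random split would, on this manifest, routinely place C001_overlay in test while C001_orig stays in train, letting a classifier score on near-duplicate content; splitting on case_id is what removes that contamination. The custody entry stores the hash rather than the bytes, so a later verify_against_custody call detects any change to the file between hand-offs.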
Copyright © 2026