Computer forensics does not refer to hardware or

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: chnology, and engineering with law. When discussing computer forensics with others, you might hear the terms digital forensics, network forensics, electronic data discovery, cyber forensics, and forensic computing. (ISC)2 uses computer forensics as a synonym for all of these other terms, so that’s what you’ll see on the CISSP exam. Computer forensics encompasses all domains in which evidence is in a digital or electronic form, either in storage or on the wire. At one time computer forensics was differentiated from network and code analysis, but now this entire area is referred to as digital evidence. As a forensics discipline, computer forensics is the new kid on the block. This, paired with its complexity, may be the reason why many companies lack skills in this area. Computer forensics does not refer to hardware or software. It is a set of specific processes relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data, and computer usage that must be followed in order for evidence to be admissible in a court of law. This is not something the ordinary network administrator should be carrying out. ch10.indd 887 12/4/2009 11:39:11 AM All-in-1 / CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8 CISSP All-in-One Exam Guide 888 The people conducting the forensics investigation must be properly skilled in this trade and know what to look for. If someone reboots the attacked system or inspects various files, this could corrupt viable evidence, change timestamps on key files, and erase footprints the criminal may have left. Most digital evidence has a short lifespan and must be collected quickly in order of volatility. In other words, the most volatile or fragile evidence should be collected first. In most situations, it is best to remove the system from the network, dump the contents of the memory, power down the system, and make a sound image of the attacked system and perform forensic ana...
View Full Document

This note was uploaded on 06/01/2013 for the course NET 125 taught by Professor Hurst during the Fall '12 term at Wake Tech.

Ask a homework question - tutors are online