Make certain your actions are repeatable prioritize


le to explain these findings in layman’s terms using metaphors and analogies. Of course the findings, which are top secret or company confidential, should only be disclosed to authorized parties. This may include the legal department or any outside counsel that assisted with the investigation.

The Australian Computer Emergency Response Team’s General Guidelines for Computer Forensics

• Keep the handling and corruption of original data to a minimum.
• Document all actions and explain changes.
• Follow the Five Rules for Evidence (Admissible, Authentic, Complete, Accurate, Convincing).
• Bring in more experienced help when handling and/or analyzing the evidence is beyond your knowledge, skills, or abilities.
• Adhere to your organization’s security policy and obtain written permission to conduct a forensics investigation.
• Capture as accurate an image of the system(s) as possible while working quickly.
• Be ready to testify in a court of law.
• Make certain your actions are repeatable.
• Prioritize your actions, beginning with volatile and proceeding to persistent evidence.
• Do not run any programs on the system(s) that are potential evidence.
• Act ethically and in good faith while conducting a forensics investigation, and do not attempt to do any harm.

All-in-1 / CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8

What Is Admissible in Court?

He is guilty because I don’t like him.
Response: Um, I need more than that.

Computer logs are important in many aspects of the IT world. They are generally used to troubleshoot an issue or to try to understand the events that took place at a specific moment in time. When computer logs are to be used as evidence in court, they must be collected in the regular course of business. Most of the time, computer-related documents are considered hearsay, meaning the evidence is secondhand evidence. Hearsay evidence is not normally admissible in court unless it has firsthand e...
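One way to make the "document all actions" and "repeatable" guidelines above concrete, as an added example that is not from the book: an examiner log that records the SHA-256 of the evidence image at every step and chains each entry to the previous one. The class and function names, the examiner label, the timestamps and the temp file standing in for a disk image are all assumptions constructed for illustration.

```python
import hashlib, json, os, tempfile

GENESIS = "0" * 64  # 'prev' value for the first log entry

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ActionLog:
    """Examiner log: each entry commits to the evidence hash and the prior entry."""
    def __init__(self):
        self.entries = []

    def record(self, examiner, action, evidence_path, when):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"when": when, "examiner": examiner, "action": action,
                "evidence_sha256": sha256_file(evidence_path), "prev": prev}
        self.entries.append({**body, "entry_hash": _digest(body)})

    def verify(self):
        """Return the index of the first altered entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or _digest(body) != e["entry_hash"]:
                return i
            prev = e["entry_hash"]
        return -1

    def evidence_unchanged(self):  # True if every step saw the same evidence hash
        return len({e["evidence_sha256"] for e in self.entries}) == 1

def demo():
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "image.dd")
        with open(image, "wb") as f:
            f.write(b"constructed sample evidence bytes")  # stand-in disk image
        log = ActionLog()
        log.record("examiner1", "acquired image", image, "2024-01-01T10:00:00Z")
        log.record("examiner1", "keyword search on copy", image, "2024-01-01T10:30:00Z")
        before = (log.evidence_unchanged(), log.verify())
        log.entries[0]["action"] = "rewritten after the fact"  # simulated tampering
        return before, log.verify()
```

A second examiner who repeats the same steps on the same image should obtain the same evidence hash at every entry; a differing hash or a broken chain shows where the handling or the record diverged.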

This note was uploaded on 06/01/2013 for the course NET 125 taught by Professor Hurst during the Fall '12 term at Wake Tech.
