s at the analysis stage where computer forensics comes into play. Management must decide if law enforcement should be brought in to carry out the investigation, if evidence should be collected for the purposes of prosecution, or if the hole should just be patched. Most companies do not have a forensics team on staff to carry out these tasks. In such situations, if a suspected crime has occurred and management does not want law enforcement involved but does want a forensics investigation carried out, external forensics experts need to be called in.

We’ll go over computer forensics in detail in the next section. For now, it’s important to know that an investigation must adhere to company policy as well as applicable laws and regulations.
NOTE Be careful not to confuse incident response with computer forensics. Although they are both investigative in nature, the terms are not synonymous. Computer forensics has a higher standard of proof than incident response because the assumption is that the evidence must be admissible in a court of law and is handled accordingly.
ch10.indd 884 12/4/2009 11:39:10 AM All-in-1 / CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8 Chapter 10: Legal, Regulations, Compliance, and Investigations 885

The next stage is containment. In the medical world, if you were found to have tuberculosis, you would be put in an isolation room because no one wants to catch your cooties. In the containment phase, the damage must be mitigated. In the computer world, this could mean that an infected server is taken off the network, firewall configurations are changed to stop an attacker, or the system that is under attack is disconnected from the Internet.
A proper containment strategy buys the incident response team time for a proper investigation and determination of the incident’s root cause. The containment strategy should be based on the category of the attack (that is, whether it was internal or external), the assets affected by the incident, and the...