CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8, page 896
When copies of data need to be made, this process must meet certain standards to
ensure quality and reliability. Specialized software for this purpose can be used. The
copies must be able to be independently verified and must be tamperproof.
Each piece of evidence should be marked in some way with the date, time, initials
of the collector, and a case number if one has been assigned. Magnetic disk surfaces
should not be marked on. The piece of evidence should then be sealed in a container,
which should be marked with the same information. The container should be sealed
with evidence tape, and if possible the writing should be on the tape so a broken seal
can be detected.
NOTE The chain of custody of evidence dictates that all evidence be labeled
with information indicating who secured and validated it.
Wires and cables should be labeled, and a photograph of the labeled system should
be taken before it is actually disassembled. Media should be write-protected. Storage
should be dust free and kept at room temperature without much humidity, and, of
course, the media should not be stored close to any strong magnets or magnetic fields.
If possible, the crime scene should be photographed, including behind the computer
if the crime involved some type of physical break-in. Documents, papers, and
devices should be handled with cloth gloves and placed into containers and sealed. All
storage media should be contained, even if it has been erased, because data still may be
Because this type of evidence can be easily erased or destroyed and is complex in
nature, identification, recording, collection, preservation, transportation, and
interpretation are all important. After everything is properly labeled, a chain of custody log should
be made of each container and an overall log should be made capturing all events.
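
One way to make a copy independently verifiable and a chain of custody log tamper-evident, as an added example that is not from the book: hash the original and the copy with SHA-256, and link each log entry to the hash of the entry before it. The use of SHA-256, the electronic log format, the field names and the sample values are assumptions for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first entry in a log

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def copy_matches(original_path, copy_path):
    """True only if the copy is bit-for-bit identical to the original."""
    return sha256_file(original_path) == sha256_file(copy_path)

def _entry_hash(entry):
    # Hash every field except the stored hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, case_number, item, collector, timestamp, action, item_sha256):
    """Append a custody event that commits to the previous entry's hash."""
    entry = {
        "case_number": case_number, "item": item, "collector": collector,
        "timestamp": timestamp, "action": action, "item_sha256": item_sha256,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry

def first_bad_entry(log):
    """Return the index of the first altered or out-of-order entry, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["entry_hash"] != _entry_hash(entry):
            return i
        prev = entry["entry_hash"]
    return None

if __name__ == "__main__":
    # Constructed sample data: a made-up case number, initials and image digest.
    digest = hashlib.sha256(b"constructed sample image").hexdigest()
    log = []
    append_entry(log, "CASE-0001", "disk image", "AB", "2024-01-01T10:00:00Z", "collected", digest)
    append_entry(log, "CASE-0001", "disk image", "CD", "2024-01-01T14:30:00Z", "received", digest)
    log[0]["collector"] = "ZZ"  # simulated after-the-fact edit
    print("first altered entry:", first_bad_entry(log))
```

A chain like this exposes edits only if the latest `entry_hash` is also recorded somewhere the log's keeper cannot change, for example written on the sealed container's label.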
For a crime to be successfully prosecuted, solid evidence is required. Computer forensics is the art of retrieving this evidence and preserving it...