in the proper ways to make
it admissible in court. Without proper computer forensics, hardly any computer crimes
could ever be properly and successfully presented in court.
The most common reasons for improper evidence collection are no established
incident response team, no established incident response procedures, poorly written
policy, and a broken chain of custody.
NOTE A chain of custody is a history that shows how evidence was
collected, analyzed, transported, and preserved in order to be presented in
court. Because electronic evidence can be easily modified, a clearly defined
chain of custody demonstrates that the evidence is trustworthy.
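The NOTE describes the chain of custody as a record that proves the evidence was not altered between collection and court. In practice that proof rests on cryptographic hashing: the image is hashed at acquisition, and every later custodian re-hashes it and logs the result, so any modification shows up as a mismatch against the acquisition hash. The following is an added example written for this page, not code from the book or from any forensic product; the evidence bytes, evidence IDs, examiner names and ISO-8601 timestamps are all constructed for illustration.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class CustodyEntry:
    """One step in the chain: who held the evidence, what they did with it,
    and what the evidence hashed to when they did it."""
    timestamp: str   # ISO-8601 UTC string (constructed), so lexical order is time order
    actor: str
    action: str      # "acquired", "stored", "transported", "analyzed", ...
    sha256: str


@dataclass
class EvidenceRecord:
    evidence_id: str
    description: str
    acquisition_hash: str                      # hash taken at seizure/imaging
    entries: list[CustodyEntry] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(evidence_id: str, description: str, image: bytes,
            examiner: str, when: str) -> EvidenceRecord:
    """Open a chain of custody: hash the image at acquisition and record
    that hash as the reference every later step must reproduce."""
    h = sha256_hex(image)
    rec = EvidenceRecord(evidence_id, description, h)
    rec.entries.append(CustodyEntry(when, examiner, "acquired", h))
    return rec


def log_handoff(rec: EvidenceRecord, actor: str, action: str,
                image: bytes, when: str) -> bool:
    """Record a custody step. The evidence is re-hashed as presented at this
    step, never copied from the previous entry, so a modification between
    steps becomes a mismatch. Returns True if the hash still matches the
    acquisition hash."""
    h = sha256_hex(image)
    rec.entries.append(CustodyEntry(when, actor, action, h))
    return h == rec.acquisition_hash


def verify_chain(rec: EvidenceRecord) -> tuple[bool, list[str]]:
    """Audit the whole chain: it must begin with an acquisition entry, every
    recorded hash must equal the acquisition hash, and timestamps must not
    run backwards. Returns (ok, list of problems found)."""
    problems: list[str] = []
    if not rec.entries or rec.entries[0].action != "acquired":
        problems.append("chain does not begin with an acquisition entry")
    prev = None
    for i, e in enumerate(rec.entries):
        if e.sha256 != rec.acquisition_hash:
            problems.append(f"entry {i} ({e.actor}, {e.action}): hash mismatch")
        if prev is not None and e.timestamp < prev:
            problems.append(f"entry {i} ({e.actor}, {e.action}): timestamp precedes previous entry")
        prev = e.timestamp
    return (not problems, problems)


def demo() -> tuple[bool, bool, list[str]]:
    """Walk a constructed evidence item through a clean chain, then through a
    tampered hand-off, and return both verification outcomes."""
    image = b"constructed sample disk image -- not a real acquisition"
    rec = acquire("EV-0001", "USB flash drive seized from workstation",
                  image, "examiner A", "2013-05-01T09:00:00Z")
    log_handoff(rec, "evidence custodian", "stored", image, "2013-05-01T10:30:00Z")
    log_handoff(rec, "examiner B", "analyzed", image, "2013-05-02T08:00:00Z")
    clean_ok, _ = verify_chain(rec)

    # A single appended byte is enough to break the chain.
    tampered = image + b"\x00"
    log_handoff(rec, "examiner C", "analyzed", tampered, "2013-05-03T08:00:00Z")
    tampered_ok, problems = verify_chain(rec)
    return clean_ok, tampered_ok, problems


if __name__ == "__main__":
    ok_before, ok_after, issues = demo()
    print("clean chain verifies:", ok_before)
    print("after tampering verifies:", ok_after)
    for p in issues:
        print(" -", p)
```

The design point is that each custodian hashes what is actually in their hands rather than copying the previous entry's value; a hash that is merely forwarded proves nothing. A hardware write-blocker prevents accidental modification during imaging, but only the recorded hashes let a court see that nothing changed afterwards.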
The next step is the analysis of the evidence. Forensic investigators use a scientific
method that involves
• Determining the characteristics of the evidence, such as whether it's admissible as primary or secondary evidence as well as its source, reliability, and permanence
• Comparing evidence from different sources to determine a chronology of
• Event reconstruction, including the recovery of deleted files and other activity on the system
All-in-1 / CISSP All-in-One Exam Guide, 5th Ed. / Harris / Chapter 10: Legal, Regulations, Compliance, and Investigations
This can take place in a controlled lab environment or, thanks to hardware write-blockers and forensic software, in the field. When investigators analyze evidence in a lab, they are dealing with dead forensics; that is, they are working only with static data. Live forensics, which takes place in the field, also includes volatile data (such as memory contents, running processes, and open network connections) that is lost once the system is powered down. If evidence is lacking, then an experienced investigator should be called in to help complete the
Finally, the interpretation of the analysis should be presented to the appropriate
party. This could be a judge, lawyer, CEO, or board of directors. Therefore, it is important to present the findings in a format that will be understood by a nontechnical audience. As a CISSP, you should be ab...
This note was uploaded on 06/01/2013 for the course NET 125 taught by Professor Hurst during the Fall '12 term at Wake Tech.