All-in-1 / CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8
Chapter 10: Legal, Regulations, Compliance, and Investigations

...in the proper ways to make it admissible in court. Without proper computer forensics, hardly any computer crimes could ever be properly and successfully presented in court. The most common reasons for improper evidence collection are no established incident response team, no established incident response procedures, poorly written policy, and a broken chain of custody.

NOTE: A chain of custody is a history that shows how evidence was collected, analyzed, transported, and preserved in order to be presented in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy.

The next step is the analysis of the evidence. Forensic investigators use a scientific method that involves

• Determining the characteristics of the evidence, such as whether it's admissible as primary or secondary evidence as well as its source, reliability, and permanence
• Comparing evidence from different sources to determine a chronology of events
• Event reconstruction, including the recovery of deleted files and other activity on the system

This can take place in a controlled lab environment or, thanks to hardware write blockers and forensic software, in the field. When investigators analyze evidence in a lab, they are dealing with dead forensics; that is, they are working only with static data. Live forensics, which takes place in the field, includes volatile data. If evidence is lacking, then an experienced investigator should be called in to help complete the picture.

Finally, the interpretation of the analysis should be presented to the appropriate party. This could be a judge, lawyer, CEO, or board of directors. Therefore, it is important to present the findings in a format that will be understood by a nontechnical audience. As a CISSP, you should be ab...
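
The note above says a chain of custody shows that easily modified electronic evidence is still trustworthy. The following is an added example, not taken from the book: a custody log in which each record stores the SHA-256 digest of the evidence and the hash of the previous record, so an edited record, a removed record, or changed evidence is detected. The hashing scheme, the function names, the custodian names, and the sample data are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" value used by the first record

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def add_entry(log, evidence, custodian, action, when):
    """Append a record committing to the evidence digest and the prior record."""
    rec = {"when": when, "custodian": custodian, "action": action,
           "evidence_sha256": digest(evidence),
           "prev": log[-1]["entry_hash"] if log else GENESIS}
    rec["entry_hash"] = digest(json.dumps(rec, sort_keys=True).encode())
    log.append(rec)

def verify(log, evidence):
    """Return a list of problems; an empty list means the history is intact."""
    problems, prev = [], GENESIS
    baseline = log[0]["evidence_sha256"] if log else None
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "entry_hash"}
        if digest(json.dumps(body, sort_keys=True).encode()) != rec["entry_hash"]:
            problems.append(f"entry {i}: record altered")
        if rec["prev"] != prev:
            problems.append(f"entry {i}: broken link to previous record")
        if rec["evidence_sha256"] != baseline:
            problems.append(f"entry {i}: evidence digest differs from collection")
        # Assumes ISO 8601 UTC timestamps, which sort correctly as strings.
        if i and rec["when"] < log[i - 1]["when"]:
            problems.append(f"entry {i}: timestamp out of order")
        prev = rec["entry_hash"]
    if log and digest(evidence) != baseline:
        problems.append("evidence in hand does not match collected digest")
    return problems

def demo():
    image = b"constructed stand-in for a disk image"  # constructed sample data
    log = []
    add_entry(log, image, "Collector A", "collected", "2024-01-05T09:00:00Z")
    add_entry(log, image, "Courier B", "transported", "2024-01-05T11:30:00Z")
    add_entry(log, image, "Examiner C", "analyzed", "2024-01-06T08:15:00Z")
    clean = verify(log, image)
    modified = verify(log, image + b"!")   # evidence changed after collection
    log[1]["custodian"] = "Someone Else"   # record edited after the fact
    tampered = verify(log, image)
    return clean, modified, tampered
```

A hash chain only makes edits detectable to someone who holds a trusted copy of the latest `entry_hash`; whoever controls the whole log could rebuild it, so that value has to be signed or kept somewhere the custodians cannot rewrite.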
This note was uploaded on 06/01/2013 for the course NET 125 taught by Professor Hurst during the Fall '12 term at Wake Tech.