Security+ Guide to Network Security Fundamentals

This preview shows page 9 - 11 out of 12 pages.

2. Note that after the response team arrives, the first job is to secure the crime scene a. The physical surroundings of the computer should be clearly documented. b. Photographs of the area should be taken before anything is touched. c. The computer should be photographed from several angles. d. Cables connected to the computer should be labeled. e. The team should take custody of the entire computer along with the keyboard and any peripherals. In addition, USB flash drives and any other media must be secured. f. The team must also interview witnesses and everyone who had access to the system and document their findings, including what they were doing with the system, what its intended functions were, and how it is affected by the unauthorized actions. g. The length of time that has passed from the initial incident should be noted. 3. Emphasize that only properly trained computer evidence specialists should process computer evidence so that the integrity of the evidence is maintained and can hold up in a court of law. 4. Describe some of the recommendations for preserving the evidence, including: a. Team should first capture any volatile data. b. The team should next focus on the hard drive. c. Mirror image backups replicate all sectors of a computer hard drive, including all files and any hidden data storage areas. 5. Define the chain of custody as documents that the evidence was under strict control at all times and no unauthorized person was given the opportunity to corrupt the evidence. 6. Explain that after a computer forensics expert creates a mirror image of a system, the original system is secured, and the mirror image is examined to reveal evidence. This includes searching word processing documents, e-mail files, spreadsheets, and other documents for evidence. 7. Mention that hidden clues can also be mined and exposed, including the Windows page file. Another source of hidden data is called slack. 8. Explain that RAM slack can contain any information that has been created, viewed, modified, downloaded, or copied since the computer was last booted. Use Figure 13-10 to illustrate your explanation. 9. Explain that drive file slack (sometimes called drive slack) contains remnants of previously deleted files or data from the format pattern associated with disk storage space that has yet to be used by the computer. Use Figure 13-11 to illustrate your explanation. 10. Mention that an additional source of hidden clues can be gleaned from metadata, or data about data.
Image of page 9

Subscribe to view the full document.

Security+ Guide to Network Security Fundamentals, Fourth Edition 13-10 Quick Quiz 2 1. A(n) ____ is information copied to a different medium and stored at an offsite location so that it can be used in the event of a disaster. Answer: data backup 2. ____, also known as forensic science, is the application of science to questions that are of interest to the legal profession.
Image of page 10
Image of page 11
You've reached the end of this preview.
  • '
  • NoProfessor
  • Hard disk drive, Network Security Fundamentals, Security+ Guide

{[ snackBarMessage ]}

What students are saying

  • Left Quote Icon

    As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

    Student Picture

    Kiran Temple University Fox School of Business ‘17, Course Hero Intern

  • Left Quote Icon

    I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

    Student Picture

    Dana University of Pennsylvania ‘17, Course Hero Intern

  • Left Quote Icon

    The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

    Student Picture

    Jill Tulane University ‘16, Course Hero Intern