5.6  Computer Forensics
(Page 2 of 2)

Forensic Examination Tips

Elements to keep in mind when performing a forensic examination include the following:

  • Ensure that no possible evidence is destroyed, tampered with, damaged or compromised in any way by the procedures used during the investigation.

  • Ensure that all possibly relevant evidence is properly handled and protected from electromagnetic or mechanical damage.

  • Ensure that interruption to the normal process of business is as minimal as possible.

  • Ensure that information acquired with respect to a client-attorney relationship is not divulged.

  • Take care not to violate provisions of law, such as the Electronic Communications Privacy Act.

  • Contact senior management.

  • Ensure that a continuing chain of custody is established and maintained.

The chain of custody is discussed under the next heading.

At the first sign of an issue:

  • Begin a journal with accurate notes, including dates and times.

  • Contact management.

Take pictures including:

  • Scene

  • Computer Screen

Local laws may require Polaroid photographs as valid evidence.

Further Study

“Macro” level coverage of this field is in “Computer Forensics – Computer Crime Scene Investigation” [451], by Vacca.

More technical is Computer Forensics [452] by Kruse and Heiser, providing an introduction to forensics on Windows and UNIX.

Various aspects of computer/network surveillance, initial response and evidence location on Cisco routers, Windows and UNIX are covered in Incident Response [453] by Mandia and Prosise, a great book with sheriff’s badge tips on how to make the best case, etc.

Sometimes computer forensics involves getting down to nearly the lowest possible levels of hardware. For details about disk drive hardware and formats of interest to those performing a forensic analysis of a disk drive’s contents, see Forensic Computing – A Practitioner’s Guide [454] by Sammes and Jenkinson. This book also includes a small amount of coverage on forensics applied to handhelds.

Want to get an idea of how you’d do in a real incident response situation? If you want to try your hand at investigating/solving some incident scenarios before one happens on YOUR network, check out the innovative Hacker’s Challenge: Test Your Incident Response Skills Using 20 Scenarios [455], by Mike Schiffman, which features descriptions of events observed, some log and other investigative info and then challenges the reader via questions as to what’s going on and how they know.

Firewall Forensics

Both system administrators and home users wrestling with personal firewalls will find a wealth of information at...

Covering both *nix and Windows systems.


451. Vacca, John R., Computer Forensics: Computer Crime Scene Investigation, Charles River Media, June 2002.

452. Kruse, Warren G. and Jay G. Heiser, Computer Forensics, Addison-Wesley, September 2001.

453. Mandia, Kevin and Chris Prosise, Incident Response: Investigating Computer Crime, Osborne, July 2001.

454. Sammes, Tony and Brian Jenkinson, Forensic Computing: A Practitioner’s Guide, Springer-Verlag, October 2000.

455. Schiffman, Mike, Hacker’s Challenge: Test Your Incident Response Skills Using 20 Scenarios, Osborne, October 2001.

CertiGuide for Security+ ( on
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.