5.6 Computer Forensics
(Page 2 of 2)
Forensic Examination Tips
Elements to keep in mind when performing a forensic examination include the following:
- Ensure that no possible evidence is destroyed, tampered with, damaged or compromised in any way by the procedures during
- Ensure that all possibly relevant evidence is properly handled and protected from electromagnetic or mechanical damage.
- Ensure that interruption to the normal process of business is kept as minimal as possible.
- Ensure that information acquired with respect to a client-attorney relationship is not divulged.
- Take care not to violate provisions of law, e.g. the Electronic Communications Privacy Act.
- Contact senior management.
- A continuing chain of custody is established.
The chain of custody will be discussed under the next heading.
At the first sign of an issue:
- Begin a journal with accurate notes, including dates and times.
- Contact management.
- Take pictures, including:
Local laws may require Polaroid as
Macro-level coverage of this field is in Computer Forensics: Computer Crime Scene Investigation [451], by Vacca.
More technical is Computer Forensics [452] by Kruse and Heiser, providing an introduction to forensics on Windows and UNIX.
Various aspects of computer/network surveillance, initial response and evidence location on Cisco routers, Windows and UNIX are covered in Incident Response [453] by Mandia and Prosise, a great book with sheriff's-badge tips on how to make the best case, etc.
Sometimes computer forensics involves getting down to nearly the lowest possible levels of hardware. For details about disk drive hardware and the formats of interest to those performing a forensic analysis of a disk drive's contents, see Forensic Computing: A Practitioner's Guide [454] by Sammes and Jenkinson. This book also includes a small amount of coverage of forensics applied to handhelds.
Want to get an idea of how you'd do in a real incident response situation? If you want to try your hand at investigating/solving some incident scenarios before one happens on YOUR network, check out the innovative Hacker's Challenge: Test Your Incident Response Skills Using 20 Scenarios [455], by Mike Schiffman, which features descriptions of events observed, some log and other investigative information, and then challenges the reader via questions as to what's going on and how they know.
451. Vacca, John R., Computer Forensics: Computer Crime Scene Investigation, Charles River Media, June 2002, http://www.nerdbooks.com/item.html?id=1584500182
452. Kruse, Warren G. and Jay G. Heiser, Computer Forensics, Addison-Wesley, September 2001, http://www.nerdbooks.com/item.html?id=0201707195
453. Mandia, Kevin and Chris Prosise, Incident Response: Investigating Computer Crime, Osborne, July 2001, http://www.nerdbooks.com/item.html?id=0072131829
454. Sammes, Tony and Brian Jenkinson, Forensic Computing: A Practitioner's Guide, Springer-Verlag, October 2000, http://www.nerdbooks.com/item.html?id=1852332999
455. Schiffman, Mike, Hacker's Challenge: Test Your Incident Response Skills Using 20 Scenarios, Osborne, October 2001, http://www.nerdbooks.com/item.html?id=0072193840
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.