When an unauthorized incident occurs against your network, such as an attacker breaking through your network's defenses, an appropriate response is required. The response to the intrusion includes using forensic science to properly respond to the event. Forensic science, or forensics, is the application of science to problems that are of interest to the legal profession and deals mainly with the recovery and analysis of evidence. Computer forensics attempts to retrieve information that can be used in pursuit of the attacker or criminal.

Computer forensics is also called digital forensics because it uses techniques to identify, collect, examine and preserve information or evidence that is magnetically stored or encoded.

When your team responds to a criminal event that requires an examination using computer forensics, there are generally four basic steps that are followed.

1. Secure the crime scene
2. Collect and preserve evidence
3. Establish a chain of custody
4. Examine evidence

The first step in reacting to a computer forensics incident is for the first responders to secure the crime scene. The response team should document the physical surroundings of the computer or electronic device that is suspected of containing digital evidence. This includes photographing the area from different angles before anything is touched and labeling the cables connected to the computer.

Additionally, the team should interview anyone who had access to the computer and take custody of the entire computer along with the keyboard, external memory devices, and peripherals.

Since digital evidence is easily altered or destroyed, only properly trained computer evidence specialists should process computer evidence, in order to ensure that integrity is maintained and the data obtained can withstand scrutiny in a court of law.

The computer forensics team should capture any data that may be lost when the computer is turned off, including:

- RAM contents
- Current network connections
- Logon sessions
- Network configurations
- Open files

After the volatile data is preserved, the team should create a mirror image backup of the hard drive. A mirror image backup, or bit-stream backup, is an evidence-grade backup that is admissible in court and must be done in a controlled manner by a trained professional.

Establishing the chain of custody documents who had access to the evidence and when. Serial numbers should be recorded and the evidence should be kept under strict control at all times.

Finally, after the mirror image is created and the original system is secured, the mirror image is examined to reveal evidence.

All data should be investigated for clues, including:

- Word processing documents
- Spreadsheets
- Emails
- Caches
- Cookies
- Metadata
- Database entries

Additional sources of hidden clues may come from RAM slack or drive slack. When Windows computers use memory to process data, information that has been created, viewed, modified, downloaded, or copied may still be available there.
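The bit-stream imaging and chain-of-custody steps described above, as an added Python example that is not part of the original text: a small constructed file stands in for the seized drive, the image is verified by hash before it is accepted as evidence, and each handling step is appended to a custody log (the serial number is a hypothetical placeholder).

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB blocks, so a multi-GB drive streams without filling RAM


def sha256_of(path: Path) -> str:
    """Hash a file in chunks; run on both the source drive and the image."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def bit_stream_image(source: Path, image: Path) -> str:
    """Copy every byte of source to image, then hash both; an unverified image is not evidence."""
    with source.open("rb") as src, image.open("wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    src_hash, img_hash = sha256_of(source), sha256_of(image)
    if src_hash != img_hash:
        raise RuntimeError("image hash differs from source; acquisition failed")
    return img_hash


def custody_entry(log: Path, serial: str, handler: str, action: str, digest: str) -> dict:
    """Append one chain-of-custody record: who handled which item, when, and the hash it must keep."""
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(), "serial": serial,
             "handler": handler, "action": action, "sha256": digest}
    with log.open("a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_custody(log: Path, image: Path) -> bool:
    """Examiner's check before analysis: the image still hashes to the recorded value."""
    last = json.loads(log.read_text().splitlines()[-1])
    return sha256_of(image) == last["sha256"]


def run_demo() -> dict:
    """Constructed sample: a small 'drive' file stands in for the seized disk."""
    work = Path(tempfile.mkdtemp())
    drive, image, log = work / "drive.bin", work / "drive.dd", work / "custody.jsonl"
    drive.write_bytes(b"MBR\x00" * 512 + b"confidential memo\n" + b"\x00" * 4096)
    digest = bit_stream_image(drive, image)
    custody_entry(log, "SN-HYPOTHETICAL-001", "first responder", "imaged", digest)
    intact = verify_custody(log, image)
    image.write_bytes(image.read_bytes() + b"x")  # simulate tampering with the image
    return {"digest": digest, "intact": intact, "after_tamper": verify_custody(log, image)}
```

Running `run_demo()` shows the image verifying against the custody record at acquisition and failing verification once a single byte is changed.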