Security+ All-In-One Edition
Chapter 20 – Forensics
Brian E. Brzezicki

Forensics

Forensics – What is it? Main concerns:
- Investigating and analyzing computer systems used in violation of laws
- Investigating computer systems for compliance with company policies
- Investigating computer systems that have been attacked (part of incident response)

Forensics and Laws

Forensics deals with legal concerns more than most other IT-related duties. Evidence must be collected if you want to take legal action. Computers and networks are troublesome as sources of evidence because the evidence is hard to “sense” and hard to prove. In fact, it is generally considered “hearsay” evidence.

Random Thought

Unlike many other areas of security, which can mix and match, forensics should always be done by a dedicated forensics person. Forensics is a structured PROCESS for data and evidence collection and should always be done by someone who specifically focuses on these processes and procedures.

Standards for Evidence

For evidence to be considered credible it generally must be:
- Sufficient – convincing on its own
- Competent – legally allowed and “reliable”
- Relevant – must be material to the case and have bearing on the matter in question

Types of Evidence

Some evidence is “stronger” than other evidence. There are a few types of evidence:
- Direct Evidence – supports the truth of an assertion; for example, a witness who testifies that they were present and saw a hacker break into something.
- Circumstantial Evidence – indirectly proves a fact; may back up another fact that is used to prove something.
- Real Evidence – tangible evidence that proves or disproves a fact (e.g. fingerprints).
- Documentary Evidence – printouts, manuals, records, etc. Most computer evidence is of this type.
- Demonstrative Evidence – a model or display used to aid the jury in understanding that an event occurred.

3 rules of evidence
- Best Evidence rule – courts prefer the original evidence rather than copies.
- Exclusionary rule –