/ FEATURE
of contingency planning) provides a ready source of supplementary skills and additional resources for large or complex investigations, and greater independence for more sensitive internal jobs.
• It helps to get ready to visit a crime scene or evidence collection site before you are actually called there. If you have the luxury of advance warning, you should be able to prepare for a specific location and situation. Simple things such as booking transportation and finding somewhere to stay can be done while waiting for the callout.
• Make sure that you will recognize any source of evidence by familiarizing yourself with the types of technology likely to be involved. That does not just mean devices belonging to the organization, as employees may well be using personal equipment (such as mobile phones, USB thumbdrives, and personal digital assistants (PDAs)) at work, whether for work activities or not, and these may contain useful digital forensic evidence.

/ Make sure you have the authority to commence the forensic examination
• The decision to examine a computer system forensically is normally taken by a suitable manager, typically the person in charge of the incident management process, a senior manager, or a police officer.
• She should be fully aware that you will be taking the system offline, and for how long. This could be a long time if you need to conduct a full analysis, or not so long if you simply make forensic copies of the digital evidence for the analysis and hand the system back. Even after that, it may take a while for IT staff to clean up and rebuild a compromised system.
• Find out exactly which system is to be examined and ideally get this in writing.
• If you will be investigating an employee under suspicion of malfeasance (such as fraud) or other circumstances where you do not wish the fact of a probe to be apparent, you need to factor this in to your planning. The examination should be conducted at a time when the subject, and other people, will not be around - normally after hours or while the subject is certain to be somewhere else. Ensure that your actions will not be observed, and will not leave traces that the subject may find.
Protection against observation by others is important not only because they may inform the subject, but because if your sus-
22 Digital / ForensicS