/ FEATURE

• Replace the evidential image in the safe, completing the chain-of-custody form.
• If necessary, retrieve any files or other information that the user legitimately needs, on their behalf, from the working copy. (Do not hand over your working copies – they are valuable and probably contain sensitive evidence relating to the case). This decision and the associated process need to be documented to minimize the risk of inappropriately disclosing information or compromising the case.

/ Forensically examine the working copies
• Follow sound forensic practices carefully so there is no doubt in court about what you did to reveal and examine the evidence, and no question that what you found would also be found by another competent forensic examiner working from the same original evidence and following the processes you may be asked to describe in detail.
• Record what you do and what you find immediately in your fieldwork notes throughout the analytical process. It is generally advisable to use a hardbound (not loose leaf) notebook for this purpose, recording the date and if necessary the time of every stage or major activity and supporting details where necessary. You may find it worthwhile also to video your analysis to cut down the amount of note-taking required, but only if the video is likely to be admissible evidence. (Another reason for recording a video is that you want it as a training aid). Stay professional and avoid contaminating notes and evidence with irrelevant information such as personal notes or doodles. Superfluous material makes it harder for the court to focus on the key issues and may even raise concerns about the competence or integrity of the investigative team and process.
• You may need to search for hidden data, deleted files etc. following sound forensic practices. This can get highly technical but many tools exist to support this type of work and the investigators should have been adequately trained beforehand.
• If you are not forensically skilled and experienced, or are unduly concerned about your responsibilities in this case, consider sending a working copy to a predetermined competent and trustworthy specialist digital forensic examiner who can conduct the analysis, prepare a forensic report on your behalf and, if necessary, appear in court as an expert witness to explain the process and findings.

/ Conduct a post-incident review
• Following any significant information security incident and investigation, it is good practice to conduct a post-incident review. The primary objectives are twofold: (1) to examine and if possible address the root causes of the incident, and (2) to improve the investigative process, learning from how the incident was handled and being better prepared for the next one.
• Such reviews are best led by someone independent, generally a manager, auditor or consultant who was not intimately involved in the incident investigation but has the trust of the team and can assess the situation dispassionately.
• Remember that the goal is not to apportion blame but to learn and improve. It is just as important to identify the things that went well as those that did not.
• There are diminishing returns as processes mature, so it is not necessary to review every single incident. The frequency should be at management’s discretion.

/ Conclusion
The process described in this paper and summarized in Figure 1’s flowchart encapsulates commonplace forensic practices, but only in a generic way. It should be checked and customized by competent people to suit your particular circumstances and requirements. The legal rules and practices regarding the admissibility of evidence, for instance, vary between jurisdictions. You do not want to find yourself in the position of having to defend and justify your methods on the witness stand unless you are sure of your ground, and the best time to gain that confidence is now, while you have the time to research, think and seek qualified advice, and before you are called upon for real. Keep the procedure succinct and clear to make it simpler to follow in training sessions or during investigations, and easier to explain in court. /

/ Author Bio
Dr Gary Hinson PhD MBA CISSP has more than two decades’ experience as practitioner, manager and consultant in the field of information security, risk and IT audit. Gary runs the information security awareness subscription service NoticeBored (www.NoticeBored.com) and spends his days writing awareness materials in an idyllic hideaway in rural New Zealand. He is also actively involved in developing the ISO/IEC 27000-series information security management standards and shares his passion through www.ISO27001security.com.

/ Author Bio
Robert Slade is a data communications and security specialist from North Vancouver, British Columbia, Canada. His research into computer viral programs started when they first appeared as a major problem “in the wild”. He has since become known for “Mr. Slade’s lists” of antiviral software vendors, antiviral reviews, antiviral evaluation FAQ, and virus books. One of the working group for the VIRUS-L FAQ, he is best known for a series of review and tutorial articles which have recently been published as “Robert Slade’s Guide to Computer Viruses”. As an outgrowth of the virus research, he prepared the world’s first course on forensic programming (aka software forensics), and he wrote a book on that, too.
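An added illustration of two points from the "Forensically examine the working copies" section above (example code, not the article's or its authors'): the working copy is checked against the digest recorded on the chain-of-custody form before examination starts, and each contemporaneous fieldwork note is chained to the previous one so that a later edit or deletion is detectable, much as a bound notebook makes a torn-out page evident. The use of a SHA-256 on the custody form, the `FieldworkLog` class and the sample entries are assumptions made for this example.

```python
# Added illustration, not the article's code: check a working copy against the
# digest recorded on the chain-of-custody form (assumed here to be a SHA-256)
# and keep hash-chained, timestamped fieldwork notes.
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    """Digest of an evidence artefact held in memory (the working copy here)."""
    return hashlib.sha256(data).hexdigest()

def verify_working_copy(copy: bytes, recorded_sha256: str) -> bool:
    """Confirm, before examination starts, that the working copy still matches
    the digest recorded for the evidential image on the custody form."""
    return sha256_hex(copy) == recorded_sha256.strip().lower()

class FieldworkLog:
    """Append-only notes: each entry commits to the previous entry's hash, so an
    altered, removed or reordered entry breaks the chain, much as a bound (not
    loose-leaf) notebook makes a torn-out page evident."""
    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, examiner: str):
        self.examiner = examiner
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, finding: str) -> dict:
        """Log what was done and what was found, stamped with the UTC time."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries) + 1,
                 "time": datetime.now(timezone.utc).isoformat(),
                 "examiner": self.examiner, "action": action,
                 "finding": finding, "prev_hash": prev}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the whole chain; False if any entry was changed or dropped."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True
```

Exporting the verified chain alongside the examiner's signed notes gives a second examiner a simple way to confirm the record has not been reworked after the fact.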
Digital Forensics, page 26 (DF1_21-26_3rd Feature.indd, 29/10/09 5:08:00 pm)