Security + Exam Guide (Charles River Media Networking/Security)

Computer forensics can be described easily as an investigation of a computer network or system in hopes of recovering data and other information that can be used as evidence to properly prosecute the sources responsible for a computer-related theft of crime. Computer forensics is concerned with how laws apply to computer science and technology in general. Its focus is on the collection and preservation of computer-related information and evidence in order to prove that a computer crime has occurred.

In today's electronic world, most information is stored on media such as hard drives, CD-ROMs, floppy disks, and other forms of electronic storage. The extraction processes that take place to find hidden file formats, secrets, files that have been encrypted, and other evidence from these types of media are the main focus of computer forensics.

Typically, a third party is used to provide the recovery and extraction of information from a system that has been damaged. Special software and the ability to find traces of malicious activity very quickly are the skills and tools held by most third-party computer forensic specialists. Most network administrators carry out computer forensics techniques on a daily basis but don't necessarily call it forensics. They call it auditing, logging, data backup, and data restoration. You will have to know what forensics is for the exam. However, it is likely that you won't get hammered with questions concerning computer forensics. This is a fairly new area that will be targeted more heavily in future security related examinations.

Evidence Collection and Preservation

The proper collection, storage, preservation, and protection of evidence that has been identified on media or a system that has compromised are critical to the evidence life cycle concerning computer forensics.

If potential evidence is corrupted, damaged, or not handled with Due Care, the evidence might not be admissible in a court of law. The following items should be considered when collecting, handling, storing, and transporting possible computer-related forensic evidence:

• It is imperative during the collection stage of the forensic process that no information is damaged, misplaced, or destroyed. In other words, if you are investigating a compromised system and manage to delete or modify code or information that is considered evidence, you might have just ruined your chances of providing accurate evidence. Another consideration is that you must not further infect a possibly compromised system. When considered compromised, a system should be disconnected immediately from a network and other resources. If a system has been purposely infected with code or a virus from one source and is further infected during the investigation process, it is possible that any evidence obtained will not be admissible for legal proceedings.

• The system or media being examined must include documented information pertaining to file structure and all other identified system information. The documentation must contain the signature of the person examining the information and the date it was examined.

• Once the evidence has been extracted and gathered, it is of utmost importance that it is properly handled, stored, and packaged. Rubber, static-free gloves should be worn when handling evidence so as to avoid further fingerprints. The evidence should be stored in a sealed container. The container and all pertinent information must be labeled and documented. This documentation must include the signature of the person carrying out the investigation and the date the investigation took place.

• Evidence should be transported to a third-party storage facility until it is presented as legal evidence in a trail or proceeding, or is returned to its original location or owner. It is important that the same level of care is taken when transporting the evidence to a legal proceeding as it was taken when the evidence was stored originally.

• A chain of custody must be in place to ensure that it is always known where the evidence is physically located and who has possession of it. A secured logbook should be used as a verification and identification tool during this process.

The National Institute of Standards and Technology is an excellent site that has a wealth of information regarding Forensics. For more information, visit the NIST at http://www.nist.gov/. For another great explanation of Forensics visit http://www.forensics-intl.com/def4.html.