Lecture: Security+ Guide to Network Security Fundamentals (2nd edition) - Chapter 13: Advanced Security and Beyond

PDF, 27 pages, 717 KB (preview of the first 10 pages)
Chapter 13: Advanced Security and Beyond
Security+ Guide to Network Security Fundamentals, Second Edition

Objectives
• Define computer forensics
• Respond to a computer forensics incident
• Harden security through new solutions
• List information security jobs and skills

Understanding Computer Forensics
• Computer forensics can attempt to retrieve information, even if it has been altered or erased, that can be used in the pursuit of the criminal
• The interest in computer forensics is heightened by:
 – A high amount of digital evidence
 – Increased scrutiny by the legal profession
 – A higher level of computer skills among criminals

Forensics Opportunities and Challenges
• Computer forensics creates opportunities to uncover evidence that would be impossible to find using a manual process
• One reason computer forensics specialists have this opportunity is the persistence of evidence
 – Electronic documents are more difficult to dispose of than paper documents

Forensics Opportunities and Challenges (continued)
• Ways computer forensics differs from standard investigations:
 – Volume of electronic evidence
 – Distribution of evidence
 – Dynamic content
 – False leads
 – Encrypted evidence
 – Hidden evidence

Responding to a Computer Forensics Incident
• Generally involves four basic steps similar to those of standard forensics:
 – Secure the crime scene
 – Collect the evidence
 – Establish a chain of custody
 – Examine and preserve the evidence

Securing the Crime Scene
• The physical surroundings of the computer should be clearly documented
• Photographs of the area should be taken before anything is touched
• Cables connected to the computer should be labeled to document the computer's hardware components and how they are connected
• The team takes custody of the entire computer along with the keyboard and any peripherals

Preserving the Data
• The computer forensics team first captures any volatile data that would be lost when the computer is turned off and moves that data to a secure location
• This includes any data not recorded in a file on the hard drive or in an image backup:
 – Contents of RAM
 – Current network connections
 – Logon sessions
 – Network configurations
 – Open files

Preserving the Data (continued)
• After retrieving volatile data, the team focuses on the hard drive
• A mirror image backup (or bit-stream backup) is an evidence-grade backup because its accuracy meets evidence standards
• Mirror image backups are considered a primary key to uncovering evidence; they create exact replicas of the computer's contents at the crime scene
• Mirror image backups must meet the criteria shown on pages 452 and 453 of the text

Establishing the Chain of Custody
• As soon as the team begins its work, it must start and maintain a strict chain of custody
• The chain of custody documents that the evidence was under strict control at all times and that no unauthorized person was given the opportunity to corrupt the evidence
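The two slides above tie an evidence-grade bit-stream image to a strict chain of custody, but the lecture does not show what "accuracy meets evidence standards" and "no opportunity to corrupt the evidence" look like in practice. The following Python script is an added example, not code from the lecture or the textbook. It copies a constructed "drive" file block by block (the way a dd-style imager would), hashes source and image independently to prove the copy is exact, and keeps an append-only custody log in which every handoff re-hashes the image, so any alteration between handlers is caught by `verify()`. The file names, examiner names and the `demo()` scenario are assumptions made for illustration.

```python
"""Bit-stream imaging with hash verification and a chain-of-custody log.

Added example; not part of the lecture. Names and the scenario are constructed.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import List

BLOCK_SIZE = 4096  # read and write in fixed blocks, as a dd-style imager does


def sha256_file(path: str) -> str:
    """Hash a file in blocks so that large images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_copy(source: str, image: str) -> dict:
    """Copy every byte of `source` into `image` and return both hashes.

    An evidence-grade image must match the source bit for bit, so the source
    hash (acquisition hash) and the image hash are computed separately and
    compared rather than trusting the copy loop.
    """
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
    src_hash = sha256_file(source)
    img_hash = sha256_file(image)
    return {"source_sha256": src_hash, "image_sha256": img_hash,
            "verified": src_hash == img_hash}


@dataclass
class CustodyEntry:
    handler: str
    action: str
    sha256: str
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


class ChainOfCustody:
    """Append-only log: each handoff re-hashes the image and records who held it."""

    def __init__(self, image: str):
        self.image = image
        self.entries: List[CustodyEntry] = []

    def record(self, handler: str, action: str) -> CustodyEntry:
        entry = CustodyEntry(handler, action, sha256_file(self.image))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every logged hash equals the acquisition hash and the
        image on disk still matches it; any gap or change breaks the chain."""
        if not self.entries:
            return False
        first = self.entries[0].sha256
        return (all(e.sha256 == first for e in self.entries)
                and sha256_file(self.image) == first)

    def to_json(self) -> str:
        return json.dumps([asdict(e) for e in self.entries], indent=2)


def demo(tamper: bool = False) -> bool:
    """Constructed scenario: a small 'drive' is imaged and passed between handlers.

    With tamper=True one byte of the image is flipped mid-chain, so the next
    custody entry carries a different hash and verify() must return False.
    """
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "suspect_drive.bin")   # constructed evidence source
    image = os.path.join(workdir, "suspect_drive.dd")    # constructed image file
    with open(drive, "wb") as f:
        # deliberately not block-aligned: the final partial block must be copied too
        f.write(os.urandom(3 * BLOCK_SIZE + 123))
    acquisition = bitstream_copy(drive, image)
    if not acquisition["verified"]:
        return False
    chain = ChainOfCustody(image)
    chain.record("examiner A", "acquired bit-stream image at scene")
    chain.record("evidence custodian", "received image into evidence locker")
    if tamper:
        with open(image, "r+b") as f:
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0xFF]))  # guaranteed to change the byte
    chain.record("examiner B", "checked out image for analysis")
    return chain.verify()


if __name__ == "__main__":
    print("intact chain verifies:", demo())
    print("tampered chain verifies:", demo(tamper=True))
```

Hashing the source before and the image after acquisition is what lets the image stand in for the original: a later examiner can re-hash the image and show it is identical to what was taken at the scene. The custody log records the hash at every handoff rather than once, so the log itself shows at which handler a discrepancy first appeared.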