Page 35 - Security+ (635 notes by Nikkhah)
Incident response policy
588- This policy describes how employees will respond to unexpected incidents involving
personal and organizational safety and security.
589- It describes how incidents are to be handled without causing a panic.
590- It asks the following common questions:
— Who will investigate and analyze the reasons behind the incident?
— Who will find an immediate and acceptable solution to the problem caused by the incident?
— What other documents can be referred to in order to help resolve the problem?
Computer forensics
591- Computer forensics is the application of computer expertise to establish factual
information for judicial review.
592- It involves activities such as collection, preservation, examination, and transfer of
information using electronic media.
593- All electronic crimes are reported to the incident response team.
594- The first responder identifies and protects the crime scene.
595- The investigator establishes a chain of command/chain of custody, conducts a search,
and maintains the integrity of the evidence.
596- The crime scene technician preserves volatile evidence, duplicates computer disks, shuts
down the system for transportation, and logs activities.
Chain of custody
597- A chain of custody describes how the evidence is transferred from the crime scene to the
court of law.
598- It specifies the personnel responsible for maintaining and preserving the evidence.
599- It is entered in an evidence log and specifies the persons who possessed the evidence or
who worked on it.
Preservation of evidence
600- Crime scene data is protected from being damaged.
601- Steps are taken to preserve the volatile data first.
602- Photographs of screens are taken.
603- Images of hard disks are made using accepted imaging tools.
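The chain-of-custody and evidence-preservation notes above can be tied together in a small evidence log: the image is hashed when it is acquired, and every later custodian re-hashes it so the log shows who held the evidence and whether it stayed intact. This is an added illustration, not from the original notes; the evidence ID, person names and the in-memory sample image are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image; a real one is a file on disk.
SAMPLE_IMAGE = b"\x00" * 512 + b"constructed sample sector data" + b"\xff" * 512


def image_hash(data: bytes) -> str:
    """SHA-256 of the evidence image, taken once at acquisition and re-checked later."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Evidence log: records each person who possessed or worked on the item, when,
    and whether the image still matches the hash recorded at acquisition."""

    def __init__(self, evidence_id: str, acquired_by: str, data: bytes):
        self.evidence_id = evidence_id
        self.acquisition_hash = image_hash(data)
        self.entries = []
        self.record(acquired_by, "acquired", data)

    def record(self, person: str, action: str, data: bytes) -> bool:
        """Append a custody entry; returns False (and flags the entry) if the
        image no longer matches the acquisition hash, i.e. integrity is broken."""
        current = image_hash(data)
        intact = current == self.acquisition_hash
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "person": person,
            "action": action,
            "sha256": current,
            "intact": intact,
        })
        return intact

    def is_intact(self) -> bool:
        """True only if every custodian in the chain saw an unmodified image."""
        return all(entry["intact"] for entry in self.entries)

    def custodians(self) -> list:
        """Ordered list of everyone who held the evidence, as a court would ask for."""
        return [entry["person"] for entry in self.entries]
```

A single failed entry is enough to break the chain, which is why the log keeps the per-entry hash rather than only a final pass/fail.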
www.hrnikkhah.com by: Hamid Reza Nikkhah Page 33