
Operational and Organizational Security: Incident Response • Chapter 11  631

Because any facts acquired may become evidence in court, standard computer forensics techniques must be used to protect the integrity of potential evidence.

Computer forensics is the application of computer skills and investigation techniques for the purpose of acquiring evidence. It involves collecting, examining, preserving, and presenting evidence that is stored or transmitted in an electronic format. Because the purpose of computer forensics is its possible use in court, strict procedures must be followed for evidence to be admissible.

Even if an incident is not criminal in nature, forensic procedures are important to follow. There may be incidents where employees have violated policies. These actions can result in disciplinary actions (up to and including termination of employment). Such actions must be based on sound evidence to protect the company from a wrongful termination or discrimination lawsuit, or other charges by the disciplined employee. If such a suit is filed, the documentation will become evidence in the civil trial. (Policies and procedures are covered in detail in Chapter 12.)

For example, an employee may have violated a company's acceptable use policy by viewing pornography during work hours. Using forensic procedures to investigate the incident creates a tighter case against the employee, thereby making it difficult for the employee to argue the facts. Also, if during an investigation illegal activities are found to have taken place (such as possession of child pornography), the internal investigation becomes a criminal one. Any actions taken in the investigation would be scrutinized, and anything found could be evidence in a criminal trial.

As will be seen in the following sections, there are a number of standards that must be met to ensure that evidence is not compromised and that information has been obtained correctly. If forensic procedures are not followed, judges may deem evidence inadmissible, defense lawyers may argue its validity, and a case may be significantly damaged. In many cases, the only evidence available is that which exists in a digital format. This could mean that the ability to punish an offender rests with the security professional's abilities to collect, examine, preserve, and present evidence.
                                                                              www.syngress.com