
632    Chapter 11 • Operational and Organizational Security: Incident Response


             Head of the Class…

                Gathering Evidence
                Legal differences exist between how a private citizen and law enforce-
                ment can gather evidence. There are stricter guidelines and legislation
                controlling how agents of the government may obtain evidence. Because
                of this, evidence that is collected prior to involving law enforcement is
                less vulnerable to being excluded in court.
                     Constitutional protection against illegal search and seizure applies
                to government agents (such as the police), but may not apply to private
                citizens. Before a government agent can search and seize computers and
                other evidence, a search warrant, consent, or statutory authority (along
                with probable cause) must be obtained. This does not apply to private cit-
                izens, unless they are acting as an “agent of the government” and
                working under the direction or advice of law enforcement or other gov-
                ernment parties.
                     Although fewer restrictions apply to private citizens, forensic proce-
                dures should still be followed. Failing to follow forensic procedures may
                result in lost or unusable evidence. The procedures outlined in this sec-
                tion will help to preserve evidence and ensure it is considered admissible
                in court.

             Awareness

             The first security issue that should be dealt with is promoting awareness. Often,
             users of a system are the first to notice and report problems. If someone notices a
             door to a server room is unlocked, you want that person to notify someone so the
             door can be locked. The same applies to issues that are criminal, breach corporate
             policy, or violate security in some other way. Until the proper parties are notified,
             computer forensic examinations cannot be performed, because those in a position
             to perform them do not know a problem exists.
                 Incident response policies should be implemented to provide an understanding
             of how certain incidents should be dealt with, and who will deal with them.
             Incident response teams have the general responsibilities of identifying what hap-
             pened, assessing and containing damage, and restoring normal operations, but the
             primary function of computer forensics is to collect evidence that will identify
             what happened and who is responsible. To allow a system to be restored without
             destroying evidence, those performing computer forensic services must work in
             conjunction with those performing normal incident response duties. The policy
             should outline these responsibilities and identify an Incident Response Team, which
             must be notified of the issues and who has the knowledge and skills to deal with
             them effectively, and also identify which members are trained in computer foren-



          www.syngress.com