
634    Chapter 11 • Operational and Organizational Security: Incident Response

critical servers are taken offline during forensic examinations. Backup equipment may be used to replace these servers or other devices, so that employees can still perform their jobs and, in the case of e-commerce sites, customers can still make purchases. A goal of any investigation is to avoid negatively impacting normal business practices as much as possible.

             Conceptual Knowledge
Computer forensics is a relatively new field that emerged in law enforcement in the 1980s. Since then, it has become an important investigative practice for both police and corporations. Not only do most larger police departments have their own technological crime units, but many larger companies also have IT staff trained in responding to such incidents, including the use of tools and techniques similar to those of the police. In doing so, they use scientific methods to retrieve and document evidence located on computers and other electronic devices. Retrieving this information may produce the only evidence available to convict a culprit, or it may enhance more traditional evidence obtained through other investigative techniques.

Computer forensics uses specialized tools and techniques that are accepted in court. Using these tools, digital evidence may be retrieved in a variety of ways. Electronic evidence may still reside on hard disks and other devices, even if it has been deleted through normal computer functions or hidden in other ways. Forensic software can reveal data that is invisible through normal channels and restore it to a previous state.
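To make the deleted-data point concrete, here is an added example (not from the book) built around a hypothetical toy file system: deleting a file removes only its directory entry, so a signature-based carver that ignores the directory still recovers the bytes, and a hash comparison documents that what was recovered is the original. The PNG structure used as sample evidence is constructed inline.

```python
import hashlib
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND" + zlib.crc32(b"IEND").to_bytes(4, "big")  # IEND chunk type + its CRC

def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data).to_bytes(4, "big")
    return len(data).to_bytes(4, "big") + ctype + data + crc

def make_png() -> bytes:
    """Constructed sample evidence: a structurally valid 1x1 RGB PNG."""
    ihdr = _chunk(b"IHDR", (1).to_bytes(4, "big") * 2 + b"\x08\x02\x00\x00\x00")
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))  # filter byte + one red pixel
    return PNG_SIG + ihdr + idat + _chunk(b"IEND", b"")

class ToyVolume:
    """Hypothetical file system: a directory table over a flat data area.
    Deleting a file drops its directory entry only; the bytes stay on 'disk'."""
    def __init__(self, size: int = 8192):
        self.data = bytearray((i * 37) % 256 for i in range(size))  # deterministic filler
        self.directory = {}  # name -> (offset, length): what a normal listing sees

    def write(self, name: str, content: bytes, offset: int) -> None:
        self.data[offset:offset + len(content)] = content
        self.directory[name] = (offset, len(content))

    def delete(self, name: str) -> None:
        del self.directory[name]  # data area untouched, as with a typical OS delete

def carve_pngs(image: bytes) -> list:
    """Signature carving: recover PNGs by header/trailer, ignoring the directory."""
    found, pos = [], 0
    while (start := image.find(PNG_SIG, pos)) != -1:
        end = image.find(PNG_END, start)
        if end == -1:
            break
        end += len(PNG_END)
        found.append((start, bytes(image[start:end])))
        pos = end
    return found

def demo() -> dict:
    vol, evidence = ToyVolume(), make_png()
    vol.write("photo.png", evidence, offset=3000)
    vol.delete("photo.png")  # "deleted through normal computer functions"
    carved = carve_pngs(bytes(vol.data))
    # Matching hashes are how the examiner documents that the carved file is the original
    same = bool(carved) and hashlib.sha256(carved[0][1]).digest() == hashlib.sha256(evidence).digest()
    return {"visible": vol.directory.get("photo.png"), "carved": carved, "hash_match": same}
```

Real carvers (and real file systems) are more involved, but the principle is the same: the examiner works from the raw image, not from what the operating system chooses to list.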


TEST DAY TIP

Forensics has four basic components: evidence must be collected, examined, preserved, and presented. The tasks involved in forensics will either fall into one of these groups or be performed across most or all of them. A constant element is the need for documentation, so that every action in the investigation is recorded. When taking the test, remember the four basic components and that everything must be documented.





Understanding

An important function of computer forensics is making people understand what has happened, and what the evidence indicates. In any forensic investigation, there



          www.syngress.com