
Operational and Organizational Security: Incident Response • Chapter 11  639



                 NOTE
                      To reduce the length of the chain of custody, and limit the number of
                      people needed to testify as having possession of the evidence, you
                      should limit the number of people collecting evidence. It is a best
                      practice (whenever possible) to have only one person collecting all of
                      the electronic evidence. This may not always be practical in larger
                      investigations, where numerous machines need to be examined for
                      possible evidence. However, even in these situations, you should not
                      have more people than absolutely necessary accessing the scene and
                      the evidence contained within it.




                    A chain of command should be established when the person investigating the
                 incident arrives at the scene. The investigator should make it clear that they are in
                 charge, so that important decisions are made by or presented to them. A chain of
                 custody should also be established, documenting who handled or possessed evidence
                 during the course of the investigation and every time that evidence is transferred to
                 someone else's possession. Once the investigation begins, anyone handling the
                 evidence is required to sign it in and out, so that there is a clear record of who
                 possessed the evidence at any given time.
                    Even if the first responder has conducted an initial search for evidence, the
                 investigator will need to establish what constitutes evidence and where it resides. If
                 additional evidence is discovered, the perimeter securing the crime scene may be
                 changed. The investigator will either have crime scene technicians begin to process
                 the scene once its boundaries are established, or the investigator will perform the
                 duties of the technician. The investigator or a designated person remains at the
                 scene until all evidence has been properly collected and transported.

                 The Crime Scene Technician

                 Crime scene technicians are individuals who have been trained in computer forensics,
                 and have the knowledge, skills, and tools necessary to process a crime scene.
                 Technicians are responsible for preserving evidence, and make every effort to do so.
                 The technician may acquire data from a system's memory, make images of hard
                 disks before shutting them down, and ensure that systems are properly shut down
                 before transport. Before transporting, all physical evidence is sealed in a bag and/or
                 tagged to identify it as a particular piece of evidence. The information identifying
                 the evidence is added to a log so that a proper inventory of each piece exists.
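                 The sign-in/sign-out chain of custody described earlier and the evidence inventory
                 kept by the technician, as an added example that is not from the book: a small Python
                 log that records each item with its SHA-256 digest at acquisition, records every
                 hand-off with a timestamp, and re-hashes the item at each hand-off so that an
                 altered image, or a transfer from someone who does not currently hold the item, is
                 rejected at that point rather than discovered later. The evidence IDs, names,
                 timestamps, and the byte string standing in for a disk image are constructed for
                 illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    """Digest recorded at acquisition and re-computed at every hand-off."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    evidence_id: str
    action: str                # "acquired" or "transferred"
    from_person: Optional[str] # None for the acquisition entry
    to_person: str
    timestamp: str             # ISO-8601 string supplied by the caller
    digest: str                # SHA-256 of the item when the entry was made


class ChainBroken(Exception):
    """Raised when a hand-off would leave the chain of custody unprovable."""


class EvidenceLog:
    """Inventory of evidence items plus the ordered custody entries for each."""

    def __init__(self) -> None:
        self._items: Dict[str, dict] = {}   # evidence_id -> description, digest, custodian
        self.entries: List[CustodyEntry] = []

    def acquire(self, evidence_id: str, description: str, data: bytes,
                collector: str, timestamp: str) -> str:
        """Log a newly collected item; the collector becomes its first custodian."""
        if evidence_id in self._items:
            raise ChainBroken(f"{evidence_id} is already in the inventory")
        digest = sha256_hex(data)
        self._items[evidence_id] = {"description": description,
                                    "digest": digest, "custodian": collector}
        self.entries.append(CustodyEntry(evidence_id, "acquired", None,
                                         collector, timestamp, digest))
        return digest

    def transfer(self, evidence_id: str, from_person: str, to_person: str,
                 data: bytes, timestamp: str) -> None:
        """Sign an item out from its current custodian and in to the next one."""
        item = self._items.get(evidence_id)
        if item is None:
            raise ChainBroken(f"{evidence_id} is not in the inventory")
        if item["custodian"] != from_person:
            raise ChainBroken(f"{evidence_id} is held by {item['custodian']}, "
                              f"not {from_person}")
        digest = sha256_hex(data)             # re-verify integrity at the hand-off
        if digest != item["digest"]:
            raise ChainBroken(f"{evidence_id} digest mismatch: "
                              f"{digest} != {item['digest']}")
        item["custodian"] = to_person
        self.entries.append(CustodyEntry(evidence_id, "transferred", from_person,
                                         to_person, timestamp, digest))

    def custodian(self, evidence_id: str) -> str:
        return self._items[evidence_id]["custodian"]

    def inventory(self) -> List[str]:
        """One line per item, as it would be printed for the evidence log."""
        return [f"{eid}: {it['description']} sha256={it['digest']} held by {it['custodian']}"
                for eid, it in sorted(self._items.items())]

    def history(self, evidence_id: str) -> List[str]:
        return [f"{e.timestamp} {e.action} {e.from_person or '-'} -> {e.to_person}"
                for e in self.entries if e.evidence_id == evidence_id]


# Constructed stand-in for an acquired disk image (not real evidence data).
IMAGE = b"constructed stand-in for a forensic disk image"


def demo() -> EvidenceLog:
    """Acquisition by one technician, then two hand-offs with intact data."""
    log = EvidenceLog()
    log.acquire("E-001", "Laptop disk image, server room", IMAGE,
                "A. Technician", "2024-01-15T09:00:00Z")
    log.transfer("E-001", "A. Technician", "Evidence Clerk", IMAGE,
                 "2024-01-15T11:30:00Z")
    log.transfer("E-001", "Evidence Clerk", "Examiner", IMAGE,
                 "2024-01-16T08:00:00Z")
    return log


def tampered_transfer_detected() -> bool:
    """A hand-off of modified data must be refused."""
    log = demo()
    try:
        log.transfer("E-001", "Examiner", "Evidence Clerk", IMAGE + b"\x00",
                     "2024-01-17T08:00:00Z")
    except ChainBroken:
        return True
    return False


def wrong_custodian_detected() -> bool:
    """A hand-off by someone who does not currently hold the item must be refused."""
    log = demo()
    try:
        log.transfer("E-001", "Evidence Clerk", "Examiner", IMAGE,
                     "2024-01-17T08:00:00Z")
    except ChainBroken:
        return True
    return False


if __name__ == "__main__":
    log = demo()
    print("\n".join(log.inventory()))
    print("\n".join(log.history("E-001")))
    print("tamper caught:", tampered_transfer_detected())
    print("wrong custodian caught:", wrong_custodian_detected())
```

                 The timestamp is taken from the caller rather than the clock so the entries are
                 reproducible; in practice it comes from a trusted time source and each entry is
                 also signed or witnessed, which this example leaves out.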


