
640    Chapter 11 • Operational and Organizational Security: Incident Response

             Evidence is further packaged to reduce the risk of damage such as that from ESD
             or jostling during transport. Once transported, the evidence is stored under lock
             and key to prevent tampering, until such time that it can be properly examined and
             analyzed.
                 As can be seen, the roles involved in an investigation have varying
             responsibilities, and the people in each role require special knowledge to perform
             it properly. While the paragraphs above provided an overview of what is involved,
             the following sections look at the specific tasks to understand how certain duties
             are carried out.


              EXAM WARNING

                  Understanding the aspects of forensic procedure is not only vital to an
                  investigation, but also for success in the Security+ exam. As with the
                  exam as a whole, a broad number of topics are covered dealing with
                  the various elements of forensics. Many of these questions are
                  conceptual and address standard practices rather than specific tools, which
                  we’ll discuss later in this chapter. Expect the main focus of the exam to
                  address standard practices and concepts, with many of the questions
                  attempting to apply them to real-world situations.





             Chain of Custody


             Because of the importance of evidence, it is essential that its continuity be
             maintained and documented. A chain of custody must be established to show how
             evidence went from the crime scene to the courtroom. It proves where a piece of
             evidence was at any given time, and who was responsible for it. Documenting this
             can establish that the integrity of evidence was not compromised.
                 If the chain of custody is broken, it could be argued that the evidence fell into
             the wrong hands and was tampered with or that other evidence was substituted.
             This brings the value of evidence into question, and could make it inadmissible in
             court. To prevent this from happening, policies and procedures dealing with the
             management of evidence must be adhered to.
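As an added illustration (not from the study guide), the following Python keeps a per-item custody log and checks the two properties the text describes: every hand-off is released by the person currently responsible for the item, and the item's hash at each hand-off matches the hash taken at acquisition. The custodian names, timestamps and image bytes are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class CustodyEvent:
    timestamp: str       # ISO-8601 time of the hand-off
    released_by: str     # custodian giving up the item
    received_by: str     # custodian taking responsibility for it
    purpose: str         # why it moved: transport, storage, examination
    sha256: str          # hash of the item recorded at the hand-off

@dataclass
class EvidenceItem:
    item_id: str
    collected_by: str           # first custodian, at the scene
    acquisition_sha256: str     # hash taken when the item was seized or imaged
    events: list = field(default_factory=list)

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_transfer(item, timestamp, released_by, received_by, purpose, data):
    # Log one hand-off, hashing the item as it is at that moment.
    item.events.append(CustodyEvent(timestamp, released_by, received_by, purpose, sha256_of(data)))

def audit_chain(item):
    """Return findings for continuity gaps and hash mismatches; empty list means the chain is intact."""
    findings = []
    holder = item.collected_by
    for n, ev in enumerate(item.events, 1):
        if ev.released_by != holder:
            findings.append(f"event {n}: gap, {ev.released_by} released an item held by {holder}")
        if ev.sha256 != item.acquisition_sha256:
            findings.append(f"event {n}: hash mismatch at hand-off to {ev.received_by}")
        holder = ev.received_by
    return findings

# Constructed sample data: a seized disk image and the people who handled it.
IMAGE = b"constructed disk image contents"

def build_intact_chain():
    item = EvidenceItem("EV-0001", "Investigator A", sha256_of(IMAGE))
    record_transfer(item, "2024-05-01T09:15:00", "Investigator A", "Custodian B", "storage", IMAGE)
    record_transfer(item, "2024-05-02T14:00:00", "Custodian B", "Analyst C", "examination", IMAGE)
    return item

def build_broken_chain():
    item = build_intact_chain()
    # "Analyst D" never received the item, and the bytes no longer match the acquisition hash.
    record_transfer(item, "2024-05-03T10:30:00", "Analyst D", "Custodian B", "return", IMAGE + b"!")
    return item
```

Running `audit_chain` on the broken chain reports both the custody gap and the hash mismatch, which is exactly the kind of finding that would let opposing counsel argue the evidence was substituted or tampered with.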
                 Evidence management begins at the crime scene, where it is bagged and/or
             tagged. When a crime scene is being processed, each piece of evidence must be
             sealed inside an evidence bag. An evidence bag has two-sided tape that allows it to
             be sealed shut. Once sealed, the only way to open it is by either ripping or cutting



          www.syngress.com