The ABC of Cybersecurity: How to prevent Phishing & Social Engineering Attacks, Incident Management Best Practices and Cybersecurity Awareness for Employees by Mike Miller
Author: Miller, Mike
Language: eng
Format: epub
Published: 2020-11-04T00:00:00+00:00
Chapter 35 How to Collect Evidence
Yet another critical aspect of the investigator's job is evidence collection and control, and we cannot overemphasize how significant it is to the investigation. From a computer forensics point of view, evidence collection covers the identification, acquisition, preservation, analysis, and documentation of the evidence, and often its presentation as well. In short, you collect the evidence, you take care of it, and you make sure that nothing happens to it and that it does not change at all, which takes deliberate effort in a digital environment.

Evidence control is probably the single most important part of the investigation, because it has to be done right the first time. If you lose control of the evidence, or if it is tainted in any way, your case is essentially finished. Keep in mind that digital evidence is very easy to change: if a single bit on a hard drive flips from 0 to 1, the evidence has changed. In practice we are more often concerned with altered timestamps and with files being added or deleted, and the standard way to demonstrate that none of this happened is to compute a cryptographic hash of the acquired image at the moment of acquisition and recompute it at every later step. Evidence, especially digital evidence, must therefore be obtained in a legally and forensically sound manner, using tried and true techniques that can be reproduced and examined in a court of law. Because we may be investigating a crime, the evidence also has to be handled in accordance with the law. This is different from simply imaging a drive, taking it back to the office, and looking at it to see whether someone has been browsing unacceptable sites at work. You, as the investigator, have to ensure that the evidence is acquired forensically, controlled at all times, and documented at every step of the way.

One of the first things an investigator learns is how to treat the crime scene. It should be handled with care, cordoned off from people who do not need to be there, and nothing should be disturbed except as part of the investigation.

Chain of custody is very important during this part of the investigation; it will make or break your case. If you took a hard drive from a suspect's computer and simply handed it to someone, how would you know that they did not change it later, or substitute another drive for it? How would you know that they did not carelessly drop it in a bag and lose it? A properly kept chain of custody lets you show that none of those things happened, and exposes it if they did. Here are some things to think about. First of all, document everything. When you take something from a crime scene, whether a hard drive, an SD card, or a whole computer, record it: its make, model, and serial number, the time of day you took it, the location you took it from, and who took it.
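The following is an added example, not code from the book, showing the two mechanics the chapter describes: pinning the evidence with a cryptographic hash at acquisition, and keeping a custody log that records every hand-off and re-verification against that hash. The item fields, event names, the "ExampleCo" device details and the 4 KiB stand-in image are all constructed for illustration; a real record would also carry the case number and the agency's own form fields.

```python
"""Added example (not from the book): integrity hashing plus a chain-of-custody
log for an acquired image. Item fields, event names and the sample data are
assumptions made for illustration."""
import hashlib
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Constructed stand-in for an acquired drive image (4 KiB of deterministic bytes).
SAMPLE_IMAGE = bytes(range(256)) * 16


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash of the image; any single bit flip changes it."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    action: str      # acquired / transferred / verified
    who: str         # investigator, or "sender -> receiver" for a hand-off
    when_utc: str
    sha256: str
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    make: str
    model: str
    serial: str
    seized_from: str
    acquisition_hash: str
    events: list = field(default_factory=list)

    def record(self, action: str, who: str, digest: str, note: str = "") -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.events.append(CustodyEvent(action, who, stamp, digest, note))

    def matches(self, image: bytes) -> bool:
        """True only if the image hashes to the value pinned at acquisition."""
        return sha256_hex(image) == self.acquisition_hash


def acquire(item_id, make, model, serial, seized_from, image, investigator) -> EvidenceItem:
    """Document the item at seizure and pin its hash at the moment of acquisition."""
    digest = sha256_hex(image)
    item = EvidenceItem(item_id, make, model, serial, seized_from, digest)
    item.record("acquired", investigator, digest, f"imaged at {seized_from}")
    return item


def hand_off(item: EvidenceItem, sender: str, receiver: str, image: bytes) -> bool:
    """Record a custody transfer; the receiver re-hashes before accepting."""
    digest = sha256_hex(image)
    ok = digest == item.acquisition_hash
    item.record("transferred", f"{sender} -> {receiver}", digest,
                "hash matches acquisition" if ok else "HASH MISMATCH - do not accept")
    return ok


def verify(item: EvidenceItem, image: bytes, examiner: str) -> bool:
    """Re-verify before analysis or presentation; log the result either way."""
    digest = sha256_hex(image)
    ok = digest == item.acquisition_hash
    item.record("verified", examiner, digest, "intact" if ok else "ALTERED since acquisition")
    return ok


def flip_one_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate the single-bit change the chapter warns about."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def demo():
    """Acquire, hand off, verify intact, then detect a one-bit alteration."""
    item = acquire("EV-0001", "ExampleCo", "HD-1000", "SN-CONSTRUCTED-42",
                   "workstation 7, room 210", SAMPLE_IMAGE, "Investigator A")
    handed = hand_off(item, "Investigator A", "Examiner B", SAMPLE_IMAGE)
    intact = verify(item, SAMPLE_IMAGE, "Examiner B")
    tampered = flip_one_bit(SAMPLE_IMAGE, 1000, 3)
    detected = not verify(item, tampered, "Examiner B")
    return item, handed, intact, detected


if __name__ == "__main__":
    item, handed, intact, detected = demo()
    for ev in item.events:
        print(asdict(ev))
    print("hand-off ok:", handed, "| intact:", intact, "| tamper detected:", detected)
```

The point of logging a failed verification rather than silently rejecting it is that the custody record must account for every time the evidence was touched, including the time it was found to be altered; a gap in the log is exactly what opposing counsel looks for.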