Chapter 11. Forensic Detection

The term forensics may cause some people to think of DNA or the latest episode of Law and Order. Others may have thoughts of tracking a hacker in the midst of a computer break-in. Still others may see it as a means of conducting a computer investigation after the fact to gather electronic evidence that the organization can use to determine whether an incident or cybercrime has occurred. Forensics can be defined as any of these activities. This chapter looks at the subset of forensics also known as computer forensics or cyber-forensics. A forensic investigation must follow a strict set of rules that govern how evidence is obtained, collected, stored, and examined. While the organization performing an investigation might not know at the outset what will be found or how, the process must be followed carefully; otherwise any evidence obtained may become tainted and be ruled inadmissible in a court of law.

Government, military, and law enforcement have practiced forensics for many years, but it is a much younger discipline in private industry. Its growth can be tied to the increasingly important role that computers play in the workplace, the information they hold, and the access they provide.

This growth means computer security specialists must have a greater understanding of computer forensics and the concept of chain of custody. Even though many forensic investigations and computer forensic work will never be tested in court ...
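The point of chain of custody is that every handoff of an evidence item is recorded together with proof that the item has not changed since acquisition. The following added example (not code from the book) shows the minimal mechanics in Python: hash the acquired image in chunks, append a custody entry for each action, and later recompute the hash to prove the image is still identical to what was acquired. The "suspect-disk.dd" file, the handler names and the bag number are constructed for the demonstration; the tamper step at the end exists only to show that an altered image is detected.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(log, evidence_path, action, handler, note=""):
    """Append one chain-of-custody entry: who did what to the item, when, and its hash at that moment."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "action": action,
        "handler": handler,
        "sha256": sha256_file(evidence_path),
        "note": note,
    }
    log.append(entry)
    return entry


def custody_consistent(log):
    """True when every entry for each item carries the same hash, i.e. no handler changed the item."""
    seen = {}
    for entry in log:
        baseline = seen.setdefault(entry["evidence"], entry["sha256"])
        if entry["sha256"] != baseline:
            return False
    return True


def verify_integrity(log, evidence_path):
    """Recompute the hash now and compare it with the hash recorded at acquisition (first entry)."""
    name = os.path.basename(evidence_path)
    baseline = next(e for e in log if e["evidence"] == name)
    return sha256_file(evidence_path) == baseline["sha256"]


def demo():
    """Acquire a constructed 'disk image', log two handoffs, then show that tampering is detected."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "suspect-disk.dd")  # constructed sample, not real evidence
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed sample image" + b"\xff" * 4096)

    log = []
    record_custody(log, image, "acquired", "J. Analyst", "bit-for-bit copy, write blocker in place")
    record_custody(log, image, "transferred", "Evidence locker", "sealed in bag #1")
    intact = verify_integrity(log, image)      # True: image unchanged since acquisition

    # Simulate someone modifying one byte of the image after it was logged.
    with open(image, "r+b") as f:
        f.seek(4096)
        f.write(b"X")
    tampered_detected = not verify_integrity(log, image)  # True: hash no longer matches

    print(json.dumps(log, indent=2))
    return intact, tampered_detected, log


if __name__ == "__main__":
    demo()
```

In practice the custody log itself must also be protected (signed, or kept on write-once media), because a log that an attacker can rewrite proves nothing; the hash comparison is what makes a later challenge to the evidence answerable.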
