Software: Operating Systems, Network Traffi c, and Applications 䡲 163
network security devices. In these cases, investigators should identify other likely data
sources and examine them for evidence.
Insuffi cient or Invalidated Data on Primary Sources—Investigators might need to examine
secondary data sources if primary data sources do not contain suffi cient information or
cyber forensic investigators need to validate the data. After reviewing one or more primary
data sources, cyber forensic investigators should query the appropriate secondary data sources
based on the pertinent data from the primary data sources. For example, if IDS records
indicate an attack against the system at IP address 216.239.51.100 with an apparent origin
of IP addres ...