Introduction to Digital Forensics

Determining what happened during a security incident is important for several reasons. First, you need to establish what actually happened and the extent of any damage. Any time you suspect that a security policy has been violated, you must determine the scope of the violation. A series of failed logon attempts is very different from a critical database being downloaded by an attacker and then destroyed. You discover the extent of an attack and its damage by examining markers of activity related to the suspected incident, often referred to as evidence. Collecting that evidence is critical to understanding what happened and how much damage may have occurred.

Second, you should attempt to determine who is responsible ...

Get Fundamentals of Information Systems Security, 4th Edition now with the O’Reilly learning platform.
