Cyber Crime Investigations

Chapter 5: Incident Response Live Forensics and Investigations

Introduction

To pull or not to pull the plug, that is the question. Today, cyber crime investigators are faced with the grueling task of deciding whether shutting down a computer system is the most efficient and effective method to gather potential electronic evidence. Traditionally, computer forensics experts agreed that shutting the computer system down in order to preserve evidence and eliminate the potential changing of information is best practice prior to examination. I remember having the phrases "shut it down" and "don't change anything" beaten into my brain during the numerous trainings I've attended throughout the years. However, one of the fundamental misconceptions with this philosophy is that computer forensics is the same as physical forensics. I would argue that they are not the same, given that computer forensics technology changes faster than traditional forensics disciplines like ballistics, serology, and fingerprint analysis. The second misconception is that we always collect everything at a physical crime scene. In a physical forensics environment, we commonly photograph the physical crime scene and take reasonable precautions to ensure the evidence is not disturbed. The truth is, in many cases, we only collect samples from a physical crime scene.

Nevertheless, we have accepted this methodology as best practice, and have backed ourselves into a litigation corner. The evolution of technology has put us face to face with the harsh reality that it is sometimes more advantageous to perform Live analysis than a Postmortem one. The problem is that live analysis often changes evidence by writing...
