The field of computer forensics is an emerging and dynamically changing one in which human skills, high-technology tools and methodology are combined to provide forensic services. Digital evidence is becoming increasingly important as the number of computer investigations grows, driven by the growth in electronic transactions and commerce and the growth of the Internet, which has created new challenges for organisations in addressing computer systems abuse.
Computer systems abuse fits loosely into two categories, which are expanded below:

1. When the computer is used to conduct unauthorised or non-business activity, the computer is investigated as an enabler of the offence. This includes pornography, fraud and intellectual property theft. In this instance computer forensics is used to investigate the computer in order to find and timeline the unauthorised or non-business activity.

2. When the computer is the target, the computer system is treated as the victim of an offence. This is when a "hack" occurs and an organisation needs to discover how the attack occurred and how far it spread throughout its network and organisation. The handling of this type of attack is often referred to as incident response. From an incident response perspective, once an attacker has had control of a system it is virtually impossible to trust that system again.
Computer systems forensics also needs to be seen within the context of its environment, in particular the laws of the land. Legal and regulatory environments are constantly changing and in many countries have yet to be developed. This topic is expanded upon in Chapter 3, Legal Considerations.
This forensics methodology outlines procedures and techniques for organisations to follow when either of the above two categories occurs, and is aimed at Windows and UNIX-type systems.
Heiser and Kruse accurately define computer forensics [Computer Forensics: Incident Response Essentials, ISBN 0-201-70719-5] as "...involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary or root cause analysis". This definition is used throughout this document.
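The two ideas above, timelining a user's activity (category 1) and the preservation step of the Heiser and Kruse definition, can be shown together in a small script. The following is an added example, not code from the methodology document; the file paths, timestamps and contents are constructed, and the "mac" flag notation borrows the convention used by timeline tools rather than anything the document prescribes.

```python
"""Added example (not from the methodology document): build a MAC-time
timeline from file metadata and record an integrity manifest for the
evidence.  All sample data below is constructed and hypothetical."""
import hashlib
from datetime import datetime, timezone

# Constructed sample evidence: (path, mtime, atime, ctime, content bytes).
# Timestamps are UNIX epoch seconds, as os.stat() returns on both UNIX and
# Windows; the contents stand in for bytes read from the evidence copy.
SAMPLE_FILES = [
    ("/home/alice/docs/report.doc", 1_000_000, 1_000_300, 1_000_000, b"quarterly figures"),
    ("/home/alice/tmp/transfer.zip", 1_000_200, 1_000_250, 1_000_200, b"PK\x03\x04 archive stub"),
    ("/home/alice/.bash_history", 1_000_400, 1_000_400, 1_000_400, b"scp transfer.zip host:\n"),
]


def evidence_manifest(files):
    """Preservation: SHA-256 of each file's content, taken before analysis
    so the evidence can later be shown to be unchanged."""
    return {path: hashlib.sha256(content).hexdigest()
            for path, _m, _a, _c, content in files}


def verify_manifest(files, manifest):
    """Return True only if every file still matches its recorded digest."""
    return all(manifest.get(path) == hashlib.sha256(content).hexdigest()
               for path, _m, _a, _c, content in files)


def build_timeline(files):
    """Identification: collapse the modified/accessed/changed timestamps of
    every file into one list of (timestamp, flags, path) sorted by time.
    Flags follow the mactime convention: a letter where that timestamp
    applies and '.' where it does not, e.g. 'm.c' or '.a.'."""
    kinds_at = {}
    for path, mtime, atime, ctime, _content in files:
        for stamp, kind in ((mtime, "m"), (atime, "a"), (ctime, "c")):
            kinds_at.setdefault((stamp, path), set()).add(kind)
    timeline = []
    for (stamp, path), kinds in kinds_at.items():
        flags = "".join(k if k in kinds else "." for k in "mac")
        timeline.append((stamp, flags, path))
    timeline.sort(key=lambda entry: (entry[0], entry[2]))
    return timeline


def events_between(timeline, start, end):
    """Interpretation: the slice of the timeline inside a window of interest
    (e.g. the period a user is known to have been logged on), inclusive."""
    return [e for e in timeline if start <= e[0] <= end]


def format_timeline(timeline):
    """Documentation: render entries as ISO-8601 UTC lines for the report."""
    lines = []
    for stamp, flags, path in timeline:
        when = datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{when} {flags} {path}")
    return lines


if __name__ == "__main__":
    manifest = evidence_manifest(SAMPLE_FILES)
    print("manifest verified:", verify_manifest(SAMPLE_FILES, manifest))
    for line in format_timeline(build_timeline(SAMPLE_FILES)):
        print(line)
```

On a real case the tuples in SAMPLE_FILES would be produced by walking a read-only copy of the evidence and calling os.stat() on each file; the manifest is written out before any analysis begins, and verify_manifest() is re-run whenever the integrity of the copy needs to be demonstrated.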
When a command and its screen output are referenced, they are displayed in the font below:

command:
output

When a tool, program or utility is first referenced, it will have a number displayed in superscript next to it, like:

String³

To view information on this tool, including where to obtain it and how to install it, refer to "Appendix A – Forensics and Incident Response Testing Toolkit" using the superscript number.
