Chapter 2 Computer Forensics: A Pocket Guide
Be prepared: proactive forensics
• It is essential that forensic techniques are developed, implemented and tested.
• More than having correct procedures but also training of staff, knowing the organization of IT
• The most effective deployment of a forensics team is as an aspect of the organization’s Computer
Security Incident Response Team (CSIRT), AKA Computer Emergency Response Team (CERT).
• The actual process of computer forensics is inherently a reactive approach to the identification of
misuse of systems, whether that is cyber or computer-assisted crime.
• Constant training is important.
• When to undertake a forensic investigation of a system—the nature of forensics, specifically the
time and resources required to investigate a system, routine investigations of systems is simply
• Forensics is used to identify what happened. There is some agreement on the general principles
of the process. There are seven key stages:
o Identification—the initial identification that something is wrong and requires forensic
o Preservation—to ensure data is acquired in a forensically sound manner with an
appropriate chain of custody being maintained.
o Collection—the use of approved software and hardware and appropriate legal author
where necessary in collecting the evidence.
o Analysis—understand the chronology of events and link together artefacts in order to
understand the complete picture.
o Presentation—document and present the findings in an appropriate manner.
o Decision—in a legal situation this would be whether sufficient evidence exists to proceed
with a criminal case. Within an organizational environment, it could be the point at
which a decision is made to proceed with civil proceedings or an action is taken against
• The core underlying principle within computer forensics is preservation of data. Therefore,
during all stages of examination and analysis a forensic examiner will work on duplicates of the
original evidence rather than the original.
• It is important to ensure an appropriate chain of custody throughout the forensic investigation,
from the initial capture of the hardware through the collection, examination, analysis and
presentation. At all stages, it should be clear who has been handling the data and when.
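The two points above (work only on a verified duplicate; record who handled the data and when) can be checked mechanically. The following is an added illustration, not from the pocket guide: it hashes the original once at acquisition, hands the examiner a duplicate, and logs every handover together with the result of an integrity check. The disk image bytes and handler names are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (not real evidence).
SAMPLE_IMAGE = b"boot sector placeholder\x00" + bytes(range(64))

@dataclass
class Evidence:
    label: str
    original_sha256: str                  # hash recorded once, at acquisition
    data: bytearray                       # the duplicate the examiner works on
    custody: list = field(default_factory=list)   # chain-of-custody entries

def sha256(data) -> str:
    return hashlib.sha256(bytes(data)).hexdigest()

def log_custody(ev, handler, action, when=None):
    """Append who did what, and when, to the chain-of-custody record."""
    when = when or datetime.now(timezone.utc).isoformat()
    ev.custody.append({"when": when, "handler": handler, "action": action})

def acquire(label, original, handler, when=None):
    """Preservation: hash the original, then work only on a duplicate of it."""
    ev = Evidence(label, sha256(original), bytearray(original))
    log_custody(ev, handler, "acquired and duplicated", when)
    return ev

def verify(ev) -> bool:
    """True if the working copy still hashes to the value taken at acquisition."""
    return sha256(ev.data) == ev.original_sha256

def handover(ev, from_handler, to_handler, when=None) -> bool:
    """Transfer between handlers; the integrity-check result is logged as well."""
    intact = verify(ev)
    status = "verified" if intact else "MISMATCH"
    log_custody(ev, to_handler, f"received from {from_handler}; hash {status}", when)
    return intact

if __name__ == "__main__":
    ev = acquire("HDD-01", SAMPLE_IMAGE, "examiner A")
    print("intact after handover:", handover(ev, "examiner A", "examiner B"))
    ev.data[0] ^= 0xFF      # simulate an accidental write to the working copy
    print("intact after write:", handover(ev, "examiner B", "examiner C"))
    for entry in ev.custody:
        print(entry)
```

A mismatch does not by itself say what changed; it says the duplicate can no longer be presented as faithful, so the examiner re-images from the preserved original and the log shows where the break occurred.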
• Four principles by the Association of Chief Police Officers (ACPO):
o No action taken by law enforcement agencies or their agents should change data held on