8.6. Evidence Collection and Incident Response Procedures


Chapter 6 goes into some detail on the type of network- and/or host-related information to gather when investigating a DDoS attack. Other references cover the topic of evidence collection, chain of custody, investigation of computer crime, and digital forensics [CERd, NIoJa, NIoJb, oECFL, Uni, IAA, oJb, CIPS, oJa].

The important things to keep in mind when collecting information that may be used as evidence are:

  • Volatility of evidence. Evidence has a life cycle which dictates how long it lives, and therefore how quickly you must move to preserve it. Put another way, the order in which you collect your evidence should be arranged so as not to disturb other evidence and change attributes, such as file time stamps, or outright destroy it, for example, by overwriting disk space. See RFC 3227 for more information [BK01].

  • Chain of custody. Maintaining a record of who collected the information, when, and how, and then keeping track of all subsequent handoffs of the information to others is called the chain of custody. This includes integrity checks, such as cryptographically strong hash values (e.g., SHA1 or better), which provide a unique fingerprint of the contents. (Even better is a cryptographic time stamp of the file, which not only proves the fingerprint of the file, but also the time at which that fingerprint was made.) If it cannot be proved in court that this chain was maintained, an argument can be made that the evidence may have been tampered with, was accidentally modified by booting the system, or is incomplete.

  • Records kept as a normal course of business. Logs and other records showing access and the like should be kept as a normal course of business in order to be admissible as evidence. If you have a standard practice that governs their collection, you will be in a much stronger position when these records are required for use in court.

See section V in the Department of Justice document "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations" [CIPS] for more information about evidence in computer crime cases.
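As an added example (not code from the book), the chain-of-custody item above in working form: a small Python manifest that records who handled each evidence file, when, and its SHA-256 fingerprint, and links each record to the hash of the previous one, so that verification detects both a later edit to the evidence file and a rewrite of an earlier handoff record. The file name, handler names and the sample log line are constructed; the time field is self-reported by the collector, not the trusted cryptographic time stamp the text recommends.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    with open(path, "rb") as f:  # SHA-256 fingerprint of the file as collected
        return hashlib.sha256(f.read()).hexdigest()
def _entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_custody(manifest, path, handler, action):
    """Append who/when/what plus the file hash; each entry also commits to the previous
    entry's hash, so rewriting an earlier handoff record breaks the chain."""
    prev = manifest[-1]["entry_hash"] if manifest else "0" * 64
    entry = {"file": os.path.basename(path), "sha256": sha256_file(path),
             "handler": handler, "action": action,
             "time_utc": datetime.now(timezone.utc).isoformat(), "prev_entry": prev}
    entry["entry_hash"] = _entry_hash(entry)
    manifest.append(entry)
    return entry

def verify_manifest(manifest, evidence_dir):
    """Report altered records, broken links, and files that no longer match their recorded hash."""
    problems, prev = [], "0" * 64
    for i, e in enumerate(manifest):
        if _entry_hash({k: v for k, v in e.items() if k != "entry_hash"}) != e["entry_hash"]:
            problems.append(f"entry {i}: record altered after it was hashed")
        if e["prev_entry"] != prev:
            problems.append(f"entry {i}: chain link broken")
        prev = e["entry_hash"]
        path = os.path.join(evidence_dir, e["file"])
        if os.path.exists(path) and sha256_file(path) != e["sha256"]:
            problems.append(f"entry {i}: {e['file']} modified since collection")
    return problems

def demo():
    """Constructed sample: collect a log, hand it off, then forge a record and edit the file."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "firewall.log")
        with open(log, "w") as f:  # constructed sample log line, not real data
            f.write("2003-05-01T10:00:00Z DROP SYN flood from 192.0.2.10\n")
        manifest = []
        record_custody(manifest, log, "analyst-1", "collected from sensor")
        record_custody(manifest, log, "analyst-2", "received for analysis")
        clean = verify_manifest(manifest, d)
        manifest[0]["handler"] = "someone-else"  # forge the first record and re-hash it
        manifest[0]["entry_hash"] = _entry_hash({k: v for k, v in manifest[0].items() if k != "entry_hash"})
        after_forged_record = verify_manifest(manifest, d)
        with open(log, "a") as f:  # now modify the evidence file itself
            f.write("tampered\n")
        after_file_edit = verify_manifest(manifest, d)
    return clean, after_forged_record, after_file_edit
```

Because a forged record is re-hashed by the forger, it is the next entry's stored link, not the forged entry itself, that exposes the rewrite; this is why each handoff should commit to its predecessor.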



Internet Denial of Service: Attack and Defense Mechanisms
ISBN: 0131475738
Year: 2003
Pages: 126
