Describing computer evidence
Addressing evidence handling issues
Identifying evidence
Collecting evidence
Maintaining the chain of custody
Ensuring evidence admissibility
Methods of preserving evidence state
In this chapter, you'll learn about computer evidence: what it is and what makes it different from other kinds of evidence. You'll also learn how to identify, collect, handle, and present evidence both in and out of court.
Simply put, evidence is something that provides proof. You'll need evidence to prove that someone attacked your system. Without evidence, you only have a hunch; with evidence, you might have a case. Good, solid evidence can answer several of the five Ws and an H of a security violation: who, what, when, where, why, and how. You'll use the evidence you collect to advance the discovery of facts in an investigation, and that same evidence might provide the proof necessary for a legal finding in your favor. Understanding computer evidence is the first step in successfully investigating a security violation.