Describing computer evidence
Addressing evidence handling issues
Maintaining the chain of custody
Ensuring evidence admissibility
Methods of preserving evidence state
In this chapter, you'll learn about computer evidence: what it is and what makes it different from regular evidence. You'll also learn how to identify, collect, handle, and present evidence in and out of court.
Simply put, evidence is something that provides proof. You'll need evidence to prove that someone attacked your system. Without evidence, you only have a hunch. With evidence, you might have a case. Good, solid evidence can answer several of the five Ws and an H of security violations: who, what, when, where, why, and how. You'll use the evidence you collect to further the discovery of the facts in an investigation. That same evidence might provide the proof necessary to result in a legal finding in your favor. Understanding computer evidence is the first step in successfully investigating a security violation.