There are two major categories of principles in the conduct of computer forensics. Both are designed to protect the investigator, the evidence, and the rights of the accused.

Ethics

First, the investigator must have the authority to seize and search the computer. In corporate settings, this is normally granted by policy. The company acceptable-use policy should state that the company has the right to conduct a search on any or all company equipment, at any time, for any reason. (Note: Government agencies and contractors working for government agencies might have different requirements. IRT personnel should consult with their legal counsel prior to drafting policies.) Second, the search should have clearly defined goals. "Fishing expeditions," in which a computer is searched for any evidence of any wrongdoing, have the potential to dramatically impact employee morale. Although the company probably has the legal right to randomly search company assets at any time, this will likely be perceived by employees as an unreasonable invasion of privacy.
Conduct of the Examination

There are basic rules to be followed in the conduct of any forensics examination. Although sometimes the specific situation might require an exception to these rules (some exceptions are covered in Chapter 11, "The Human Side of Incident Response"), following these rules will make any eventual legal proceeding much more likely to succeed. When computer forensics was first introduced, investigators found themselves defending their actions during the course of the examination. In the same way that the defense attempted (and succeeded) to cast doubt on the purity of the DNA evidence in the O.J. Simpson trial, an attorney might attempt to convince the court that the computer evidence has been tampered with or tainted by the investigation. The following rules are designed to make it more difficult to tamper with evidence:
Fortunately, there are checklists and guidelines that provide assistance in maintaining these rules. Some of the forensics software described later in this chapter is specifically designed, for example, to protect the original files from modification.