Computer forensics is a vital tool in incident response. It has the potential to provide conclusive evidence in an investigation and to assist in corroborating other evidence. It is, however, a discipline for the trained professional only. Well-meaning amateurs can cause irreparable damage to the evidence and should not be allowed to conduct an investigation without the proper training.
It also has the potential to be an enormous task. When computers had small (or even no) hard drives, it was feasible to conduct a sector-by-sector search. When computers were relatively uncommon, it was feasible to seize a company computer and search it. When an entire team has computers, and each of those computers has a very large hard drive, the search task can become overwhelming. If the incident is not particularly serious, if the range of suspects cannot be constrained to a manageable number, or if the amount of data cannot be reduced to a controllable amount, management should ask whether it is an effective use of resources (internal or external) to conduct an in-depth investigation on potentially terabytes of data.

The fundamental limitation of forensics cannot be overstated. Computer forensics can, at best, identify that a specific computer might have been involved. At that point, the forensics investigator must look for other sources of evidence to place the person at that computer at the time of the incident. The forensics examination can provide the incident response team with additional evidence. This evidence, even if inconclusive per se, can be valuable when interviewing potential suspects or when viewed in the context of a complete investigation that includes physical security logs, network logs, eyewitnesses, and other factors.