Chapter 3
Computer Evidence
- Describing computer evidence
- Addressing evidence handling issues
- Identifying evidence
- Collecting evidence
- Maintaining the chain of custody
- Ensuring evidence admissibility
- Methods for preserving evidence state
In this chapter, you learn about computer evidence—what it is and how it differs from conventional evidence. You’ll also learn how to identify, collect, handle, and present computer evidence in and out of court.
Simply put, evidence is something that provides proof. You need evidence to prove that someone attacked your system. Without evidence, you only have a hunch. With evidence, you might have a case. Good, solid evidence answers several of the five Ws and the H for security violations: who, what, when, ...
