Examination of the Evidence

The acquisition of the media, although tedious, is generally clear-cut. A trained investigator, following a set of rules, can be reasonably certain that the data was acquired properly and is not tainted. Examining the evidence to find proof of wrong-doing, however, can be anything but straightforward.

Planning the Search

The most important step in the examination is to plan what items to search for. A poorly designed search will result in either no results at all or so many results that they are unusable. A well-designed search consists of unique items that are unlikely to occur outside the scope of the investigation but that are also likely to be present in any incriminating evidence. This might be a simple task, ...
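To make the design criteria above concrete, here is an added example (my own illustration, not code from the book) that scores candidate search terms the way the text suggests: a term is useful only if it hits the acquired evidence and does not also hit a clean baseline of the same system. The two corpora, the file paths and the candidate terms are all constructed for the example; the threshold `max_baseline_files` is an assumed tuning knob.

```python
"""Keyword-search planning helper (added example; corpora are constructed)."""
import re


# Constructed sample "evidence" corpus: a few text fragments standing in for
# files recovered from an acquired image. Not real forensic data.
EVIDENCE = {
    "home/jdoe/notes.txt": "Meeting with acme-corp about project BLUEHERON; "
                           "transfer to acct 4471-9920 done.",
    "home/jdoe/mail/sent-0034.eml": "Subject: BLUEHERON docs\n"
                                    "Attached the BLUEHERON drawings as discussed.",
    "var/log/syslog": "Jan 10 03:12:01 host CRON[1012]: (root) CMD (run-parts /etc/cron.hourly)",
    "usr/share/doc/README": "This package contains documentation for the system. "
                            "See the manual for details.",
}

# Constructed baseline corpus: files a clean installation of the same system
# would contain. Hits here mean a term is not specific to the investigation.
BASELINE = {
    "usr/share/doc/README": "This package contains documentation for the system. "
                            "See the manual for details.",
    "var/log/syslog": "Jan 09 03:12:01 host CRON[998]: (root) CMD (run-parts /etc/cron.hourly)",
    "etc/hostname": "host",
}


def count_hits(term, corpus):
    """Return (files containing term, total occurrences), case-insensitive."""
    pattern = re.compile(re.escape(term), re.IGNORECASE)
    files = total = 0
    for text in corpus.values():
        n = len(pattern.findall(text))
        if n:
            files += 1
            total += n
    return files, total


def assess_terms(terms, evidence, baseline, max_baseline_files=0):
    """Classify each candidate search term.

    'useless' -> no hits anywhere in the evidence (the search returns nothing)
    'generic' -> also found in more than max_baseline_files clean-system files
                 (the search would drown in noise)
    'good'    -> present in the evidence, absent from the baseline
    """
    report = {}
    for term in terms:
        ev_files, ev_total = count_hits(term, evidence)
        bl_files, _ = count_hits(term, baseline)
        if ev_files == 0:
            verdict = "useless"
        elif bl_files > max_baseline_files:
            verdict = "generic"
        else:
            verdict = "good"
        report[term] = {
            "verdict": verdict,
            "evidence_files": ev_files,
            "evidence_hits": ev_total,
            "baseline_files": bl_files,
        }
    return report


def good_terms(report):
    """Terms worth keeping in the final search list, sorted for stable output."""
    return sorted(t for t, r in report.items() if r["verdict"] == "good")


if __name__ == "__main__":
    # Constructed candidates: two case-specific identifiers, three generic words,
    # and one term that simply is not on the image.
    candidates = ["BLUEHERON", "4471-9920", "the", "system", "CRON", "WIDGETX"]
    result = assess_terms(candidates, EVIDENCE, BASELINE)
    for term, info in result.items():
        print(f"{term:12} {info['verdict']:8} "
              f"evidence={info['evidence_files']} baseline={info['baseline_files']}")
    print("keep:", good_terms(result))
```

In a real examination the baseline would be a known-good image of the same OS build (or a hash/keyword catalogue of it) rather than three strings, but the decision rule is the same: drop terms with zero evidence hits, drop terms the clean system already contains, and keep the unique identifiers that tie the data to the case.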

Get Incident Response: A Strategic Guide to Handling System and Network Security Breaches now with the O’Reilly learning platform.