Chapter 3

Computer Evidence

  • Describing computer evidence
  • Addressing evidence handling issues
  • Identifying evidence
  • Collecting evidence
  • Maintaining the chain of custody
  • Ensuring evidence admissibility
  • Methods for preserving evidence state

In this chapter, you learn about computer evidence—what it is and how it differs from conventional evidence. You’ll also learn how to identify, collect, handle, and present computer evidence in and out of court.

Simply put, evidence is something that provides proof. You need evidence to prove that someone attacked your system. Without evidence, you only have a hunch. With evidence, you might have a case. Good, solid evidence answers several of the five Ws and the H for security violations: who, what, when, where, why, and how. You’ll use the evidence you collect to further the discovery of the facts in an investigation. That same evidence might provide the proof necessary to result in a legal finding in your favor. Understanding computer evidence is the first step toward successfully investigating a security violation.
