Kevin Mandia, president and CEO of Mandiant, which provides forensics and other infosecurity services, says chain of custody is maintained by the following steps:
- Keeping evidence within an investigator's possession or sight at all times
- Documenting the collection of evidence
- Documenting the movement of evidence from one investigator's custody to another's
- Securing the evidence appropriately so it cannot be tampered with
Forensics investigators typically make copies of a compromised system or other evidence and perform analysis on one of the copies. Jenkins usually makes three copies and puts the original system in an evidence bag for safe storage.
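The article does not say how investigators prove that a working copy is still identical to the sealed original. The script below is an added illustration, not code from the article or from Mandiant, of one standard way to do it: hash the original before it is bagged, make the working copies, log every handling step with a timestamp and handler, and refuse to analyse a copy whose hash no longer matches the sealed original. The image bytes, file names and examiner names are constructed for the example.

```python
"""Added example: hash-verified working copies with a chain-of-custody log."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample "disk image" contents. A real image would be the
# acquired bytes of the compromised system.
SAMPLE_IMAGE = b"FAT32 boot sector\x00" * 256 + b"compromised-host-evidence" * 64


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large images need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who handled which artifact, when, and its hash."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, action: str, handler: str, path: Path) -> dict:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "artifact": path.name,
            "sha256": sha256_file(path),
        }
        self.entries.append(entry)
        return entry

    def dump(self) -> str:
        return json.dumps(self.entries, indent=2)


def acquire_copies(original: Path, workdir: Path, log: CustodyLog,
                   handler: str, count: int = 3) -> list[Path]:
    """Hash and seal the original, then make `count` logged working copies."""
    log.record("sealed original", handler, original)
    copies = []
    for i in range(1, count + 1):
        copy = workdir / f"{original.stem}.copy{i}{original.suffix}"
        shutil.copyfile(original, copy)
        log.record(f"created working copy {i}", handler, copy)
        copies.append(copy)
    return copies


def verify_against_original(log: CustodyLog, artifact: Path) -> bool:
    """An artifact is fit for analysis only if it hashes like the sealed original."""
    sealed = next(e for e in log.entries if e["action"] == "sealed original")
    return sha256_file(artifact) == sealed["sha256"]


def demo() -> dict:
    """Run the whole procedure on the constructed image and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        original = workdir / "host01.img"
        original.write_bytes(SAMPLE_IMAGE)

        log = CustodyLog()
        copies = acquire_copies(original, workdir, log, handler="examiner A")
        intact = [verify_against_original(log, c) for c in copies]

        # Simulate tampering with (or accidental modification of) copy 3
        # somewhere between examiner A and examiner B.
        with copies[2].open("r+b") as f:
            f.seek(0)
            f.write(b"X")
        log.record("handed copy 3 to examiner B", "examiner B", copies[2])

        return {
            "entries": len(log.entries),
            "copies_intact_on_creation": all(intact),
            "tamper_detected": not verify_against_original(log, copies[2]),
            "original_unchanged": verify_against_original(log, original),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log entry written at each hand-off is what lets a later reader reconstruct who held the artifact and whether its contents changed in their custody; the mismatch on copy 3 shows up at the next verification rather than going unnoticed into analysis.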
Courts will also accept evidence that is produced in the normal course of business, Spernow says. For example, if a firewall administrator routinely examines logs on a daily basis and sees evidence of a hack, those logs will be considered a normal business record.
While some organizations have in-house resources to conduct forensics examinations, many need to call
But there are no hard-and-fast rules for evaluating forensic experts. Certifications can be one means of assessing skill (there are vendor and vendor-neutral certifications available in the field), but hardly the only measure. In fact, Mandia says in his work, reputation and experience weigh more heavily than certifications.
This was first published in September 2007