meant in digital forensics by “investigative process.” Such a process comprises the
sequence of activities which should be performed by the forensic examiner to ensure
compliance with juridical requirements now common to all countries.
For the purposes of this document, the investigative process is subdivided into six
phases as illustrated in Fig. 1.
Notification. This first report occurs when an attack is detected by an automatic
device, by internal personnel, or through external input (for example by a system
administrator in another company, or by another business unit in the same company).
The action taken is usually to create or activate a response team, whose first task is
to confirm that an attack has occurred.
Preservation. This is a critical phase in incident response and the first bona fide
digital forensic action. The main objective here is to make sure that the scene of
Fig. 1. The investigative process.