Technical
Nonrepudiation requirements imply the need for mechanisms to support unique identification for users and possible servers, applications, and processes.
- Discrete event tracking/reconstruction; host-based and network-based
- Aggregate event tracking/reconstruction; cradle-to-grave tracking of sessions or individual activity, including systems visited, processes and applications executed, threads initiated, files accessed, transmissions initiated, hops to other systems, etc.
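As an added illustration of the two tracking requirements above (example code, not from the book), the following Python reconstructs one session cradle-to-grave from constructed host-based audit records, following the hop from one system to the next. The hosts, users, session ids and timestamps are assumed sample values.

```python
from collections import namedtuple

# One audit record. Timestamps are same-day "HH:MM:SS" strings so they sort
# lexicographically. `child` is the session id that a "hop" event spawned on
# the remote system: the network-based link between two hosts' records.
Event = namedtuple("Event", "ts host session user kind detail child")

# Constructed sample events (not from the book): alice logs on to hostA, runs
# a shell, reads a file, hops to hostB, works there, and logs off both hosts.
# bob's session on hostB is unrelated and must stay out of alice's timeline.
EVENTS = [
    Event("09:00:00", "hostA", "s1", "alice", "logon",   "ssh from 10.0.0.5",      None),
    Event("09:01:10", "hostA", "s1", "alice", "process", "/bin/bash",              None),
    Event("09:02:30", "hostA", "s1", "alice", "file",    "/home/alice/report.txt", None),
    Event("09:03:00", "hostA", "s1", "alice", "hop",     "ssh to hostB",           "s2"),
    Event("09:03:05", "hostB", "s2", "alice", "logon",   "ssh from hostA",         None),
    Event("09:04:00", "hostB", "s2", "alice", "file",    "/var/log/auth.log",      None),
    Event("09:05:00", "hostB", "s2", "alice", "logoff",  "",                       None),
    Event("09:06:00", "hostA", "s1", "alice", "logoff",  "",                       None),
    Event("09:00:30", "hostB", "s9", "bob",   "logon",   "console",                None),
]

def by_session(events):
    """Discrete tracking: each host's records grouped by session, in time order."""
    groups = {}
    for e in sorted(events, key=lambda e: e.ts):
        groups.setdefault(e.session, []).append(e)
    return groups

def reconstruct(events, root):
    """Aggregate tracking: start at the root session, follow every hop link to
    the session it spawned elsewhere, and return one cradle-to-grave timeline."""
    groups = by_session(events)
    timeline, pending, seen = [], [root], set()
    while pending:
        sid = pending.pop(0)
        if sid in seen:            # tolerate malformed or cyclic hop links
            continue
        seen.add(sid)
        for e in groups.get(sid, []):
            timeline.append(e)
            if e.kind == "hop" and e.child:
                pending.append(e.child)
    return sorted(timeline, key=lambda e: e.ts)

def systems_visited(timeline):
    """Distinct hosts in the order the session reached them."""
    hosts = []
    for e in timeline:
        if e.host not in hosts:
            hosts.append(e.host)
    return hosts
```

Calling `reconstruct(EVENTS, "s1")` yields alice's eight records across both hosts in time order, and `systems_visited` on that result gives `["hostA", "hostB"]`.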
8.12.2.4 Policy
Organizational policy directly specifies either the need for digital forensics or the
need for a CSIRT that may support digital forensic activities.
8.12.3 Policy
Digital forensics guidelines provide direction on forensics procedures, investigation guidelines, and technical aspects of forensics, including how to approach a particular system and recommendations on forensics tools; example guidelines include:
- U.S. Secret Service Best Practices for Seizing Electronic Evidence
- FBI Search and Seizure Manual
- NIST SP 800-72: PDA Forensics Guide
8.12.4 Practice
Figure 8.11 summarizes the digital forensics workflow. A trigger event prompts contacting the CSIRT, which goes through discovery, fact gathering, analysis, reporting, and follow-up, with organizational feedback from root cause analysis and determining lessons learned.
8.12.5 Best Practices
Digital forensics best practices include:
- U.S. Secret Service Best Practices for Seizing Electronic Evidence
- International Organization on Computer Evidence (IOCE) Guidelines for Best Practice in the Forensic Examination of Digital Technology
- U.S. Department of Justice Forensic Examination of Digital Evidence: A Guide for Law Enforcement