Slashdot Mirror


Computer Forensics

Craig Maloney writes "Many Slashdot readers know how to secure a network, and many know how to determine if a security breach has taken place. Fewer readers, though, would know how to handle a security breach if corporate assets were involved. How would you cooperate with law enforcement when a crime has been committed on a computer?" For more questions, and the rest of Maloney's review of Warren G. Kruse II and Jay G. Heiser's Computer Forensics, read on below.

Title: Computer Forensics
Author: Warren G. Kruse II and Jay G. Heiser
Pages: 392
Publisher: Addison Wesley
Rating: 8/10
Reviewer: Craig Maloney
ISBN: 0201707195
Summary: A good reference for what to do when computer crime happens

How do you get the evidence off a computer in a form that will withstand a defense lawyer's scrutiny? Maybe you would just unplug the machine and put it in storage to await a detective's arrival, but is that what we should do? What if the evidence is on a production server that can't simply be unplugged and put into storage? What if that evidence is slowly being erased as files are created and deleted on that server? How do you help build the case against a computer criminal? Hopefully you'll never have to worry about computer crime in your home or workplace, but if you do, Computer Forensics will be an asset to your part of the investigation.

Who is this book for?

Computer crime isn't simple -- it can range from damage done by simple script kiddies to corporate espionage by disgruntled employees, as well as sophisticated, multi-homed attacks by skilled crackers. Computer Forensics tries hard to cover a lot of these areas. The book includes a chapter dealing with laptop hardware, as well as ones on data hiding and encryption, and further chapters on putting evidence together and dealing with law enforcement. While these topics may be of interest to the Slashdot crowd, Computer Forensics focuses more on broad topics of interest to computer detectives who need to get up to speed quickly with computer crimes and computer evidence gathering.

Several chapters are downright boring for anyone with a modicum of computer experience. Finding out where e-mail is stored on Windows and Linux machines, or understanding what a rootkit is and what it does, will be pedestrian for many readers. Nestled away between the necessary-but-pedestrian topics, though, are some very useful tools. The authors use netcat with tar to copy files between machines without disturbing the modification times (something I would never have thought to use). Novice users will find a wealth of tools and examples in these chapters. The tools used in the book tend toward open source and free software, and rely heavily on Linux as the Swiss Army knife for handling file systems and files without disturbing them. Any reader should be able to put together a decent set of tools from this book.
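The tar-plus-netcat copy the review mentions, as an added example that is not code from the book or the reviewer: tar keeps each file's modification time in the archive and restores it on extraction, which is what makes it a better collection tool than a plain cp. To run offline, the script stands a local pipe in for the netcat socket (the nc wiring is shown in a comment; the collector address 10.0.0.5 and port 9999 there are placeholders), builds a constructed "suspect" tree whose files are backdated to 2003, copies it both ways, and checks the mtimes on the result. Only POSIX sh, tar, find, stat and touch are needed.

```shell
#!/bin/sh
# Added example, not code from the book: copy a directory tree with tar so
# that the files' modification times survive, and check that they did.
# The book's network form replaces the local pipe with netcat, e.g.
#   collector (10.0.0.5):  nc -l -p 9999 | tar -xpf - -C /evidence/host1
#   suspect host:          tar -cf - /var/log | nc 10.0.0.5 9999
# (address and port are placeholders; -l/-p syntax differs between nc variants)
set -eu

# mtime of a path in seconds since the epoch: GNU stat first, BSD stat as fallback.
mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# tar_copy SRC DST: archive SRC from its parent directory, stream the archive
# through a pipe (stand-in for the netcat socket) and unpack it under DST.
# -p on the extracting side restores permissions; mtimes are restored by
# default. Never add -m there: it stamps every file with the extraction time.
tar_copy() {
    mkdir -p "$2"
    ( cd "$(dirname "$1")" && tar -cf - "$(basename "$1")" ) | ( cd "$2" && tar -xpf - )
}

# naive_copy SRC DST: what cp -R without -p does, for comparison.
naive_copy() {
    mkdir -p "$2"
    cp -R "$1" "$2/"
}

# same_mtimes A B: 0 if every regular file under A has the same mtime as its
# counterpart under B, 1 (with the first mismatch printed) otherwise.
same_mtimes() {
    ( cd "$1" && find . -type f ) | while read -r f; do
        a=$(mtime "$1/$f"); b=$(mtime "$2/$f")
        [ "$a" = "$b" ] || { echo "mtime mismatch on $f: $a vs $b"; exit 1; }
    done
}

# make_sample: a constructed "suspect" tree (two made-up files) backdated to
# 2003-01-01 12:00, so that any copy method that re-stamps them is easy to spot.
# Prints the temporary directory that holds it.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/suspect/logs"
    printf 'Jan  1 12:00:00 box sshd[1]: Accepted password for root\n' > "$d/suspect/logs/auth.log"
    printf 'rm -rf /var/log/wtmp\n' > "$d/suspect/.bash_history"
    touch -t 200301011200 "$d/suspect/logs/auth.log" "$d/suspect/.bash_history"
    echo "$d"
}

# self_check: returns 0 when the tar copy kept every mtime and the plain
# cp -R copy did not.
self_check() {
    d=$(make_sample); ok=0
    tar_copy "$d/suspect" "$d/tar_evidence"
    naive_copy "$d/suspect" "$d/cp_evidence"
    if same_mtimes "$d/suspect" "$d/tar_evidence/suspect" \
       && ! same_mtimes "$d/suspect" "$d/cp_evidence/suspect" >/dev/null; then
        ok=1
    fi
    rm -rf "$d"
    [ "$ok" = 1 ]
}

self_check && echo "tar over a pipe preserved every mtime; cp -R re-stamped them"
```

Two caveats a practitioner will want: tar restores mtime but cannot restore ctime, and merely reading the source files bumps their atime unless the filesystem is mounted read-only or noatime (GNU tar's --atime-preserve option is the other way to avoid that); and the mtime stored in a ustar archive has one-second resolution. For anything that may reach court, hash the archive as it arrives on the collector (sha1sum or md5sum) and record the hash, and treat a tar stream as a live-triage tool rather than a substitute for a bitwise image of the disk.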

Making it all work

Putting together a good forensic kit is all well and good, but making sure your evidence holds up to the scrutiny of some high-powered, high-priced defense lawyer is much more important. The last chapter of Computer Forensics gives a brief introduction to the criminal justice system. The authors touch on notifying law enforcement agencies, search warrants, probable cause, interviews, subpoenas, dollar-loss guidelines, and testifying as an expert witness, among other legal topics. The appendices have checklists, flowcharts, and an incident report form to aid investigation and evidence gathering. These are invaluable resources for the system administrator of any public machine who needs to deal with law enforcement.

Conclusion

Thinking about dealing with courts and law enforcement may not be at the forefront of any administrator's job, but it is a reality every administrator needs to be aware of. Computer Forensics will at least make administrators more aware of what their legal options are, and of the form in which gathered forensic data needs to be presented as evidence. Computer detectives will find a good, if rudimentary, example of what to look for when investigating a computer crime scene. This may not be the most comprehensive book on the subject of computer crime, but it will point you in the right direction to help investigate it should it ever happen to you.


8 of 244 comments

  1. Crime On Computer ... by foobsr · Score: 3, Funny

    when a crime has been committed on a computer?

    Must be old mainframes then.

    CC.

    --
    TaijiQuan (Huang, 5 loosenings)
  2. The computer is the victim. by eln · Score: 4, Funny

    Whenever you do work like this on computers, it's important to know that the computer is ultimately the victim here. Don't be too rough with it in trying to get information. It's important to get information back, but it's also very important to maintain the computer's well-being. Always ask before taking a look at the computer's hard drives. If the computer refuses, back off and try again another day. After being so traumatized, many computers will not feel comfortable letting you in right away. In some cases, gender may be an issue, so always use female-to-female or male-to-male data cables when attempting to access the computer's internal ports, as recently attacked computers may have more hostility toward opposite-gender pairings in interrogations.

    Please, always make the computer your first priority, and be mindful that you do not damage it further in your rush to make an arrest.

  3. If you've got a problem, if no one else can help, by Ingolfke · Score: 2, Funny

    and if you can find them. Call the A-Team.

  4. How would you cooperate with law enforcement? by RealAlaskan · Score: 4, Funny

    How would you cooperate with law enforcement when a crime has been committed on a computer?

    Wouldn't that depend on your role in the crime, and your lawyer's advice?

  5. Re:Been there, done that. by rylin · Score: 1, Funny

    Interesting and educational?
    Definitely!

    Without trying to sound.. weird.. I wish it'd happen again ;)
    It was definitely a few days with something worthwhile and different to do, even if it didn't mean anything in the end.

    The adrenaline rush I got when standing three meters away from the baddie while talking to the police officer on the phone was intense.
    I don't think I've ever appreciated shaded window-glass as much as I did at the time :P

  6. Re:Cutting Loses by Anonymous Coward · Score: 1, Funny

    Pertussis. Poor chap. Probably shouldn't be in the cockpit.

  7. Re:Outside the U.S. by donscarletti · Score: 3, Funny

    Many mods will moderate funny things as one of the categories starting with 'I' because funny doesn't give any karma. If something is moderated as funny and is later moderated back down again, the poster could actually lose karma because of it, so many mods think it is unfair.

    --
    When Argumentum ad Hominem falls short, try Argumentum ad Matrem
  8. Re:More importantly... by loadquo · Score: 2, Funny

    A mercury switch and an EMP device. Or perhaps an encrypted file system. Just be sure to remember the 1024-bit number.