Page 1359 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

When you initiate a computer security investigation, you should first assemble a team of competent analysts to assist with the investigation. This team should operate under the organization’s existing incident response policy and be given a charter that clearly outlines the scope of the investigation; the authority, roles, and responsibilities of the investigators; and any rules of engagement that they must follow while conducting the investigation. These rules of engagement define and guide the actions that investigators are authorized to take at different phases of the investigation, such as calling in law enforcement, interrogating suspects, collecting evidence, and disrupting system access.


Gathering Evidence

It is common to confiscate equipment, software, or data to perform a proper investigation. The manner in which the evidence is confiscated is important: it must be carried out in a proper fashion. There are three basic alternatives.


First, the person who owns the evidence could voluntarily surrender it. This method is generally appropriate only when the attacker is not the owner. Few guilty parties willingly surrender evidence they know will incriminate them. Less experienced attackers may believe they have successfully covered their tracks and voluntarily surrender important evidence. A good forensic investigator can extract much “covered-up” information from a computer. In most cases, asking for evidence from a suspected attacker just alerts the suspect that you are close to taking legal action.



In the case of an internal investigation, you will gather the vast majority of your information through voluntary surrender. Most likely, you’re conducting the investigation under the auspices of a senior member of management who will authorize you to access any organizational resources necessary to complete your investigation.



Second, you could get a court to issue a subpoena, or court order, that