what is computer forensics

Definition:

The study of network traffic to search for truth in civil, criminal, and administrative matters to protect users and resources from exploitation, invasion of privacy, and any other crime fostered by the continual expansion of network connectivity.(Source: Kevin Mandia & Chris Prosise, Incident response,Osborne/McGraw-Hill, 2001. )

Network Forensics

In order to identify attacks, "network forensics" deals with the capture and inspection of packets passing through a selected node in the network. Packets can be inspected on the fly or stored on disk for later analysis. See forensically clean, slack space, write blocker, file wipe, IDS and security event management software.

NIST Phases

The National Institute of Standards and Technology "Guide to Integrating Forensic Techniques into Incident Responses" covers four phases, which are briefly summarized below. For the complete 121-page NIST publication, download draft SP 800-86 at http://csrc.nist.gov/publications/nistpubs.

1 - Collection: Identify, label, record and acquire data from possible sources, while preserving the integrity of the data.

2 - Examination: Use manual and automated methods to assess and extract data of particular interest, while preserving the integrity of the data.

3 - Analysis: Use legally justifiable methods and techniques to derive useful information.

4 - Reporting: Describe actions used, explain how tools and procedures were selected, determine what other actions need to be performed, including forensic examination of additional data sources, securing identified vulnerabilities and improving existing security controls. Recommend improvements to policies, guidelines, procedures, tools and other aspects of the forensic process.