427 Botnet fm qxd

Syngress).
Network forensics
involves the gathering of evidence off the network,
of course, whereas 
host forensics
refers to gathering evidence from a drive or
drive image or from other media.
Forensic aims can include identification, preservation, analysis, and presen-
tation of evidence, whether or not in court. However, digital investigations
that are or might be presented in a court of law must meet the applicable
standards of admissible evidence. Admissibility is obviously a concept that
varies according to jurisdiction but is founded on relevancy and reliability.
We will be focusing on the use of forensic techniques for collecting intel-
ligence about botnets rather than about their use to support prosecution or
civil lawsuits.
Tools & Traps…
Understanding Digital Forensics
A detailed consideration of digital forensics at the judiciary level is way
beyond the scope of this chapter. Here, though, just to give you the
flavor, is a summary of some major issues:
■
You must not jeopardize the integrity of the evidence, so
you must be scrupulously careful to avoid all the usual risks
of handling data in the 21st century, such as exposure to
extraneous malicious code, (electro)mechanical damage, and
accidental corruption or deletion. Additionally, you must be
aware of the risk of damage to the evidence from
embedded malicious code (booby traps), less obvious pitfalls
such as accidental updating or patching of a target system
or disk, or prematurely terminating processes on a machine
of which a snapshot has not yet been taken.
■
Establish a chain of custody to minimize the possibility of
tampering with evidence by accounting for everyone who
handles (or has possible access to) it. 
■
Work with data copies or a disk image rather than original
data to avoid making any changes to it that might affect its
legal validity.

Download 6,98 Mb.

Do'stlaringiz bilan baham: