2020 | OriginalPaper | Chapter
14. Computer and Network Forensics
Published in:
Guide to Computer Network Security
Abstract
This chapter discusses what constitutes digital evidence, the collection and analysis of digital evidence, the chain of custody, the writing of the report, and the possible appearance in court as an expert witness. There is an in-depth discussion of the rule of thumb for digital evidence acquisition and of the candidates for evidence extraction. Extra care must be taken in preserving digital evidence because it is very fluid: it can disappear or change very quickly. The chapter discusses the various techniques for preserving evidence and what needs to be done if evidence is to be moved. Emphasis is placed on the importance of careful analysis of digital evidence, noting that this process is the most difficult and most opinionated. It is also the most important and most time-consuming, is painstakingly slow, and should be thorough so that it can support or reject a fact based on identified patterns of activity, file signature anomalies, unusual behaviors, file transfers, and several other trends in the evidence. The final issues discussed in this chapter include the process of report writing and presentation and the ethical implications and responsibilities of both the investigator and the lawyer.