chapter  16
- Collecting and Analyzing Evidence of a Computer Crime
Pages 18

In the last chapter, we introduced a high level set of tasks to perform as part of the end-to-end process of forensic digital analysis. Those steps were:

• Collecting evidence • Analysis of individual events • Preliminary correlation • Event normalizing • Event deconfliction • Second level correlation (consider both normalized and non-nor-

malized events) • Timeline analysis • Chain of evidence construction • Corroboration (consider only nonnormalized events)

If we look at the process in more detail, however, we find that really is a lot more to the process. In support of the above, we need to:

• Identify and isolate the victim • Identify of the vector by which the victim was attacked • Backtrace to the attacker • Identify and isolate intermediate devices along the path between

attacker and victim • Identify and isolate the attacker • Collect evidence from all involved devices • Correlate evidence along the path from attacker to victim, including

intermediate devices • Create an event timeline • Corroborate each and every element of evidence in the event timeline • Consider exculpatory evidence, possible alternative explanations, etc.