
Notes:
ACQUISITION:
Track or Observe a Live Intruder?
Assess Extent of Live Intrusion?
Preserve Evidence for Court?
Close the Holes and Evict the Unwanted Guest?
Support for Sheriff, State Police or FBI Arrest?
Support for Court Ordered Subpoena?
IDENTIFICATION:
Physical Context: Exhibit A, Seagate Barracuda 4GB hard disk
Logical Context: identified as /dev/hda1, mounted as /; file /etc/hosts.equiv
Presentation/Use Context: /etc/hosts.equiv is used to control access to the system
Opinion to support relevance of findings: a "+" was found appended to the end of this file, essentially disabling access control. File modification time was 3:24am on Monday 09/25/2000.
Handling and labeling of objects submitted for forensic analysis is key.
Following a documented procedure is key.
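Checking for the wildcard described in the finding above, as an added example (not part of the original notes): it parses a hosts.equiv file, flags "+" entries, and records the path, modification time and digest that an identification record cites. The sample file contents, hostnames and the rhosts-style syntax are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample /etc/hosts.equiv (rhosts syntax assumed); the last line "+" trusts every host.
SAMPLE_HOSTS_EQUIV = (
    "# trusted hosts for rsh/rlogin\n"
    "admin.example.com\n"
    "backup.example.com  operator\n"
    "+\n"
)

def parse_hosts_equiv(text):
    """Return (host, user) pairs, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries

def wildcard_findings(entries):
    """'+' as host trusts every host; '+' as user trusts every user on that host."""
    findings = []
    for host, user in entries:
        if host == "+":
            findings.append("'+' host entry: any host is trusted")
        elif user == "+":
            findings.append(f"'+' user entry for {host}: any user on that host")
    return findings

def evidence_record(path):
    """What the identification phase cites: path, modification time, digest, findings."""
    with open(path, "rb") as f:
        data = f.read()
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)
    return {
        "path": path,
        "sha256": hashlib.sha256(data).hexdigest(),
        "mtime_utc": mtime.isoformat(),
        "findings": wildcard_findings(parse_hosts_equiv(data.decode("utf-8", "replace"))),
    }

def record_for_sample():
    """Write the constructed sample to a temp file and build its evidence record."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".hosts.equiv") as tmp:
        tmp.write(SAMPLE_HOSTS_EQUIV)
    return evidence_record(tmp.name)
```

On a real exhibit the file would be read from a write-blocked image rather than the live system, and the digest recorded before any examination.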
EVALUATION:
This is what lawyers (or others concerned with the case) do: basically, determine relevance.
Presentation of findings is key in this phase.
Findings submitted for evaluation as evidence will not only be evaluated for validity but for chain of custody problems.
PRESENTATION:
Some findings will not be evaluated to be worthy of presentation as evidence.
Few findings will need to withstand rigorous examination by another expert witness.
The evaluator of evidence may be expected to defend their methods of handling the evidence being presented.
The Chain of Custody may be challenged.