Chapter Summary

Evidence

  • Evidence must meet the three standards of being sufficient, competent, and relevant if it is to be used in legal proceedings.


  • There are four different types of evidence: Direct, Real, Documentary, and Demonstrative.


  • There are three rules regarding evidence: the best evidence rule, the exclusionary rule, and the hearsay rule.


Collecting Evidence

  • Evidence must be properly collected, protected, and controlled to be of value during court or disciplinary activities.


  • When acquiring evidence, one must be deliberate to ensure evidence is not damaged and operations are not negatively impacted.


  • Evidence must be properly marked so that it can be readily identified as that particular piece of evidence gathered at the scene.


  • Evidence must be protected so that it is not tampered with, damaged, or compromised.


  • Evidence should be transported cautiously to ensure custody of the evidence is maintained and the evidence itself is not tampered with or damaged.


  • Evidence should be stored in properly controlled areas and conditions.


  • When conducting an investigation on computer components, one must be deliberate and cautious to ensure evidence is not damaged.


Chain of Custody

  • A chain of custody that accounts for all persons who handled or have access to the evidence must be maintained to prevent evidence tampering or damage.


Free Space and Slack Space

  • Information can be recorded and possibly hidden in various ways on a computer. Sometimes information will be hidden in either the free space or the slack space of the computer’s disk drive.


  • Free space is the space (sectors) on a storage medium that is available for the operating system to use.


  • Slack space is the unused space on a disk drive created when a file is smaller than the allocated unit of storage, such as a sector.


Message Digest and Hash

  • The use of a message digest or hashing algorithm is essential to ensure that information stored on a computer’s disk drives has not been changed.


  • A hashing algorithm applies mathematical operations to a data stream or file to calculate a fixed-size number that is, for practical purposes, unique to the information contained in that data stream or file.


  • A message digest is the result of applying the hash function to data. It is also known as a hash value.


  • If the information in the data stream or file is changed, a different message digest will result, indicating the file has been tampered with.
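The integrity check the bullets above describe, as an added example that is not part of the original chapter: digests of the evidence files are recorded right after imaging, then recomputed later, and any file whose digest no longer matches is flagged. The file names and contents are constructed sample data, not real evidence.

```python
import hashlib
from typing import Dict

# Constructed sample "evidence files": name -> contents as captured at imaging time.
EVIDENCE = {
    "image.dd": b"\x00" * 512 + b"MBR placeholder" + b"\x00" * 497,
    "history.dat": b"http://example.invalid/search?q=budget\n",
    "notes.txt": b"meeting at 9\n",
}


def message_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex message digest (hash value) of a data stream."""
    h = hashlib.new(algorithm)
    # Feed the data in chunks, as one would for a multi-gigabyte drive image
    # rather than loading the whole thing into memory at once.
    for i in range(0, len(data), 4096):
        h.update(data[i:i + 4096])
    return h.hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Calculate and record a digest for every file right after imaging."""
    return {name: message_digest(content) for name, content in files.items()}


def verify_manifest(manifest: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Recompute each recorded digest; report 'ok', 'modified' or 'missing' per file."""
    report = {}
    for name, recorded in manifest.items():
        if name not in files:
            report[name] = "missing"
        elif message_digest(files[name]) != recorded:
            report[name] = "modified"  # a single changed byte produces a different digest
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE)
    # Simulate a one-character change in one file and the loss of another.
    tampered = dict(EVIDENCE)
    tampered["notes.txt"] = b"meeting at 8\n"
    del tampered["history.dat"]
    print(verify_manifest(manifest, tampered))
```

The recorded manifest should itself be stored with the chain-of-custody paperwork, since a digest that can be quietly replaced proves nothing.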


Analysis

  • Forensic analysis of data stored on a hard drive can begin once the drive has been imaged and message digests of important files have been calculated and stored.


  • Analysis typically involves investigating the Recycle Bin, web browser and address bar history files, cookie files, temporary Internet file folders, suspect files, and free space and slack space.


  • Experience and knowledge are the most valuable tools available to you when performing computer forensic activities.



Security+ and Beyond Online Learning Center, Chapter 23: Chapter Summary