Forensic Computing And Electronic Evidence Information Technology Essay

In general, the use of computers for illegal activities is an increasing problem, as virtually every commercial transaction now occurs in the digital world. In addition, people spend a significant part of their lives at the workplace, so the chances are high that some form of computer misuse will occur there. Internal and external threats to an organization are becoming prevalent. In order to manage the collection and handling of digital evidence so that it is admissible in court, an organization needs to concentrate its efforts on establishing mechanisms to handle potential evidence for criminal investigations effectively.

In order to address that issue, I first discuss how computers can be misused at the workplace, identify trends in security incidents, and give a quick overview of digital forensic science and cyber forensics. I then move to the context of the problem, addressing forensic readiness, admissibility of digital evidence, electronic discovery, and practices for incident response. Finally, I present a proposal aimed at proactively addressing the collection and admissibility of digital evidence.

The background

Misuse of computers at the workplace

Computers can be misused at the workplace in a variety of ways. From accessing inappropriate Internet sites to copying copyrighted material such as music, video or software, employees can breach the employer's corporate policies. In addition, non-work-related Internet activity, such as visiting sports sites, bidding online, trading stocks, shopping online, and collecting and forwarding jokes to co-workers, may also infringe Information Security or Information Technology (IT) resource policies.

One of the most common forms of computer misuse in the workplace is the use of corporate e-mail and Internet access for private purposes. Most companies rely on the Internet as a powerful business tool, but misuse of that asset can turn out to be expensive: it consumes IT resources, reduces employee productivity and may compromise security. Some businesses accept personal use of IT resources at the workplace, but there is a fine line between what is acceptable and what is not.

Other, more serious offences include access to unauthorized or confidential material, cyberstalking, identity and information theft, hacking, embezzlement, child pornography and so on. Internal computers can also be used to commit fraud against the employer or its customers or suppliers. In some cases involving an employee accessing certain types of illegal website, a company may itself become subject to criminal investigation. [1] Computer-related evidence can also be used to investigate cases of bribery. [2] 

Companies of all sizes have some sort of security policy in place that helps shape the appropriate use of information technology (IT) assets or identify misbehaviour. Those security policies may have been implemented in line with security standards, such as ISO/IEC 27001:2005 [3] , ISO/IEC 27002:2005 [4] and the Information Security Forum (ISF) Standard of Good Practice [5] , but initiatives in this area are normally driven by two important and quite different streams. First, financial obligations require IT systems to have tight controls, such as access control and authorization procedures, segregation of duties, contingency plans and so on. Second, IT departments establish security mechanisms to protect internal computers from external threats, such as viruses, network attacks and phishing, among other cyber threats. These tasks are mostly performed by distinct teams with different skills in the IT and business areas.

Failure to protect the internal network can put companies in situations where information systems are compromised, private or confidential information is leaked, or computers are even enrolled in criminal botnets [6] . In cases like this, companies may find their computer systems confiscated for inspection as part of a criminal investigation, in addition to suffering reputational damage.

A recent survey from Ernst & Young [7] shows an increase in the perceived internal threat to information security. About 75% of respondents revealed that they are concerned about possible reprisals from employees recently separated from their organization. That may partly reflect the recent global financial crisis, but it is also due to the increasing level of automation and the value of digital assets present in almost all organizations. Another interesting finding of this survey is that the primary challenge to effectively delivering information security was the lack of appropriate resources. [8] 

The computer misuse act (UK)

The Computer Misuse Act (CMA) [9] , the first important piece of UK legislation designed to address computer crime, became law in 1990. It made, for example, hacking and the dissemination of viruses criminal offences. The Act identifies three computer misuse offences:

Section 1 - Unauthorised access to computer material (a program or data).

Section 2 - Unauthorised access to a computer system with intent to commit or facilitate the commission of a serious crime.

Section 3 - Unauthorised modification of computer material.

A person is guilty of an offence under Section 1 if:

He causes a computer to perform any function with intent to secure access to any program or data held in any computer;

The access he intends to secure is unauthorised; and

He knows at the time when he causes the computer to perform the function that that is the case.

Section 2 deals with unauthorised access to computer systems with the specific intention of committing, or facilitating the commission of, a serious crime. A person is guilty of an offence under this section if he commits an offence under Section 1 with intent to commit or facilitate the commission of a further, sufficiently serious, offence.

Section 3 covers unauthorised modification of computerised information, and thus includes viruses and trojans [10] . A person is guilty of an offence under this section if:

He does any act which causes an unauthorised modification of the contents of any computer; and

At the time when he does the act he has the requisite intent and the requisite knowledge.

The requisite intent is an aim to cause a modification of the contents of the computer and by so doing impair its operation or hinder access to it, or any data stored on it. The requisite knowledge is the awareness that any modification one intends to cause is unauthorised.

The CMA has produced a variety of convictions, from nanny agencies (R v Susan Holmes, 2008) to ex-employees (R v Ross Pearlstone, one of the first). [11] One recent arrest under the CMA involved two suspected computer hackers caught in Manchester in a major inquiry into a global Internet fraud designed to steal personal details. The investigation focused on the ZBot trojan, malicious software (malware) [12] that records online bank account details, passwords and credit card numbers in order to steal money with that information. It also steals passwords for social networking sites. [13] 

Trends in security incidents

Large organizations are the most likely to have adequate information security policies in place. Applying information security practices generally requires skilled, well-trained people, risk assessment procedures and well-managed incident response procedures. To some extent, such practices are in place in most businesses. However, the latest PwC Global Economic Crime Survey [14] shows that large organizations are also the ones that report the most fraud: the larger the organization, the greater the relative number of reported incidents. The survey also shows an interesting trend in detection methods that is pertinent to this analysis. For example, internal audit accounted for 17% of detections in 2009, down from 26% in 2005, while fraud risk management rose to 14% in 2009 from 3% in 2005. Newer risk management approaches aim to be more proactive than traditional audit procedures. The trend may also indicate that manual procedures (mostly audits) are being replaced by automation (fraud management systems).

Digital forensics science and cyber forensics

Digital forensic science can be defined as:

"The use of scientifically derived and proven methods toward the preservation, collection, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations". [15] 

Carrier and Spafford (2003) [16] argue that digital evidence is data in digital form that establishes that a crime has been committed, or that provides a link between a crime and its victim or perpetrator. A digital crime scene is therefore the electronic environment where digital evidence potentially exists. Evidence made of bits and bytes belongs to the realm of digital forensic science (DFS), which also covers visual and audio evidence. As a subset of DFS, the cyber forensics field focuses on the scientific examination and analysis of digital data so that it can be used as admissible and verifiable evidence in a court of law. Evidence in this field includes log files, primary and volatile memory, storage media, software (code) and virtually any document in digital form, such as e-mail and SMS messages.

Evidence in general must be admissible, authentic, complete, reliable and believable, and the requirements for digital evidence are no different in essence. Fundamentally, the process of managing the lifecycle of digital evidence is the same as for physical evidence. It includes the following phases: preparation, response, collection, analysis, presentation and incident closure. [17] However, digital evidence is highly volatile, and once it has been contaminated it cannot be returned to its original state. [18] A documented chain of custody is therefore an essential condition for the preservation and admissibility of digital evidence.

The context

Threats to evidence collection

Evidence may exist in logs, computer memory, hard disks, backup tapes, software and so on. IT organizations normally support the IT assets that generate most of this digital evidence as a by-product of doing business. However, IT organizations deliver services to their companies mostly through multivendor strategies. In addition, users are mobile and spread across several geographic areas; workstations and servers are rarely standardized; and vendors use different methods for providing services and are bound by complex service level agreements (SLAs) that penalize them when services are unavailable or perform poorly. The focus is always on running services at the lowest possible cost with adequate performance and availability. Whenever a problem threatens the availability of a system, analysts will try to restore the full capacity of that service, which may mean that systems are hastily restarted or have their logs and other files deleted to free up capacity, destroying potential evidence. In addition, although storage costs have fallen considerably in recent years, mainly on the end-user side, data-center storage remains expensive. Pressure from cost reduction programs can therefore compromise an adequate storage strategy, with the result that data is retained for shorter periods and backup/restore procedures are cut back.

Forensic readiness

In the context of enterprise security, forensic readiness may be defined as "the ability of an organization to maximize its potential to use digital evidence whilst minimising the costs of an investigation." [19] Adequate management of the digital evidence lifecycle may help an organization mitigate the risks of doing business. It can support a legal dispute or a claim of intellectual property rights. It can also support internal disciplinary action or simply show that due care has been taken in a particular process. [20] 

An initiative that aims to support a forensic readiness program would include: [21] 

Maximising an environment's ability to collect credible digital evidence;

Minimising the cost of forensics during an incident response.

In general, enterprise information security policies will facilitate forensic readiness initiatives. However, in any security incident the focus will mostly be on containment and recovery because of the short-term business-critical issues. [22] 

In order to help organizations implement a practical forensic readiness initiative, Rowlingson (2004) suggests a 10-step approach, as follows: [23] 

Define the business scenarios that require digital evidence.

Identify available sources of different types of potential evidence.

Determine the evidence collection requirement.

Establish a capacity for securely gathering legally admissible evidence to the requirement.

Establish a policy for secure storage and handling of potential evidence.

Ensure monitoring is targeted to detect and deter major incidents.

Specify circumstances when escalation to a full formal investigation should be launched.

Train staff in incident awareness, so that all those involved understand their role in the digital evidence process and the legal sensitivities of evidence.

Document an evidence-based case describing the incident and its impact.

Ensure legal review to facilitate action in response to the incident.

Rowlingson also distinguishes two types of evidence: background evidence and foreground evidence. The first is collected and stored for normal business reasons; the second is gathered specifically to detect crime, most frequently through monitoring. However, monitoring typically raises privacy issues and must therefore be aligned with local law. The monitoring process can help correlate different events, increasing the potential of investigations based on digital evidence.

Admissibility of digital evidence

Digital evidence can be defined as "any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi" [24] . Digital evidence is useful not only to address cyber crimes, but also in an extensive range of criminal investigations, such as homicides, child abuse, sex offenses, drug dealing, harassment, and so on.

Dicarlo (2001) argues that the basic questions about the admissibility of evidence are relevance, materiality and competence. When evidence is relevant, material and competent, and is not blocked by an exclusionary rule such as the hearsay rule, it is admissible. Evidence is relevant when it has any tendency to make the fact it is offered to prove or disprove more or less probable. Evidence is material if it is offered to prove a fact that is at issue in the case. Evidence is competent if the proof being offered meets certain traditional requirements of reliability. [25] 

Daubert [26] established a threshold test for the competency of a class of evidence. [27] Digital forensic evidence proposed for admission in court must meet two basic conditions: it must be relevant, and it must be derived by a scientifically sound method. The digital forensics field is highly technical and grounded in science, which in turn brings challenges for forensic professionals. It requires specific skills, as the material can be hard to handle. For example, fragments of bytes can be pieced together to recover a deleted e-mail that provides key information in a case, but collecting, handling and finding the significant data is exhausting work. A similar situation arises when decoding information carried over wired or wireless networks. Knowledge of the environment in which digital evidence is produced is therefore essential for any investigation.

In Lorraine [28] , Judge Grimm (2007) gave a remarkable analysis of the Federal Rules of Evidence as they apply to the admissibility and authentication of electronic evidence. He confirmed that the way evidence is gathered, processed and produced has a significant impact on its admissibility. According to the court, evidence must be:

Relevant;

Authentic;

If hearsay, allowable under the hearsay exceptions;

Original, a duplicate, or supported by admissible secondary evidence;

Of probative value that is not outweighed by unfair prejudice or other factors.

Another important issue is that digital evidence is, to some extent, easily manipulated. It can be deliberately modified by offenders or accidentally altered during the collection phase without obvious signs of distortion. [29] However, unlike physical evidence, it offers some particular features: [30] 

It can be duplicated. In fact, this is common practice in investigations: examiners work on a verified copy to reduce the risk of damage to the original.

It is traceable. Appropriate tools (typically cryptographic hashes of the original and the copy) can be used to determine whether digital evidence has been modified or tampered with when compared to the original.

It is difficult to destroy. For example, deleted data can often be recovered, and data may be recoverable even from a damaged hard disk.

It may contain metadata (data about data). For example, file system metadata can show when a file was last modified, and in some cases when it was deleted.

Electronic data discovery

Electronic Data Discovery [31] is "any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case." [32] 

The 2006 amendments to the US Federal Rules of Civil Procedure (FRCP) [33] were driven by the increasing use of electronic records as evidence in litigation. The FRCP refers to discoverable electronic data as "Electronically Stored Information" (ESI). The amendments were a milestone in the field and require organizations to be better prepared to store and manage business records. They also established the "legal hold", which means that organizations have a duty to preserve information if they reasonably anticipate that a lawsuit may commence. [34] 

Normally, following a court order, an electronic discovery procedure can be carried out offline or online, on a particular computer or across a network, for the purpose of obtaining critical evidence. Electronic data is clearly easier to search than paper documents. In addition, data can be preserved indefinitely if properly stored, and may be recoverable even after deletion.

If an entity becomes involved in a lawsuit, it will probably be requested to provide information that is in digital form. It is essential to be able to identify where and how the information can be retrieved. In preparation for electronic discovery, an enterprise will likely have to face the following issues: [35] 

Changes in business process to identify, collect and manage business records and knowledge assets;

Implementation of new systems, technology or consulting to manage the lifecycle of the electronic discovery;

Need to instruct and inform employees about their responsibilities regarding the need to preserve information and make it discoverable.

If an organization cannot locate or retrieve discoverable information, it may be subject to penalties or even have the case decided against it. [36] 

Discoverable electronic information must be produced regardless of the device it is stored, its format, its location or type. [37] If the burden or cost to produce is not reasonable, then it does not need to be produced. However, courts are entitled to order the discovery in situations where a "good cause" would exist. [38] 

Chain of custody is a fundamental requirement for ESI. Electronic discovery processes should demonstrate the integrity of documents from storage to retrieval. Without such historical records, evidence can be held inadmissible. Metadata on its own is contestable as digital evidence; however, it can support the integrity and traceability of evidence.
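The duplication, traceability and chain-of-custody points above (and in the list of features of digital evidence earlier in this essay) can be made concrete. The following is an added example written for this essay, not code from any of the cited authors or tools: it acquires a working copy of an evidence file, hashes the original and the copy with SHA-256, refuses the copy if the hashes differ, appends a custody record, and later re-verifies the copy against that record so that tampering is detected. The sample "evidence" is a constructed mail fragment, and the file names, examiner identifier and JSON-lines custody log format are assumptions made for illustration.

```python
"""Forensic duplicate, hash verification and a minimal chain-of-custody log."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample evidence (a fake mail fragment); not real case data.
SAMPLE_EVIDENCE = (
    b"From: alice@example.test\r\nTo: bob@example.test\r\n"
    b"Subject: Q3 numbers\r\n\r\nSee attached. Delete after reading.\r\n"
)


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(original, working_copy, examiner, custody_log):
    """Copy `original` to `working_copy`, verify the copy, record custody.

    Returns the SHA-256 of the original; raises if the copy does not match."""
    src_hash = sha256_file(original)
    shutil.copyfile(original, working_copy)
    if sha256_file(working_copy) != src_hash:
        raise RuntimeError("acquisition failed: copy hash differs from original")
    os.chmod(working_copy, 0o444)  # guard the copy against accidental edits
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "action": "acquire",
        "examiner": examiner,            # assumed identifier for the custodian
        "source": os.path.basename(original),
        "copy": os.path.basename(working_copy),
        "sha256": src_hash,
        "size": os.path.getsize(original),
    }
    with open(custody_log, "a") as log:  # one JSON record per line (assumed format)
        log.write(json.dumps(entry) + "\n")
    return src_hash


def verify(path, custody_log):
    """Re-hash `path` and compare with its most recent custody record.

    Returns (intact, expected_hash_or_reason)."""
    with open(custody_log) as log:
        records = [json.loads(line) for line in log if line.strip()]
    name = os.path.basename(path)
    matching = [r for r in records if name in (r["copy"], r["source"])]
    if not matching:
        return False, "no custody record"
    expected = matching[-1]["sha256"]
    return sha256_file(path) == expected, expected


def demo():
    """Acquire, verify, then flip one byte in the copy and verify again."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    original = os.path.join(workdir, "mailspool.orig")
    copy = os.path.join(workdir, "mailspool.copy")
    custody = os.path.join(workdir, "custody.jsonl")
    try:
        with open(original, "wb") as f:
            f.write(SAMPLE_EVIDENCE)
        acquire(original, copy, examiner="examiner-01", custody_log=custody)
        intact_before, _ = verify(copy, custody)

        # Simulated tampering: a single-byte change the eye would not notice.
        os.chmod(copy, 0o644)
        with open(copy, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        intact_after, _ = verify(copy, custody)
        return intact_before, intact_after
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

In practice the custody log would itself need protection (write-once storage, signatures or an independent witness), and the hash of the original would be recorded on the seizure form, so that any later copy can be tied back to what was actually collected.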

The FRCP also provide that one party may be required to grant the other access to a specific computer system as part of a discovery request, including technical support for doing so. [39] The need to maintain an environment in which discoverable information can be located, secured and searched increases the need for IT tools that properly support ESI processes. Although IT departments are responsible for the technical means to preserve and recover ESI, electronic discovery is an evolving field that requires more than technology. It also raises legal, jurisdictional, security and personal privacy issues that still need to be properly assessed.

Practices for incident response

Every incident is unique and can involve many different areas of the affected organization. Responding correctly requires an appropriate level of planning and coordination. Despite being a critical element of any information security policy, incident response is one of the least practised, most stressful and most highly scrutinized tasks, as it requires incident analysts to be well prepared in advance, to be quick and calm, and to act while considering a wide range of possibilities. [40] 

Common cases of information security incidents may include economic espionage, intellectual property theft, unauthorized access to data, stolen passwords, unauthorized or inappropriate use of email and web, malicious code, such as worms with backdoors or trojans, and insider threats.

In dealing with breaches, organizations face the following common challenges: [41] 

Misunderstanding of risks;

Limited understanding of where sensitive data are collected, used, stored, shared and destroyed;

Insufficient emphasis on secure coding practices and security quality assurance;

Permissive access;

No information classification;

Flat architecture;

Duties not segregated;

Third-party connectivity/access;

No access controls and limited physical controls;

End-user computing vulnerabilities;

Limited role and activity based training and guidance.

ISO/IEC 27002:2005 is a Code of Practice for Information Security Management. It is a well-known guide to the subject and widely used within private organizations as a reference for information security management. Section 13, Information Security Incident Management, deals with information security events, incidents and weaknesses. It provides a framework and a starting point for developing a cyber threat response and reporting capability. It says incidents should be promptly reported and properly managed. An incident reporting or alarm procedure is required, together with the associated response and escalation procedures. There should be a central point of contact, and all employees, contractors and other third parties should be informed of their incident reporting responsibilities. [42] 

In addition, responsibilities and procedures are required to manage incidents consistently and effectively, to implement continuous improvement (learning the lessons), and to collect forensic evidence. An organization must respond in some way to a computer security breach whether it is an intrusion/hack, the implantation of malicious code such as a virus or worm, or a denial of service attack. The better prepared the organization is to respond quickly and effectively, the better the chance it will have to minimize the damage. [43] 

ISACA's "Cybercrime: Incident Response and Digital Forensics" [44] internal control checklist recognizes the following steps for reacting efficiently and quickly to information security incidents:

Immediate action;

Secondary action;

Evidence collection;

Corrective measures.

Systems administrators duties

Statistics generally indicate that companies are increasingly subject to internal and external attacks. The digital economy is pervasive, and more and more documents now exist only in electronic form. Even social engineering techniques, which often target unauthorized physical access, leave electronic traces in some way. System and network administrators are therefore often the first to learn that a security incident or breach is taking place. The correct procedure for collecting evidence is vital to the success of any case. It is fundamental to understand how to collect evidence, how it may be interpreted and what data will be available to trace criminal actions. [45] 

The AAA [46] architecture, described in RFC 2903 [47] , is a familiar concept for system and network professionals and a useful one when considering forensics. The model is based on three key information security concepts: authentication, authorization and accounting.

Authentication is the process of positively identifying a user, process or service and ensuring that it has sufficient credentials to enter and use systems and resources. Each usually requires information (account user names and passwords being a common example) that identifies it uniquely and that cannot easily be forged.

Authorization is concerned with ensuring that resource requests will be granted or denied according to the permission level of the requester.

Accounting is concerned with monitoring and tracking system activity. From a network security perspective, accounting is often called auditing. Auditing is the process of logging activity on communications links, networks, systems and related resources so that it can be analysed at a later date. Accurate and detailed log files are often key forensic evidence.

Successful auditing relies on the monitoring and creation of log file data for select processes and resources. However, auditing all the events that occur in a modern network environment is completely impractical. In order to have a feasible approach, an assessment should take place to identify what is critical and important to business.

A general principle to follow when developing an audit strategy is to log exceptions and unusual activity, especially when it concerns administrative actions and access to valuable data. Specific intrusion signatures and known attack vectors should be picked up on the periphery of the network, but it is advisable to monitor administrative level actions (as many attackers will seek administrative level rights) as well as successful and unsuccessful attempts to access valuable data, or alter system information (e.g. the creation and deletion of accounts and directories).

A system administrator who needs to collect potential evidence should contact a specialist in the incident response team first; otherwise the evidence may be worthless. This team is responsible for providing the steps and procedures needed not only to collect digital evidence but also to ensure that it remains admissible in court, in other words to collect it in such a way that it remains untainted. The principal duty of the systems administrator is to protect systems from tampering, damage or interference of any kind.

Creating value from logs

Logs have long been used extensively in the computing industry. Initially they were mostly used for tuning, fixing and debugging applications or IT services. Many devices create important log files, such as firewalls, routers, intrusion detection systems and servers. Nowadays logs are ubiquitous and are even used as a marketing tool to analyse web site usage and profile customer behaviour.

The main step in the evolution of logging came in the 1980s, when sendmail [48] delivered its logs to a remote server for review using the syslog [49] utility. Syslog soon became a de facto standard and was adopted by other operating system platforms. [50] More recently, however, vendors have been moving to proprietary log formats to provide more detailed and specific information about their own services.

Organizations nowadays can generate a huge volume of logs. On average, one company may produce 240 million log entries per day, which would require storage of about 11 GB per day, or 4 TB per year. [51] The cost and complexity of collecting and managing all this data is far from trivial.

Correlating logs from different applications and security devices is critical if organizations are to build useful alerting mechanisms. For example, an increased volume of traffic over UDP [52] ports, if it coincides with an increased number of e-mails being exchanged, could indicate that an organization is under attack. The same would be true if the first were associated with an increased number of password failures on network accounts or administrative applications. Viruses and hacking attacks are now also being associated with cyber terrorism and have shown an unprecedented level of sophistication.
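The audit strategy described earlier (log failed and successful access attempts and administrative actions such as account creation) and the correlation idea in this paragraph can be demonstrated together. The following is an added example written for this essay, not code from any product or cited author: it parses constructed syslog-style lines, raises an alert when one source accumulates a threshold of failed logins inside a time window, escalates when a successful login from the same source follows, and escalates again when an account is created on the same host shortly after that login. The log lines, host names, addresses and thresholds are all constructed for illustration; RFC 3164 timestamps carry no year, so the parser assumes one.

```python
"""Correlate failed logins, a following success and an admin action in syslog lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in RFC 3164 style (sshd and useradd); not from a real host.
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:05 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:06 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2
Mar 10 02:14:09 web01 sshd[2211]: Failed password for deploy from 203.0.113.7 port 51026 ssh2
Mar 10 02:14:12 web01 sshd[2214]: Accepted password for deploy from 203.0.113.7 port 51027 ssh2
Mar 10 02:15:40 web01 useradd[2290]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Mar 10 02:20:00 web01 sshd[2301]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 02:20:30 web01 sshd[2305]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
AUTH = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
USERADD = re.compile(r"^new user: name=(?P<user>[^,]+)")


def parse(text, year=2024):
    """Turn syslog lines into event dicts; `year` is assumed (RFC 3164 omits it)."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # unparseable lines are skipped, not silently mangled
        ev = {
            "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "host": m["host"], "prog": m["prog"], "msg": m["msg"], "kind": "other",
        }
        a = AUTH.match(m["msg"])
        u = USERADD.match(m["msg"])
        if a:
            ev.update(kind="auth", result=a["result"], user=a["user"], src=a["src"])
        elif u:
            ev.update(kind="useradd", new_user=u["user"])
        events.append(ev)
    return events


def correlate(events, threshold=5, window_s=60, followup_s=600):
    """Apply three chained rules and return the alerts they raise, in order."""
    alerts = []
    failures = defaultdict(list)  # source address -> recent failed-login times
    suspect_logins = []           # successful logins that followed a brute force

    def recent(src, now):
        failures[src] = [t for t in failures[src] if (now - t).total_seconds() <= window_s]
        return failures[src]

    for ev in events:
        if ev["kind"] == "auth":
            src, now = ev["src"], ev["time"]
            if ev["result"] == "Failed":
                failures[src].append(now)
                if len(recent(src, now)) == threshold:  # fire once, at the threshold
                    alerts.append({"rule": "brute_force", "src": src, "host": ev["host"],
                                   "count": threshold, "time": now})
            elif len(recent(src, now)) >= threshold:
                alerts.append({"rule": "success_after_brute_force", "src": src,
                               "host": ev["host"], "user": ev["user"], "time": now})
                suspect_logins.append(ev)
        elif ev["kind"] == "useradd":
            for s in suspect_logins:
                delta = (ev["time"] - s["time"]).total_seconds()
                if s["host"] == ev["host"] and 0 <= delta <= followup_s:
                    alerts.append({"rule": "account_created_after_suspect_login",
                                   "host": ev["host"], "new_user": ev["new_user"],
                                   "src": s["src"], "time": ev["time"]})
                    break
    return alerts


def run(text=SAMPLE_LOG):
    """Parse and correlate; returns the alert list."""
    return correlate(parse(text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the sample data the single failure from 198.51.100.4 followed by a key-based login raises nothing, while the five failures from 203.0.113.7, the password login that follows and the `useradd` eighty-eight seconds later produce three alerts of increasing severity. Real deployments would add clock synchronization (NTP) across hosts, since correlation across sources is only as good as their timestamps.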

Regulation such as Sarbanes-Oxley also provides an interesting driver for log management. Besides requiring that users have access only to the logs they are entitled to see, to avoid security breaches, it demands a structured approach, including: [53] 

Setting targets;

Enforcing targets;

Independently verifying or auditing compliance against targets.

Log management is a powerful mechanism to provide visibility of all usage of one´s organization IT components, and it can be used not only for problem management, as originally designed, but also to support proactive management of security incidents and discovery processes.

The proposal

Concisely, the proposal will tackle the following:

Awareness of legal issues of digital evidence;

Establishment of an incident response team and appropriate processes;

Introduction of a technical solution to support evidence chain of custody and discovery (see figure 1).

The tool is an essential component, as it would back the incident response processes. However, a proposal to address the validity of evidence in courts cannot be complete only addressing technological solutions, as the awareness and understanding of legal issues are vital to guarantee company success in future litigations. In fact, the proposal considers the famous triad for composing a system: people-process-technology.

After securing top-management support, an essential factor in any company-wide effort, the cornerstone of the initiative is an extensive risk assessment to identify threats and to establish the company's level of legal knowledge regarding evidence. Following that, the incident response team and systems administrators must receive appropriate training in the legal issues arising from the company's business. Legal particularities will have to be considered, as the company may operate in different jurisdictions and business sectors. The issues behind the admissibility of evidence, as discussed above, will have to be fully understood by everyone involved.

After an appropriate awareness is in place, it is possible to start with the utilization of best practices in incident response processes. As we have seen before, information security standards may help creating appropriate processes to react to cyber threats and establish or review the information security policies. The incident response team empowered also with the duties to set awareness programs and configure related tools must be formed by business representatives from Legal, Financial and Information Technology areas.

Ultimately, a technological solution will work interfaced with relevant systems and integrated with incident response processes allowing the management of the entire lifecycle of digital evidence. It would include the following subcomponents:

Evidence Information Management System (EIMS) - Based on the concept of the Process Information Management Systems (PIMS) used by process industries, it would be responsible for collecting key information from log management systems, transactional systems and other important company-wide IT assets. PIMS are time-based database applications that associate equipment-related data with tags. A tag can represent a pump flow, a motor voltage, or even a combination of the two. With some elaboration, a PIMS can graphically represent the entire set of subprocesses of an industrial plant. In our case, it would be useful for managing alarms that trigger the incident response team and for representing the company as a living organism. In addition, such systems can "replay" the process data over a given timeframe, which makes them an important tool for post-incident analysis. They can also be used to run simulations and to test the incident response and discovery procedures. Finally, the EIMS would collect metadata about logs and related files in order to allow a better chain of custody for potential digital evidence.

Log Management Systems (LMS) - This component would be responsible for collecting log files from several devices and systems to provide data for triggering incident response or for developing forensic analysis. In addition to using the AAA architecture, it would be accompanied by a data retention policy determining where the data would be stored and for how long.

Privacy Enhancing Technologies (PETs) can be used to depersonalize data in order to comply with privacy-preserving policies or local legislation. PET settings would be fine-tuned to reduce or increase personal data collection according to the risk assessment inputs, or when a litigation hold or court order is in place.

Figure 1 - Overview of an Evidence Information Management System and its components.
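To make the interplay of the three subcomponents concrete, the following added example (written for this edit, not a tool from the essay) sketches an intake step for one log file: the LMS hands over the raw bytes, the EIMS hashes them and writes a chain-of-custody record, and a PET filter produces a working copy at a configurable level. The log lines, field names (`user`, `src`), collector name and PET key are all constructed for the example. The design point it shows is that the custody hash is taken over the original bytes before any depersonalization, so the retained evidence can always be verified against the record, while the analyst's working copy gets its own record chained to the original.

```python
"""Evidence intake for the proposed EIMS/LMS/PET design (added example).
Hash the collected log, write a chain-of-custody record, then produce a
PET-filtered working copy with its own record linked to the original."""
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed sample log lines standing in for a file collected by the LMS.
SAMPLE_LOG = (
    "2010-03-01T08:15:02Z host=fs01 user=jdoe src=10.1.2.3 action=login result=ok\n"
    "2010-03-01T08:16:40Z host=fs01 user=jdoe src=10.1.2.3 action=copy file=/share/payroll.xls\n"
    "2010-03-01T08:17:11Z host=fs01 user=asmith src=10.1.2.9 action=login result=fail\n"
)

# Fields the (hypothetical) privacy policy treats as personal data.
PERSONAL_FIELD_RE = re.compile(r"\b(user|src)=(\S+)")
PET_LEVELS = ("full", "pseudonym", "redact")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def custody_record(name: str, data: bytes, collector: str,
                   previous_chain: str = "", collected_at: str = "") -> dict:
    """Chain-of-custody entry: what was collected, by whom, when, and its hash.
    chain_hash covers the whole entry plus the previous entry's chain_hash,
    so a later edit to any record breaks every record after it."""
    entry = {
        "evidence": name,
        "sha256": sha256_hex(data),
        "size": len(data),
        "collected_by": collector,
        "collected_at": collected_at or datetime.now(timezone.utc).isoformat(),
        "previous_chain": previous_chain,
    }
    entry["chain_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    return entry


def verify_evidence(data: bytes, record: dict) -> bool:
    """Does the retained blob still match the hash taken at collection time?"""
    return hmac.compare_digest(sha256_hex(data), record["sha256"])


def verify_chain(records) -> bool:
    """Recompute every chain_hash and check that each links to its predecessor."""
    previous = ""
    for rec in records:
        if rec["previous_chain"] != previous:
            return False
        body = {k: v for k, v in rec.items() if k != "chain_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != rec["chain_hash"]:
            return False
        previous = rec["chain_hash"]
    return True


def depersonalize(log_text: str, level: str, key: bytes = b"") -> str:
    """PET filter with a tunable level:
    'full'       keep personal fields (e.g. under a litigation hold or court order)
    'pseudonym'  replace values with a keyed HMAC tag: same user -> same tag, so
                 analysts can still correlate events without seeing identities
    'redact'     drop the values entirely"""
    if level not in PET_LEVELS:
        raise ValueError(f"unknown PET level: {level}")
    if level == "full":
        return log_text

    def replace(m):
        field, value = m.group(1), m.group(2)
        if level == "redact":
            return f"{field}=[redacted]"
        tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]
        return f"{field}=pseud:{tag}"

    return PERSONAL_FIELD_RE.sub(replace, log_text)


def intake(name: str, raw: bytes, collector: str, pet_level: str, key: bytes,
           collected_at: str = ""):
    """Collect one log into the EIMS. The original is hashed before any PET
    processing, because the custody record must describe the bytes actually
    retained; the filtered working copy gets its own record chained to it."""
    original = custody_record(name, raw, collector, collected_at=collected_at)
    working_text = depersonalize(raw.decode(), pet_level, key)
    working = custody_record(name + ".working", working_text.encode(), collector,
                             previous_chain=original["chain_hash"],
                             collected_at=collected_at)
    return original, working, working_text


if __name__ == "__main__":
    orig, work, text = intake("fs01-auth.log", SAMPLE_LOG.encode(), "analyst1",
                              "pseudonym", b"escrowed-pet-key")
    print(json.dumps([orig, work], indent=2))
    print(text)
```

Raising the PET level to `full` when a litigation hold arrives only changes what the working copy contains; the original bytes and their custody record are unaffected, which is what keeps the retained evidence verifiable regardless of how the privacy setting is tuned over time.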


Not long ago, companies used to physically store paper records of commercial transactions, meeting minutes, letters, faxes, books and so on, with tight control and laborious, but feasible, procedures for discovering data. Nowadays, it no longer makes sense to physically store paper documents, as transactions increasingly happen only in the electronic realm. However, adequate due care of digital business records is not yet a widespread practice. In addition, internal and external threats to an organization's computer infrastructure pose great harm to its business. Taking control of computer misuse evidence is a key factor not only in improving success in litigation, but also in proactively assessing threats, responding to incidents appropriately and, most importantly, avoiding fraud or financial losses.

Digital evidence must be handled with care. To some extent, it is no different from any other type of evidence when it comes to admissibility from the point of view of the rules of evidence. On the other hand, it has unique properties that need to be understood so that its validity is not harmed during the course of an investigation.

By aligning technological solutions with appropriate incident response processes and adequate legal knowledge, the issues of digital evidence, information security and compliance would be jointly tackled, allowing a company to run its business with better control of the related risks and with better chances of success in lawsuits. The proposed approach appears to have real potential to achieve that.

