NCJ Number
193189
Date Published
2001
Length
31 pages
Annotation
This guide covers the initial response to a computer incident and is intended for both system administrators and security personnel.
Abstract
When a breach of security or criminal act involving a computer is suspected, it is essential to protect the data within the storage media. The stored data are invaluable in determining the level of security breach and the location of potential evidence concerning a criminal act. This manual describes the initial response to a security incident or criminal act involving a computer as more important than later technical analysis of the computer system. The success of data recovery and potential prosecution depends on the actions of the individual who initially discovers a computer incident. Under no circumstances should anyone, with the exception of laboratory personnel, attempt to restore or recover information from a computer system. The entire workstation or office is a potential crime scene and should be secured and protected to maintain the integrity of the scene and the data storage media. Once initial security has been established, the scene should not be left unattended or unsecured until processing of the scene is completed. Appendixes