ISC Exam Questions

Which of the following is a correct statement regarding computer forensics?

A. It is the study of computer technology.

B. It is a set of hardware-specific processes that must be followed in order for evidence to be admissible in a court of law.

C. It encompasses network and code analysis, and may be referred to as electronic data discovery.

D. Computer forensics responsibilities should be assigned to a network administrator before an incident occurs.

Explanation:

C: Forensics is a science and an art that requires specialized techniques for the recovery, authentication, and analysis of electronic data that could have been affected by a criminal act. It is the coming together of computer science, information technology, and engineering with the legal system. When discussing computer forensics with others, you might hear the terms digital forensics, network forensics, electronic data discovery, cyber forensics, and forensic computing. (ISC)2 uses computer forensics as a synonym for all of these other terms, so that's what you will most likely see on the CISSP exam. Computer forensics encompasses all domains in which evidence is in a digital or electronic form, either in storage or on the wire.

A is incorrect because computer forensics involves more than just the study of information technology. It encompasses the study of information technology but stretches into evidence gathering and protecting and working within specific legal systems.

B is incorrect because computer forensics does not refer to hardware or software. It is a set of specific processes relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data, and computer usage that must be followed in order for evidence to be admissible in a court of law.

D is incorrect because computer forensics should be conducted by people with the proper training and skill set, which may or may not be the network administrator. Digital evidence can be fragile and must be worked with appropriately. If someone reboots the attacked system or inspects various files, it could corrupt viable evidence, change timestamps on key files, and erase footprints the criminal may have left.