
90 Chapter 5 · Incident Response: Live Forensics and Investigations

Introduction

To pull or not to pull the plug, that is the question. Today, cyber crime investigators are faced with the grueling task of deciding whether shutting down a computer system is the most efficient and effective method to gather potential electronic evidence. Traditionally, computer forensics experts agreed that shutting the computer system down in order to preserve evidence and eliminate the potential changing of information is best practice prior to examination. I remember having the phrases "shut it down," and "don't change anything" beaten into my brain during the numerous trainings I've attended throughout the years. However, one of the fundamental misconceptions with this philosophy is that computer forensics is the same as physical forensics. I would argue that they are not the same, given that computer forensics technology changes faster than traditional forensics disciplines like ballistics, serology, and fingerprint analysis. The second misconception is that we always collect everything at a physical crime scene. In a physical forensics environment, we