Prosecuting Intruders: A Guide to Successful Intruder Prosecution

Successfully Prosecuting an Intruder


Question

In order to be able to successfully prosecute an intruder:

Answers

Explanations


B.

If you intend to prosecute an intruder, evidence has to be collected in a lawful manner and, most importantly, protected through a secure chain-of-custody procedure that tracks who has been involved in handling the evidence and where it has been stored.

The other choices are all important points, but not the best answer, since no prosecution is possible without a proper, provable chain of custody of evidence.

Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (pages 282-285).

In order to successfully prosecute an intruder, certain procedures need to be followed to ensure that the evidence collected is admissible in court. The following are the steps that should be taken:

A. Designate a Point of Contact: A point of contact should be designated to be responsible for communicating with law enforcement and other external agencies. This person should have the necessary authority to make decisions and provide information to the authorities, and should be available 24/7. They should also be trained in handling legal matters, including chain of custody and evidence handling.

B. Preserve Chain of Custody: A proper chain of custody of evidence has to be preserved. This means that a record should be kept of who had access to the evidence and when, and the evidence should be securely stored in a tamper-evident manner. This ensures that the evidence can be traced back to its source, and that it has not been tampered with or altered in any way.

C. Follow Predefined Procedures for Evidence Collection: Collection of evidence has to be done following predefined procedures. These procedures should be designed to ensure that the evidence is collected without altering or destroying it, and in a way that is consistent with legal requirements, such as those related to privacy and chain of custody.

D. Analyze Replica of Compromised Resource: Whenever possible, analyze a replica of the compromised resource, not the original, thereby avoiding inadvertently tampering with evidence. Any alteration to the original could make it inadmissible in court, so the analysis should be conducted on a replica or copy while the original is preserved as evidence.

In conclusion, successful prosecution of an intruder requires proper evidence handling, preservation of chain of custody, adherence to predefined procedures for evidence collection, and analysis of a replica of the compromised resource whenever possible. These steps will help ensure that the evidence collected is admissible in court and can be used to prosecute the intruder.
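
As an added example (not from the original page or the cited CERT guide), steps B and D can be backed by a hash-chained custody log: each record names the handler, action, location and time, and a replica is checked against the digest recorded at collection before it is analyzed. The use of SHA-256, the function and field names, and the sample data are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first record

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same record always hashes identically.
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def add_entry(log, handler, action, location, evidence_sha256, when):
    """Append a custody record chained to the previous record's hash."""
    body = {"handler": handler, "action": action, "location": location,
            "evidence_sha256": evidence_sha256, "when": when,
            "prev": log[-1]["hash"] if log else GENESIS}
    log.append({**body, "hash": _entry_hash(body)})

def verify_log(log):
    """Return the index of the first altered record, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["prev"] != prev or _entry_hash(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1

def replica_matches(log, replica: bytes) -> bool:
    """True if the replica's digest equals the one recorded at collection."""
    return bool(log) and sha256_hex(replica) == log[0]["evidence_sha256"]

def demo():
    original = b"constructed disk image contents"  # constructed sample data
    digest = sha256_hex(original)
    log = []
    add_entry(log, "analyst_a", "collected", "server room", digest, "2001-01-01T10:00Z")
    add_entry(log, "analyst_b", "stored", "evidence safe", digest, "2001-01-01T11:30Z")
    add_entry(log, "analyst_b", "replica made", "forensics lab", digest, "2001-01-02T09:00Z")
    intact = verify_log(log)                        # chain as written
    good = replica_matches(log, bytes(original))    # faithful replica
    bad = replica_matches(log, original + b"\x00")  # replica that differs by one byte
    log[1]["handler"] = "someone_else"              # retroactive edit to the record
    return intact, good, bad, verify_log(log)

if __name__ == "__main__":
    print(demo())
```

A hash chain only makes edits evident if the latest record's hash is also kept somewhere the log's keeper cannot rewrite, for example alongside the signed custody paperwork.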