What is Chain of Evidence in the context of security forensics?
A. The concept that evidence is controlled and accounted for so as not to disrupt its authenticity and integrity
B. The concept that evidence is controlled in a locked-down location, but not necessarily authenticated
C. The concept that if a person has possession of evidence, someone knows where the evidence is and can say who had it if it is not logged
D. The concept that the general whereabouts of evidence is known
Explanation:
Forensic investigations typically consist of two phases. The first phase, known as the exploratory phase, is an attempt by the investigator to identify the nature of the problem at hand and to define what s/he thinks transpired at the scene of the incident. Once the investigator has determined what s/he thinks took place, the induction ends and the deduction, i.e., the evidence phase, begins.
Chain-of-Evidence Model
The Chain-of-Evidence Model illustrates the discrete sets of actions carried out by an insider attempting to inflict malicious damage in an intranet environment. One group of actions is separated from another based on the level of authority required to execute them. Each group of actions has a different corresponding source of evidence that must be responsible for documenting activity for forensic purposes. However, each such source of evidence must be linked to the logs next to it (see above figure) in order to form a complete chain of evidence. The figure above starts with physical access to computer systems, which must precede any malicious activity. It is in this stage that the crucial link between physical recognition and computer recognition takes place. Following log-on procedures, the user proceeds to invoke the services of a network application that must be used as a vehicle to inflict damage on a remote system. The network application issues the malicious network traffic that reaches a remote computer and executes the intended behavior.