System Forensics

RFC 3227 is a handy resource for students interested in the challenges of beginning the recovery process:

http://www.faqs.org/rfcs/rfc3227.html

I hadn’t known about this until reviewing a paper recently. This (short) RFC contains some guidelines for performing forensics on a compromised computer system. Nothing earth-shattering, but it does provide a nice collection of principles.

Why do these practices matter? Because expert witnesses and the legal system can easily question the quality of digital evidence:

http://www.piercelaw.edu/assets/pdf/release-mavis-case-expert-report.pdf
(this report received Slashdot coverage last summer).
