New Horizons is the world’s largest independent IT training company, delivering a full range of technology and business skills training through innovative learning methods.

Become a fan on our Facebook page, where you can be among the first to learn about our newest offerings, announcements and promotions, read our blog, or start a discussion.

Log onto Facebook and then go to our Facebook Page: http://www.facebook.com/pages/New-Horizons-Computer-Learning-Centers/32813801266.

Simply click on the “Become a Fan” link at the top right side of the page.

Computer security is one of the hottest topics on the certification front — and rightly so. However, many IT professionals are unaware of a security subspecialty that’s becoming increasingly popular, namely computer forensics. The exact job duties of a computer forensics examiner may vary, but often include:

• Collecting and packaging computer hardware and digital evidence in a way that preserves its integrity and the chain of custody.
• Creating an inventory and storing computer-related evidence in a secure manner.
• Examining the contents of digital media, including memory, hard disks, and removable media to view and analyze the data recorded there.
• Using data recovery techniques and software to uncover hidden or deleted data.
• Cracking passwords to obtain access to data.
• Decrypting data that has been protected with encryption.
• Presenting detailed reports and charts to document the results of the examination and analysis.
• Assisting law enforcement agents in preparing search warrants, assisting prosecutors in preparing cases for court, assisting civil litigants in preparing cases, assisting defense attorneys in preparing cases, and/or assisting corporate IT departments in responding to and analyzing security breaches and other incidents.
• Testifying in court in computer crime cases and civil lawsuits involving digital evidence.

Related Courses from New Horizons:

• Computer Hacking Forensics Investigator
• Forensics Bootcamp

As a database professional, you aren’t necessarily a legal expert. Yet, you may find yourself in a situation where you need to respond to a computer crime incident, assist with an investigation, or pass information to either an internal investigative committee or a judicial proceeding. If you don’t handle evidence properly, chances are you won’t be very successful in prosecuting the perpetrator. We’ll provide some guidelines to help manage evidence related to a computer crime.

Computer forensics defined

According to Wikipedia, computer forensics is "application of the scientific method to digital media in order to establish factual information for judicial review." This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities.

If a data-related crime is committed, you may work with a computer forensics expert, who will:

1. Identify sources of evidence.
2. Preserve the evidence.
3. Analyze the evidence.
4. Present the findings.

Computer forensics must adhere to the standards of evidence that are admissible in a court of law. As such, computer forensics must be techno-legal in nature rather than purely technical or purely legal.

As a DBA, you may also want to apply the principles of computer forensics to help force your organization’s established policies.

Types of evidence

Evidence is anything that proves or disproves an assertion or fact. With respect to a legal proceeding, evidence must meet these criteria:

• Sufficiency. The evidence must be convincing and unquestionable.
• Competency. The evidence must be legally qualified and reliable.
• Relevancy. The evidence must be material to the case or have a bearing on the matter at hand.

As you may suspect, not all evidence is created equal. The most convincing evidence is that which can be proven directly through the five senses: hearing, smelling, seeing, touching, and tasting. This type of evidence is described below along with other (less convincing) types of evidence:

• Direct evidence. Knowledge of the facts surrounding an incident, e.g. an eye witness’s oral testimony. The witness must have obtained the knowledge through his five senses rather than through inferences or presumptions.
• Physical evidence. Real, tangible objects that prove or disprove a fact, e.g. an intruder’s possession of stolen data. This type of evidence links the suspect to the crime.
• Documentary evidence. Evidence in the form of printed documentation — e.g. audit logs or video surveillance tapes. This is the most common type of evidence associated with computer crime.
• Demonstrative evidence. Aids that prove that an incident occurred — e.g., models, exhibits, and charts. This type of evidence is typically presented to a jury to help them understand the facts.

Guidelines for handling evidence

You may be called upon to present evidence to an internal investigative team or to a court of law. In the former case, you need to be able to answer many questions regarding the evidence; in the latter case, you need to demonstrate credibility. To prepare for either situation, you should be familiar with established guidelines for handling evidence.

Collecting evidence

If you’re involved in the investigating an incident, you’ll need to gather as much evidence as you can. It’s critical that you start the process early because, in all likelihood, the individual who committed the crime will try to conceal their involvement. As time passes, the evidence is susceptible to tampering or even destruction. Here are some actions you can take immediately upon discovering an incident:

• Print copies of audit logs, as they may be subpoenaed. A backup of the database or transaction logs may also be helpful.
• Secure all types of removable media (CDs, USB flash drives, floppy disks, etc.).
• Look for relevant physical evidence on the desk and surrounding areas. It can be helpful to take photos of the target system from several different angles both inside and outside the machine. If possible, use a Polaroid camera; otherwise, the defense team can claim the photos were altered during film development.

Identifying evidence

While you’re collecting evidence, it’s critical that you identify each item and its relation to the crime scene. You should be as methodical as possible and elicit the help of another individual who can serve as a witness to your actions. As you collect each piece of evidence, label it and record information about it in a log book. The information you log should minimally include the following entries:

• Item name and description.
• Name of individual who discovered it.
• Date, time, and location of discovery.
• Make, model, and serial number if available.
• Identifying marks on the item.
• Any perceivable physical damage to the item.

Tip:
Besides being a backup for missing labels, the log book can help you review information about the evidence prior to a formal hearing.

Protecting evidence

After you’ve collected and identified the evidence, you need to protect it from damage. Damage may result from environmental factors, such as extreme temperatures or variations in humidity, or from physical factors, such as vibration or electromagnetic fields. The best way to protect evidence is to handle it with anti-static gloves (as opposed to latex gloves).

Transporting evidence

If you need to transport the evidence, make sure that you use proper packing techniques. Even if the evidence is in a sealed bag or other type of container, avoid using foam peanuts, as doing so increases the chances that the evidence becomes tainted. Use solid foam padding to wrap the evidence container, and then store the container in a sturdy cardboard box. Label the box contents, using the log book entries you created earlier in the process.

Storing evidence

In addition to storing evidence in sealable anti-static bags and packaging it appropriately, you should keep it in a secure room. The evidence room should have minimal traffic, restricted access, camera monitoring, and entry logging capabilities.

Chain of custody

Another component of managing evidence is the concept of chain of custody. Chain of custody refers to an accounting of all persons and events related to the handling of the evidence from the time it is first collected to the time it’s submitted to the court. Here’s a list of critical steps in the chain of custody process:

1. Record each item collected as evidence.
2. Record who collected the evidence along with the date and time of collection.
3. Write a description of the evidence in your log book.
4. Put the evidence in containers; tag the containers with the name of the person who collected the evidence as well as the date and time.
5. Record all hash values in the documentation.
6. Securely transport the evidence to a protected storage facility.
7. Obtain a signature from the person who accepts the evidence at the storage facility.
8. Provide controls to prevent access to the evidence while it’s in storage.
9. Securely transport the evidence to the court for legal proceedings.

Special considerations for digital media

In crimes involving stolen data, magnetic and optical discs become key pieces of evidence. Here are some practical guidelines for protecting evidence related to digital media:

• Don’t power down a system before you perform a RAM memory dump.
• Never use diagnostic tools or utilities to analyze a system; doing so can compromise the true state of the data at the time the crime was discovered.
• Use a bit-level, sector-based imaging utility to capture the state of the data; make several copies of the drive and analyze only the copies.
• Don’t restart the machine and boot back into the operating system, as this can also change the true state of the media.

Related Courses

• Computer Hacking Forensics Investigator
• Forensics Bootcamp

Full system backups — images that contain your computers’ OS, system files, programs, and personal files — require software that can be too expensive for a company to purchase. With Windows Vista, software costs no longer keep you from protecting your users against their own hasty deletions or against hardware failure. We’ll show you how to create an image of your computer with Windows Vista backup features for simple restorations if a computer catastrophe strikes.

Note: No images for Home users
Don’t be surprised by missing backup options if you support some users with Vista Home Basic or Home Premium. The Complete PC Backup option is available only to Vista Business, Ultimate, and Enterprise users.

Take note of backup device options

Before you even open the Windows Complete PC Backup wizard, you need to know a few things about potential backup devices. Because Windows will take a backup image of the computer, it can’t write the backup to the primary hard partition or to a partition formatted FAT32. It also can’t write to a mapped network drive or UNC path. Your only options for backup devices are:

• Secondary partitions
• Secondary hard drives
• DVD drive

If your computer doesn’t have a secondary partition or drive, or they are not large enough to store the image, you must use the DVD option.

Downside: The DVD option requires multiple DVDs. All those DVDs increase your costs associated with buying and storing the DVDs, as well as the time you’ll spend swapping DVDs each time you create or restore a backup.

Create your first backup

Windows Vista comes loaded with the Backup and Restore Center which you can launch from Control Panel. Users who have administrative tokens can use the Center to initiate Complete PC backups and to initiate a restore of that backup. We’ll start there.

To perform a Complete PC backup from the Backup and Restore Center:

1. Select Start Control Panel Backup And Restore Center.
2. In the Backup And Restore Center’s Back Up Files Or Your Entire Computer section, click on the Back Up Computer button.
3. Windows Complete PC Backup scans your computer for available storage devices.
4. On the Where Do You Want To Save The Backup page, the wizard lists each hard drive and DVD burner available. View a list by selecting the corresponding dropdown list.
5. Select the option button for the type of device and the particular drive you’ll use; click Next.
6. On the next page you must choose which hard drives to include in your backup. Select the check boxes for each drive or partition you want to back up and click Next.
7. On the Confirm Your Backup Settings page, review your selections. If you selected the DVD option, the wizard estimates how many DVDs you’ll need. Click Start Backup when you’re ready.

Windows Complete PC Backup now creates the image based on your specifications. The process takes considerable time to complete — up to an hour or more — depending on the total size of your backup.

Are you prepared for a catastrophe?

You should never rely on a backup without testing it first. With Vista, once the image has been created, you should view the folder structure on your hard drive or DVDs. But don’t relax just because you can see the folders — restore the image right away to make sure you can count on it if the computer fails.

Caution:
In case your image does fail you, be sure to backup any critical files onto a protected network share, USB flash drive, or DVD before you proceed.

Restore your image

You can launch a Complete PC restore from the Windows Vista installation DVD or from the Windows Recovery Environment.

To restore your PC with the Windows installation DVD:

1. With your computer configured to boot from the DVD drive, insert your Vista install DVD and reboot.
2. Follow the prompts to continue and to choose your language settings. Click Next.
3. Click Repair Your Computer.
4. Select Windows Complete PC Restore from the System Recovery Options menu.
5. Select the operating system you want to repair, and then click Next. The Windows Disaster Recovery wizard opens.
6. Attach or insert your backup media, and then step through the wizard to complete the restoration.

To restore using Windows recovery options (if you installed them previously):

1. Restart the computer.
2. Press the [F8] key after the BIOS sequence and before the Windows logo appears.
   

   Tip:
   If your computer has more than one operating system installed, use the arrow keys to highlight the operating system you want to start, and then press
   [F8].

3. Select Repair Your Computer from the Advanced Boot Options menu, and then press [Enter].
4. Select a keyboard layout, and then click Next.
5. Select a user name and enter the password, and then click OK.
6. Select Windows Complete PC Restore from the System Recovery Options menu.
7. Attach or insert your backup media, and then follow the instructions to complete the restoration.

Related Courses

• 5115 Installing and Configuring the Windows Vista™ Operating System
• 5117 Installing, Configuring, Troubleshooting, and Maintaining Windows Vista®
• Windows Vista - Level 1
• Windows Vista - Level 2

Terms like soft page break, hard page break, next page section break, and odd page section break can make your head spin. Worse yet, they can lead you to choose back-door formatting options (such as repeated hard returns) when you know there must be a more logical approach to solving your problem. In this article, we’ll help you brush up on your knowledge of breaks, and we’ll help you decide the best method for breaking up your document’s pages, columns, and formatting.

Basic page breaks
There are two types of basic page breaks: automatic page breaks and manual page breaks. Both break types are easy to work with, and the effects of each are straightforward.

Automatic page breaks
Word inserts automatic (or soft) page breaks automatically as you fill each page and begin another page. The location of an automatic page break adjusts and readjusts automatically as you revise your document.

You can see where pages break in Print Layout view, Print Preview, and Normal view:

• In Normal view, an automatic page break appears as a single dotted line across the page.
• In Print Layout (or Page Layout) view and Print Preview mode, automatic page breaks are indicated by the graphical representations of entire pages.

Manual page breaks
Although Word’s automatic page breaks are handy, you’ll sometimes want to begin a new page before the current page is full. To do so, insert a manual page break. Use manual page breaks when you want to prevent text or tables from breaking across pages.
To insert a manual page break:

1. Select Insert Break from the menu bar to open the Break dialog box.
2. Select the Page Break option button, and then click OK. As an alternative, you can also add a manual page break simply by pressing [Ctrl][Enter] (this isn’t available on the Mac).

How manual page breaks appear:

• In Normal view, manual page breaks appear as dotted lines marked Page Break.
• In Print Layout (or Page Layout) view and Print Preview mode, manual page breaks are indicated by the graphical representations of entire pages.

Section breaks
Section breaks divide a document into smaller pieces, or sections, for formatting and page layout purposes. By dividing a document into sections, you can isolate page formatting to a portion of your document instead of the whole document. When you use page breaks, you can vary elements such as margins, page orientation, headers and footers, page number sequence, and document protection.

To insert a section break:

1. Select Insert Break from the menu bar to open the Break dialog box.
2. Select the desired break type from the Section Break Types area and click OK.

Section breaks are displayed in Normal view. You can also see them in Print Layout view if you select the Show/Hide button on the Standard toolbar. Section breaks are represented in your document as a double dotted line that contains the name of the section break applied.

Next, let’s take a closer look at how each type of section break works.

Next page section breaks
A next page section break inserts a section break at the insertion point and moves everything that follows to a new section beginning on the following page. A next page section break is different from a manual page break because it classifies the document portions both before and after the break as sections. When you use next page section breaks, you can apply specialized page formatting to each section. When you use manual page breaks, you cannot.

Tip:
If you’re applying changes to your document in the Page Setup dialog box, you can insert a next page section break on the fly by selecting This Point Forward from the Apply To dropdown list. When you click OK, Word inserts a next page section break at the insertion point and applies your changes to the document text following the section break.

Continuous section breaks
You can use continuous section breaks to divide your document into sections without including page breaks. This way, you have the freedom to allow your documents’ pages to break automatically as necessary, but you still have the power to apply isolated formatting to single sections in your document. Continuous section breaks are particularly handy when you want to use different numbers of columns on the same page, as with a flyer or a newsletter.

Even page and odd page section breaks
Even page and odd page section breaks work much the same as next page section breaks. Each inserts a section break at the insertion point and begins a new section. However, instead of beginning the new section on the next page, as the next page section break does, even page and odd page section breaks begin the new section on the next even- or odd-numbered page, respectively.

For example, if you insert an odd page section break on page 3 of your document, Word inserts a section break and begins the new section on page 5. Even page and odd page section breaks are useful when your document contains chapters and you want each new chapter to begin on either an even- or an odd-numbered page.

Adapt for Word 2007
In Word 2007, you can access any of the page breaks we discuss in this article through the Page Layout ribbon. In the Page Setup area, click the Breaks button and choose from the list of possible page and section breaks. You can also quickly insert a page break from the Insert ribbon. In the Pages section, click the Page Break button to immediately insert a page break.

Column breaks
Column breaks are special tools that enable you to control where to end a column in a multi-column document.

To insert a column break:

1. Select Insert Break from the menu bar.
2. Select the Column Break option button, and then click OK.

When you insert a column break, Word ends the column and moves all the text that follows to the next column. Column breaks are useful tools for fixing uneven columns. They’re denoted in Normal view and Print Layout (or Page Layout) view with a single dotted line and the words Column Break.

Text Wrapping breaks
Text Wrapping breaks are much like column breaks, except that they break lines of text instead of columns of text. Text wrapping breaks are available in all versions of Word 2000 and later except on the Mac.

To insert a Text Wrapping break:

1. Select Insert Break from the menu bar.
2. Select the Text Wrapping Break option in the Break dialog box and click OK.

Word denotes a text wrapping break by an arrow at the end of the line in Normal view and Print Layout (or Page Layout) view, and it begins the text that follows on a new line.

Conditional break techniques
The options available in the Break dialog box aren’t the end of the line when it comes to creative page breaking. You can also insert page breaks using the Line And Page Breaks property sheet.

To use the Line And Page Breaks property sheet:

1. Select Format Paragraph from the menu bar.
2. Click on the Line And Page Breaks tab.
3. Make the selections you’d like and click OK to apply the changes.

Here are the four features on the Line And Page Breaks sheet that you can use to control where Word places automatic page breaks as you type:

• Widow/Orphan Control. This feature prevents Word from printing the last line of a paragraph at the top of a page or the first line of a paragraph at the bottom of a page. Instead, Word adjusts the placement of automatic page breaks to allow at least two lines of a paragraph to appear at the top or bottom of a page.
• Keep Lines Together. This feature prevents Word from inserting a page break in the middle of a paragraph.
• Keep With Next. This feature prevents Word from inserting a page break between the selected paragraph and the paragraph that follows it.
• Page Break Before. This feature tells Word to insert a manual page break before the selected paragraph, ensuring that it begins on a new page.

Related Courses

• Word 2000, 2002, 2003, 2007 & 2007 New Features
• 4008 Building Better Microsoft Office Word 2003 Documents in Less Time