15 Digital Forensics Flashcards
What are the key objectives covered in Chapter 15?
Domain 4.0: Security Operations
Includes 4.8 Explain appropriate incident response activities.
What is digital forensics?
Investigation and analysis tools and techniques to determine what happened on a system or device.
What is the purpose of digital forensics?
To respond to legal holds and electronic discovery requirements, support internal investigations, and assist in incident response.
What are legal holds?
Notifications sent by opposing counsel to preserve and retain data.
What is chain of custody?
Practices that ensure the integrity of evidence in the electronic discovery process.
What does forensic data acquisition involve?
Capturing forensic artifacts at greatest risk of being lost, known as the order of volatility.
What is the order of volatility?
Identifies forensic artifacts that need to be captured first due to their risk of being lost.
What must be ensured for data captured in digital forensics?
That it is admissible in court and useful as evidence.
What is required for digital forensic preservation efforts?
Tools and agreements to handle the need for forensic data from cloud providers.
What are examples of forensic acquisition tools?
- dd
- FTK Imager
- WinHex
Why is validation important in digital forensics?
To ensure the integrity and accuracy of the forensic data captured.
How can image validation be performed?
Manually.
What should a forensic report include?
Details about the findings and processes used in the investigation.
What role does forensics play in intelligence and counterintelligence?
To support activities related to data analysis and incident response.
What is digital forensics used for?
Responding to legal cases, conducting internal investigations, supporting incident response processes
Digital forensics techniques are essential for various organizational tasks.
What types of data can be acquired in digital forensics?
Drives, files, copies of live memory, digital artifacts
Digital forensic data can come from multiple sources generated during normal computer and network usage.
Why is planning forensic information gathering crucial?
To have a complete and intact picture of what occurred
Effective planning ensures all relevant data is collected for analysis.
What role does documentation play in digital forensics?
Necessary for observing, concluding from data, and supporting conclusions
Documentation includes timelines, sequences of events, and evidence.
What can interviews with individuals involved in a case provide?
Important clues
Understanding human behavior is essential in forensic investigations.
What is a legal hold?
A notice to preserve data and records that might be destroyed or modified
Legal holds are crucial when litigation is pending or anticipated.
Define ‘spoliation of evidence’.
Intentionally, recklessly, or negligently altering, destroying, fabricating, hiding, or withholding evidence
Spoliation can negatively impact an organization in court.
What is e-discovery?
An electronic discovery process for obtaining evidence in legal cases
E-discovery is part of the broader discovery process.
List the nine stages of the Electronic Discovery Reference Model (EDRM).
- Information governance
- Identification
- Preservation
- Collection
- Processing
- Review
- Analysis
- Production
- Presentation
The EDRM provides a framework for managing e-discovery.
What is the challenge of preserving electronic information?
Data is frequently used or modified, complicating preservation under legal holds
Organizations must effectively manage data to comply with legal requirements.