19 - Investigation and Ethics Flashcards
What are the different Investigation Types?
- Administrative: Examines either operational issues or a violation of the organization’s policies.
- Criminal: Conducted by law enforcement, may result in charging someone with a crime. Usually must meet Beyond a Reasonable Doubt standard of evidence.
- Civil: Usually done on behalf of a legal team and may result in evidence for a civil court case. Usually must meet the Preponderance of the Evidence standard (more likely than not).
- Regulatory: Determines if an individual or organization has violated administrative law.
- Electronic Discovery (eDiscovery): Processing electronic information for disclosure.
What are the 9 steps of eDiscovery?
- Information Governance: Organizes data for future efforts
- Identification: Locate relevant info
- Preservation: Protect info
- Collection: Gather info in central location
- Processing: Removes irrelevant info
- Review: Determines what info is relevant to the request and removes any privileged info.
- Analysis: Deeper inspection of content and context
- Production: Put info in a format that may be shared with others.
- Presentation: Displays info to witnesses, the court, and other parties.
What are the requirements for Admissible Evidence?
- Must be relevant to determining a fact
- The fact must be related to the case
- The evidence must be competent (must be obtained legally)
What are the different types of Evidence?
- Real Evidence (Object Evidence): Things that may be physically/actually brought into court
- Documentary Evidence: Written items that may prove a fact at hand but also must be authenticated.
  - Best Evidence Rule: Original copies must be used when available
  - Parol Evidence Rule: When an agreement between parties is put into written form, the written doc is assumed to contain all the terms of the agreement.
- Testimonial Evidence: Testimony of a witness, verbal or written. Requires an oath of truth and personal knowledge of the testimony, must not be hearsay.
What is Chain of Custody?
Documents everyone who has handled or taken responsibility for the evidence and when they handed it off to someone else.
A label can be included that has:
- Description
- Time/Date Collected
- The exact location of origin
- Name of Collector
- Relevant circumstances surrounding it
What are the 6 principles of digital analysis outlined by IOCE?
- All general forensic and procedural principles must be applied.
- Actions taken should not change the evidence
- Only trained personnel should be able to access original evidence
- All activity related to the evidence should be documented, preserved, and available for review
- An individual is responsible for all actions taken when evidence is in their possession.
- Any agency responsible for evidence must comply with these principles.
What are the different types of Forensic Analysis?
- Media Analysis: Identification and extraction of info from storage media.
- Network Analysis: Interest in the activity that took place over the network during an incident. Produce a comprehensive picture from different sources:
  - IDS/IPS logs
  - Flow data
  - Packet captures
  - Firewall/network device logs
- Software Analysis: Review of an application, its running code, and/or logs to look for signs of malicious activity.
- Hardware/Embedded Device Analysis: Review of devices such as PCs, smartphones, tablets, and embedded devices in vehicles, security systems, etc.
What are some steps in the Investigation Process?
- Gathering Evidence: Confiscate equipment when necessary, use a subpoena, search warrant
- Calling in Law Enforcement
- Conducting the Investigation:
  - Never conduct an investigation on the actual system. Always make a copy.
  - Never “Hack Back”
  - Call in expert assistance.
- Interviewing Individuals: Speaking with individuals who might have info relevant to your investigation.
  - Interview: Gather only info to assist in your investigation
  - Interrogation: If you suspect the person is involved in the crime and intend to use that info in court.
- Data Integrity and Retention:
  - Protect all logs. Consider remote logging to prevent purging
  - Ensure data has not been tampered with
- Reporting and Documenting Investigations: Final report that documents the goals, procedures followed, evidence collected, and final results.
What are the different categories of Computer Crime?
- Military and Intelligence Attacks: Launched to primarily obtain secret/restricted info from LE/military resources.
- Business Attacks: Illegally obtaining an organization’s confidential info.
  - aka Corporate Espionage
- Financial Attacks: To unlawfully obtain money or services.
- Terrorist Attacks: To instill fear and cause disruption to normal life.
- Grudge Attacks: Attacks motivated by resentment or someone who wishes ill will to an organization.
- Thrill Attacks: Attacks launched only for the fun of it.
What is a Computer Crime?
Any crime or violation of law/regulation, that involves a computer.
What are Ethics?
The rules that govern personal conduct.
What is the ISC2 Code of Ethics?
- Preamble:
  - The safety and welfare of society and the common good, duty to our principals, and to each other requires that we adhere to the highest ethical standards of behavior.
  - Therefore, strict adherence to this code is a condition of certification
- Canons:
  - Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  - Act honorably, honestly, justly, responsibly, and legally.
  - Provide diligent and competent service to principals.
  - Advance and protect the profession.
What are the activities that are outlined in RFC 1087 that are considered unethical?
- Seeks to gain unauthorized access to the resources of the internet
- Disrupts the intended use of the internet
- Wastes resources
- Destroys the integrity of computer-based information
- Compromises the privacy of users.
What are the 10 Commandments of Computer Ethics?
- Thou shalt not use a computer to harm other people
- Thou shalt not interfere with other people’s computer work
- Thou shalt not snoop around in other people’s computer files
- Thou shalt not use a computer to steal
- Thou shalt not use a computer to bear false witness
- Thou shalt not copy proprietary software for which you have not paid
- Thou shalt not use people’s resources without authorization or proper compensation
- Thou shalt not appropriate other people’s intellectual output
- Thou shalt think about the social consequences of the program you are writing or the system you are designing
- Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.