Chapter 13 - Legal Issues

Question 1

What are the different phases of the Security Incident Lifecycle?

Answer 1

1. Preparation
2. Detection, Analysis, Escalation
3. Containment
4. Eradication
5. Recovery
6. Reporting
   - some organizations may have regulatory and legal requirements to report any significant data breaches
7. Lessons Learned
8. Implement Countermeasures

Question 2

When handling evidence, what must be done in order to ensure evidence integrity and validity?

Answer 2

Chain of Custody

Question 3

What are the three phases of a Computer Forensic Investigation?

Answer 3

1. Acquisition
2. Authentication
3. Analysis

Question 4

What are some examples of common Forensic Toolkits?

Answer 4

Forensic Toolkit (FTK)
- Disk imaging, scanning and disk examination

Computer Online Forensic Evidence Extractor (COFEE)
- MS data analysis, distributed by Interpol

The Coroners Toolkit (TCT) The Sleuth Kit (TST)
- UNIX based analysis

Question 5

What is the Daubert Method?

Answer 5

The Daubert Method confirms the validity of evidence presented at a court of law.

Question 6

What are the 5 different components of the Daubert Method?

Answer 6

1. Testability
   - Has the technique been empirically tested and is it reliable and replicable?
2. Acceptance
   - Has the technique been subject to peer review and publication?
3. Error Rate
   - What is the known error rate of the technique?
4. Credibility
   - What are the expert’s qualifications and is the technique replicable?
5. Clarity
   - Can the technique, methodology and result be explained with sufficient clarity in a court of law?