Chapter 18: Incidents and Ethics Flashcards
What are the requirements for evidence to be admissible?
It must be relevant to determining a fact
The fact must be material to the case
The evidence must be competent (legally obtained)
What are the types of evidence?
Real, documentary, testimonial
What is real evidence
Things that can actually be brought into a courtroom, such as a murder weapon or a computer.
What is documentary evidence?
Any written items brought into court to prove a fact.
What is the best evidence rule?
The original document must be used unless certain exceptions apply.
What is the parol evidence rule?
When an agreement between parties is put into writing, it is assumed to be the complete agreement and no verbal agreements may modify it.
What is testimonial evidence?
Evidence consisting of the testimony of a witness either verbal or written.
What is the IOCE
International Organization on Computer Evidence
What are the six principles to guide digital evidence collection?
1) All of the general forensic and procedural principles must be applied
2) Actions taken should not change the evidence
3) When it’s necessary to access the original, the person should be trained for the purpose
4) All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
5) An individual is responsible for all actions taken with respect to digital evidence while it is in their possession
6) Any gency responsible for seizure, access, storage, or transfer of digital evidence must adhere to these principles.
What is media analysis?
The branch of computer forensic analysis concerned with identification and extraction of information from storage media.
What sources does network analysis draw from?
IDS/IPS logs, network flow captured by a flow monitoring system, packet captures collected during an incident, logs from firewalls and other network security devices
What is software analysis?
Examination of a running application or review of software code to look for logic bombs, back doors, or other vulnerabilities. Can also include log review.
What is hardware/embedded device analysis?
Examination of the contents of PCs, smart phones, tablets, and embedded computers in cars, security systems, and other devices.
What are the principles of conducting an investigation?
Never conduct the investigation ont he actual compromised system. Take it offline and make a backup.
Never hack back.
If in doubt, call in expert assistance.
Begin using formal interviewing and interrogation techniques.
What are the major categores of computer crime?
military and intelligence attacks business attacks financial attacks terrorist attacks grudge attacks thrill attacks
