Chapter 19 Flashcards
Administrative investigations
- examine operational issues or violation of org policies
- may be operational investigation - less stringent evidence; root cause analysis -> remediation
- if not operational, then may require stronger standard evidence
Criminal investigations
- violation of criminal law
- evidence must prove beyond reasonable doubt
Civil investigations
- preponderance of evidence
- evidence demonstrates outcome as more likely than not
Regulatory investigations
- conducted by gov’t against administrative law
- can sometimes be against industry standards by orgs
Electronic Discovery Reference Model (EDRM)
a.k.a. eDiscovery
- Info governance - well organized for future eDiscrovery
- Identification - locate
- Preservation - prevent alteration or deletion
- Collection - gather centrally
- Processing - rough cut
- Review - remove irrelevant info or attorney-client privilege info
- Analysis - deeper screening
- Production - put in sharable format
- Presentation
Admissible Evidence
- evidence must be relevant
- evidenced fact must be material (related to case)
- must be competent (legally obtained)
Types of evidence
- Real evidence (objects)
- Documentary evidence
- Best evidence rule - original
- Parol evidence rule - must be written agreement, no verbal change - Testimonial evidence
- Direct evidence
- Expert opinion - 3rd party SME - Demonstrative evidence - items used to support testimonial evidence
Artifacts and evidence collection guidleines
- Must not change evidence
- Must be forensically competent
- Activities must be documented
- Responsible for everything
- Agents must also adhere to these guidelines
Types of analysis
Media analysis
In-memory analysis
Network analysis
Software analysis
Hardware/Embedded device analysis
Media analysis
- use write blocker to prevent accidental write
- take hash
- take back up
In-memory analsys
- take mem dump
- take hash
Locard’s Exchange Principle
Every contact leaves a trace
- applies to digital world as well
Investigation Process
- Gathering evidence
- Calling in law enforcement
- Conducting Investigation
- Interview individuals
- Data integrity and retention
- Document the investigation
Gathering evidence
- voluntary surrender
- subpoena
- plain view doctrine - can seize if in plain sight
- search warrant
- exigent circumstance - seize if believe will be destroyed
Fourth amendment (as applied to warrants)
- must have warrant to search
- only probably cause needed to issue warrant
- warrant must have specific scope
Interview - gather info
Interrogation - question suspect of crime and use in court
Types of Computer Crime
- Military and intelligence attacks
- Business attacks
- Financial attacks
- Terrorist attacks
- Grudge attacks
- Thrill attacks
- Hacktivist attacks - political motivation
ISC2 Code of Ethics
- Protect society, the common good, necessary public trust and
confidence, and the infrastructure. - Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Complains:
Canon 1 & 2 - Member of public
Canon 3 - principal
Canon 4 - Any certified professional
- Must be in writing and in form of sworn affidavit
RFC 1807 - acceptable Internet use
Should not:
- unauthorized access to resources
- disrupt intended use
- wasteful use of resources
- destroy integrity of info
- compromise user privacy
