Chapter 19 Investigations Flashcards
What is the electronic discovery reference model?
Each side has a duty to preserve evidence and share information with the adversary. Applies to both paper and electronic records. The Electronic Discovery Reference Model (EDRM) has 9 aspects:
–Information governance: information should be well-organized
–Identification: Locates information that may be responsive to a discovery request
–Preservation: Ensures potentially discoverable information is not deleted or altered
–Collection: Gathers the related information
–Processing: Screens the collected information to perform a “rough cut” of irrelevant information
–Review: Examines remaining information to see what is relevant and what is protected by attorney-client privilege
–Analysis: Performs deeper inspection of remaining information
–Production: Places the information into a format where it can be shared
–Presentation: Displays the information to witnesses, the court, and other parties
What are the requirements for evidence to be admissible?
Three basic requirements: the evidence must be relevant to determining a fact; the fact that the evidence supports must be material to the case; and the evidence must be competent, i.e. it must have been obtained legally.
What are the types of evidence?
Real evidence. AKA object evidence. Things that can be brought into a court: a murder weapon, clothing, seized computer equipment, a keyboard with fingerprints, etc. May also be considered “conclusive” evidence, like DNA, that cannot be refuted.
Documentary evidence. Any written items brought into the court. Must be authenticated. For example, if you introduce a computer log, a witness must testify that the log was collected as a routine business practice and is the actual log that the system collected. Two additional evidence rules apply: the original evidence should be introduced, based on the “best evidence” rule. Also, the parol evidence rule says that when an agreement between parties is put into written form, the written agreement is assumed to contain all terms; verbal agreements do not apply.
Testimonial evidence. Either verbal testimony in court or written testimony in a deposition. The witness must take an oath and must have personal knowledge. Usually must be direct evidence, i.e. based on direct observation, unless it’s expert opinion.
Demonstrative evidence. Used to support testimonial evidence. Items that may or may not have been admitted separately, but can be used to help a witness explain a concept. Example: a diagram explaining the contents of a network packet or showing the process used to conduct a DDoS.
What are best practices for collecting digital evidence?
Only professionals should attempt to collect digital evidence. The International Organization on Computer Evidence (IOCE) outlines six principles:
–When dealing with digital evidence, all general forensic and procedural principles must be applied
–Upon seizing digital evidence, actions taken should not change the evidence
–When it is necessary for a purpose to access original digital evidence, that person should be trained
–All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented
–An individual is responsible for all actions taken with respect to the digital evidence while in their possession
–Any agency that is responsible for these actions is responsible for compliance with these principles
As you conduct forensics, you must preserve the original evidence. Work with a copy of the evidence whenever possible.
Media analysis: ID and extraction of information from storage media. Includes magnetic and optical media. Includes recovery of deleted files, live analysis of storage media connected to computer systems, and static analysis of forensic images. Analysts should never access hard drives or other media from a live system. Instead, power off the system after collecting other evidence, remove the storage device, and then attach the storage device to a dedicated forensic workstation, using a write blocker. After connecting a device to the forensic workstation, the analyst should immediately calculate a hash of the device contents and use forensic tools to create an image. The analyst should then compute a hash of the image to confirm it is identical to the original. Then preserve the original as evidence and use copies for analysis.
In-memory analysis: Investigators may want to collect information from the memory of live systems. This is hard to do without altering the contents. Use trusted tools to create a memory dump file and place it on a forensically prepared device such as a USB drive. The dump file contains the full contents of memory and can be used for analysis. Compute a hash of the file. Work from copies.
Network analysis: If you don’t record at the time of the incident, the information is generally not retained. So you either need prior knowledge that an incident is underway or preexisting security controls that log network activity. These include IDS/IPS logs, network flow data from a flow monitoring system, PCAP collected during an incident, and firewall logs. When collecting data during live analysis, use a SPAN port on a switch. If that is not possible, run a software protocol analyzer.
Software analysis: May need to review applications or activity that takes place within applications. For example, if malicious insiders are suspected, you may need to check code for logic bombs, backdoors, etc. Also may need to review logs from applications or database servers.
Hardware/Embedded Device analysis: Personal computers, smartphones, tablet computers, and embedded systems.
What does the (ISC)² Code of Ethics say?
Adherence to the code is a condition of certification.
I. Protect society, the common good, and infrastructure.
II. Act honorably, justly, responsibly, and legally.
III. Provide diligent and competent service.
IV. Advance and protect the profession.
Anyone can file a complaint under the first two canons (I and II); only an employer with a contracting relationship with someone can file a complaint under canon III, and other professionals (including anyone licensed or certified under a code of ethics) can complain under canon IV.
What does RFC 1087 say about ethics?
RFC 1087 from the Internet Architecture Board says you should not seek to gain unauthorized access; disrupt the intended use of the internet; waste resources through such actions; destroy the integrity of computer-based information; or compromise the privacy of users.