Chapter 9 - Legal Regulations, Investigations, & Compliance

Question 1

Where does the greatest risk of cybercrime come from? A. Outsiders B. Nation-states C. Insiders D. Script kiddies

Answer 1

C. Insiders

Question 2

What is the largest hindrance to fighting computer crime? A. Computer criminals are generally smarter than computer investigators B. Adequate funding to stay ahead of the computer criminals C. Activity associated with computer crime is truly international D. There are so many more computer criminals than investigators that it is impossible to keep up

Answer 2

C. Activity associated with computer crime is truly international

Question 3

Computer forensics is the marriage of computer science, information technology, and engineering with … A. Law B. Information Systems C. Analytical thought D. The scientific method

Answer 3

A. Law

Question 4

What principal allows an investigator to identify aspects of the person responsible for a crime when, whenever committing a crime, the perpetrator leaves residual traces while stealing information? A. Meyer’s principal of legal impunity B. Criminalistic principals C. IOCE/Group of 8 Nations prinicpals for computer forensics D. Locard’s principle of exchange

Answer 4

D. Locard’s principle of exchange

Question 5

Which of the following is part of the 5 rules of evidence? A. Be authentic, be redundant, and be admissable B. Be complete, be authentic, and be admissable C. Be complete, be redundant, and be authentic D. Be redundant, be admissable, and be complete

Answer 5

B. Be complete, be authentic, and be admissable

Question 6

What is not mentioned as a phase of an incident report? A. Documentation B. Prosecution C. Containment D. Investigation

Answer 6

B. Prosecution

Question 7

Which best emphasizes the abstract concept of law and is influenced by the writings of legal scholars and academics? A. Criminal Law B. Civil Law C. Religious Law D. Administrative Law

Answer 7

B. Civil Law

Question 8

Which type of intellectual property covers the expression of ideas rather than the ideas themselves? A. Trademark B. Patent C. Copyright D. Trade Secret

Answer 8

B. Copyright

Question 9

Which type of intellectual property protects the goodwill a merchant or vendor invests in its products? A. Trademark B. Patent C. Copyright D. Trade Secret

Answer 9

A. Trademark

Question 10

Which of the following are computer forensic guidelines? A. IOCE, MOM, SWGDE B. MOM, SWGDE and IOCE C. IOCE, SWGDE amd ACPO D. ACPO, MOM and IOCE

Answer 10

C. IOCE, SWGDE and ACPO

Question 11

Which of the following are categories of software licensing? A. Freeware, Open Source, and Commercial B. Commercial, Academic, and Open Source C. Academic, Freeware and Open Source D. Freeware, Commercial and Academic

Answer 11

D. Freeware, Commercial, Academic

Question 12

What are the rights and obligations of individuals and organizations with respect to the collection, use, retaintion, and disclosure of personal information BEST related to? A. Privacy B. Secrecy C. Availability D. Reliability

Answer 12

A. Privacy

Question 13

Triage encompasses which of the following incident response subphases? A. Collection, transport, testimony B. Tracebacl, feedback, loopback C. Detection, identification, notification D. Confidentiality, itegrity, availabiliyt

Answer 13

C. Detection, identification, notification

Question 14

The integrity of a forensic bit stream image is determined by: A. Comapring hash totals to the original source B. Keeping good notes C. Taking pictures D. Encrypted keys

Answer 14

A. Comparing hash totals to the original source

Question 15

When dealing with digital evidence,the crime scene A. Must never be altered B. Must be completely reproducible in a court of law C. Must exist only in one country D. Must have the least amount of contamination that is possible

Answer 15

D. Must have the least amount of contamination as possible

Question 16

When outsourcing IT systems A. All regulatory and compliance requirements must be passed on to the provider B. the outsourcing organization is free from compliance obligations C. the outsourced IT systems are free from from compliance obligations D. the provider is free from compliance obligations

Answer 16

A. All regulatory and compliance requirements must be passed on to the provider

Question 17

The (ISC)2 code of ethics resolves conflicts between canons by A. there can never be conflicts between canons B. working through adjudication C. the order of the canons D. vetting all canon conflicts through the coard of directors

Answer 17

C. the order of the canons

Question 18

When dealing with digital evidence, the crime scene A. Must never be altered B. Must be completely reproducible in a court of law C. Must exist only in one country D. Must have the least amount of contamination that is possible

Answer 18

D. Must have the least amount of contamination as possible

Question 19

To ensure proper forensics action when needed, - an incident response progam should … A. Avoid conflicts of interests by ensuring organization legal council is not part of the process B. Routinely create forensic images of all desktops and servers C. Only promote dlosed incidents to law enforcement D. Treat every incident a though it may be a crime

Answer 19

D.Treat every incident as though it may be a crime

Question 20

A hard drive is recovered from a submerged vehicle. The drive is needed for a court case. What is the best approach to pull information off the drive? A. Wait for the drive to dry and then install it is a desktop and attemp to retrieve the information via normal operating system commands B. Place the drive in a forensic oven to dry it and then use a degausser to remove any residual humidity prior to installing the drive in a laptop and using the OS to pull off the information C. While the drive is still wet use a forensic bit to bit copy program to ensure the drive is preserved in its “native” state D. Contact a professional data recovery organization, explain the situation and request they pull a forensic image

Answer 20

D. Contact a professional data recovery organization, explain the situation and request they pull a forensic image

Question 21

Common Law

Answer 21

Based on legal precedents, past decisions, an societal traditions - judges not actively involved in the determination of facts - common law now relies on statutes and regulations: Crimimal, Tort and Administrative. Criminal - harmful to public; tort - against individual or business (origin - criminal law); administrative - artifact of Anglo-American common law lega system = governance of public bodies - proper scope

Question 22

Civil Law

Answer 22

Roman Empire, Napolean-Code of France 1804-thought to be a codification of law, reliance on legislation over jurisprudence - this is not accurate in all places. Emphasizes abstract concepts, influenced by writings legal scholars and academics, judges distinct from lawyers and play a more active role.

Question 23

Customary Law

Answer 23

Reflect’s scoeity’s norms and values

Question 24

Religious Law

Answer 24

Discover truth of law

Question 25

Mixed Law

Answer 25

Convergence of two or more legal systems

Question 26

Liability

Answer 26

Legally responsible - negligence is acting without care or failure to act as a reasonable person

Question 27

Computer Crime

Answer 27

As a tool, as a target (viruses, digital identity theft, computer hacking), or incidental. Greatest risk comes from the inside.

Question 28

Council of Europe (COE) Convention on Cyber crime -

Answer 28

Attempt to respond to criminal behaviors, 30 countries - laws against child porn, ability to prosecute cybercrime, provide international cooperation.

Question 29

Licensing & Intellectual Property

Answer 29

Laws - protect tangible and intangible items.

Question 30

Industrial property

Answer 30

Inventions, trademarks, industrial designs and geographic indications of source

Question 31

Copyright

Answer 31

Literary and artistic work; expression of ideas - minimum 50 years (covered under Berne Convention)

Question 32

Trademark

Answer 32

Good will invested - word, name, symbol, color, sound, product shape, device or a combination to identify goods - registered with government registrar WIPO (UN Agency) manages.

Question 33

Patent (strongest)

Answer 33

Exclude others from practicing invention for a specific time - usually 20 years

Question 34

Trade Secret

Answer 34

not generally known and provides economic benefit, reasonable steps to protect secrecy

Question 35

Licensing Issues

Answer 35

42% worldwide - for every $2 in software legally purchased, $1 pirated

Question 36

Master agreements

Answer 36

General overall condidtions

Question 37

End-user licensing

Answer 37

More granular conditions and restrictions

Question 38

Import/Export

Answer 38

Maybe illegal to import software - e.g. encryption

Question 39

Transborder Data Flow

Answer 39

Developed in one country, transmitted through another, and stored in a third - latter can gain jurisdiction

Question 40

Privacy

Answer 40

Organization of Economic Cooperation and Development (OECD): Collection limiation; Data quality; Purpose specification; Use limitation; Security safeguards; Openness; Individual participation; and Accountability

Question 41

Employee Monitoring and Surveillance

Answer 41

Europe’s Directive in Data Protection: Notice - types of 3rd parties or other uses; Choice - Must be explicit with use - opt out of third party; Onward Transfer - written agreement with third party to adhere to same level of privacy protection; Security - loss, misues, unauthorized access, disclosure, alteration, and destruction protection; Data Integrity - reliable; Access - individual access; Enforcement - complaints investigated, damages awarded

Question 42

Cybernetics

Answer 42

Science of information feedback systems

Question 43

Walter Maner coined

Answer 43

“Computer Ethics”

Question 44

Regulatory requirement

Answer 44

Miminal ethic standard

Question 45

1991 US Federal Sentencing Guidelines for Organizations

Answer 45

Outlines minimal ethical requirements; provides reduced penalties if ethics programs are in place. Leader must be knowledeable about content and operation of program, exercise due diligence, promote ethical culture; Needs 3 sections: purpose of program, 7 minimum requirements, periodically assess.

Question 46

U.S. Sarbanes-Oxley Act

Answer 46

Accounting refore, attest to accuracy of financial reporting documents: Section 103 - Auditing, Quality, Control and Independence - register pulic accounting firms, establish audit and quality control ethics; New Item 406(a) - Regulation S-K companies disclose - written code of ethics applied to senior officers, any waivers to above, changes to code, and if no code of ethics explain why not.

Question 47

Computers in the Workplace

Answer 47

How they impact health and job satisfaction, computer crime, privacy and anonymity

Question 48

Debate on Intellectual Property

Answer 48

Free or get money for development efforts?

Question 49

Professional Responsibility and Globalization

Answer 49

Gloabal laws, business, education, information flows, rich & poor nations, and interpretation

Question 50

Computer Game Fallacy

Answer 50

Computers work with exacting accuracy; if computer allows it, it must be permissable

Question 51

Law-abiding Citizen Fallacy

Answer 51

Laws and reasonable behavior - some users do not realize ramifications of actions

Question 52

Shatter Proof Fallacy

Answer 52

What a person does with computer can do minimal harm - not considering impact of actions

Question 53

Candy from a baby Fallacy

Answer 53

Easy doesn’t make it right

Question 54

Hacker Fallacy

Answer 54

Acceptable to do anything as long as motivation isto learn and not profit

Question 55

Free information fallacy

Answer 55

Information wants to be free - emerged from so easy to ccopy

Question 56

Hacker

Answer 56

Originally a person who sought to understood - soon it became associated with Phreaking

Question 57

Stephen Levy - Hacker Ethic

Answer 57

• Access to compters unlimited - all information free - authority shold be mistrusted & decetralization promoted - hackers should be judeged solely on hacking skills - computers can create art and beauty - computer can change life for the better

Question 58

3 main hacker functions

Answer 58

-promote belief of individual activity -support free market approach to exchange of information -promote belief that computers can have a beneficial and life changing effect

Question 59

Code of Fair Information Practices

Answer 59

Similar to: Organization of Economic Cooperation and Development (OECD): Collection limiation; Data quality; Purpose specification; Use limitation; Security safeguards; Openness; Individual participation; and Accountability

Question 60

Internet Architecture Board (IAB) and RFC 1087

Answer 60

Unethical to: -gain unathorized access -disrupt intended use of internet -waste resources -destroy integirty of computer-based information -compromise privacy of users

Question 61

Computer Ethics Institute - 10 commandments

Answer 61

1. Thou shall not use a computer to harm other people 2. Thou shall not interfere with other people’s computer work 3. Thou shall not snoop around in other people’s computer files 4. Thou shall not use a computer to steal 5. Thou shall not use a computer to bear false witness 6. Thou shall not copy or use propreitary software for which you have not paid 7. Thou shall not use other people’s computer resources without authorization or proper compensation 8. Thou shall not appropriate other people’s intellectual output 9. Thou shalt think about the social consequences of the program you are writing or the system you are designing 10. Thou shalt always use a computer in ways that insure consideration and respect for you fellow humans

Question 62

National Conference on Computing Values

Answer 62

1. Preserve public trust and confidence in computers 2. Enforce fair information practices 3. Protect the legitimate interests of the constituents of the system 4. Resist fraud, waste, and abuse

Question 63

Working Group on Computer Ethics - End User’s Basic Tenets

Answer 63

1. I understand that just because something is legal, it isn’t necessary moral or right. 2. I understand that people are the ones hurt when computers are used unethically. The fact that computers exist between me and those harmed does not change moral responsibility toward my fellow human 3. I will respect the rights of authors - just because copying is easy, it is not necessarily right 4. I will not break into other people’s computers or read their information 5. I will not write, acquire or distribute harmful software

Question 64

National Computer Ethics and Responsiblities Campaign (NCERC)

Answer 64

Foster computer ethics awareness and education

Question 65

(ISC)2 Code of Professional Ethics

Answer 65

Professionals resolve conflicts between the canons in the order of the canons. Preamble - adhere to the code Canons: - Protect society, Common Wealth, & Infrastructure - Act honorably, honestly, justly, responsibly, legally - Provide diligent and competent service to principals -Advance and protect the profession

Question 66

Peter Tippett’s Action Plan to instill ethical computer culture

Answer 66

1. Develop guide to computer ethics 2. Develop policy to computer ethics 3. Add information to employee handbook 4. Expand business ethics policy 5. Learn about it 6. Foster awareness 7. E-mail privacy policy 8. Make sure employees know policy

Question 67

Golden Rule (Grupe, Garcia-Jay, Kuechler)

Answer 67

Treat others as you would like to be treated

Question 68

Kant’s Categorical Imperitive (Grupe, Garcia-Jay, Kuechler)

Answer 68

Action not right for everyone, not right for anyone

Question 69

Descartes’ Rule of change (Grupe, Garcia-Jay, Kuechler)

Answer 69

Action not repeatable at all times, not right at any time

Question 70

Utilitarian Principle (Grupe, Garcia-Jay, Kuechler)

Answer 70

Take action that achieves the greatest good

Question 71

Risk Aversion Principle (Grupe, Garcia-Jay, Kuechler)

Answer 71

Incure least harm or cost

Question 72

Avoid Harm (Grupe, Garcia-Jay, Kuechler)

Answer 72

Do no harm

Question 73

No Free Lunch (Grupe, Garcia-Jay, Kuechler)

Answer 73

All property and information belongs to someone

Question 74

Legalism (Grupe, Garcia-Jay, Kuechler)

Answer 74

Is it against the law?

Question 75

Professionalism (Grupe, Garcia-Jay, Kuechler)

Answer 75

Is action contrary to code of ethics?

Question 76

Evidentiary Guidance (Grupe, Garcia-Jay, Kuechler)

Answer 76

Is there evidence to support or deny the value of taking an action?

Question 77

Client Choice (Grupe, Garcia-Jay, Kuechler)

Answer 77

Let the people affected decide

Question 78

Equity (Grupe, Garcia-Jay, Kuechler)

Answer 78

Will cost and benefits be equally distributed?

Question 79

Competition (Grupe, Garcia-Jay, Kuechler)

Answer 79

Knowledge of Market - build/buy - aware of risk?

Question 80

Compassion/Last Chance (Grupe, Garcia-Jay, Kuechler)

Answer 80

Equal opportunities exist?

Question 81

Impartiality/Objectivity (Grupe, Garcia-Jay, Kuechler)

Answer 81

Are decisions biased?

Question 82

Openness/Full Disclosure (Grupe, Garcia-Jay, Kuechler)

Answer 82

Are people affected aware of system, data being collected?

Question 83

Confidentiality (Grupe, Garcia-Jay, Kuechler)

Answer 83

Protect information where need to know is not proven, security features reduces to hold down expenses

Question 84

Trustworthiness/Honesty (Grupe, Garcia-Jay, Kuechler)

Answer 84

Accountable for actions

Question 85

Michael Davis Ethics Code

Answer 85

Contract between professionals

Question 86

Donn Parker Ethical Principles

Answer 86

1. Informed consent 2. Higher ethic in the worst case 3. Change of scale test 4. Owners’ conservation of ownership 5. Users’ conservation of ownership

Question 87

Digital Investigation

Answer 87

Methodical, verifiable, & auditable - set of procedures and practices

Question 88

Digital Forensic Science

Answer 88

Collection, Validation, identification, analysis, interpretation, documentation, and presentation of digital evidence

Question 89

International Organization of Computer Evidence

Answer 89

(IOCE)

Question 90

Scientific Working Group in Digital Evidence

Answer 90

(SWGDE)

Question 91

Association of Chief POlice Officers

Answer 91

(ACPO)

Question 92

Generic Guidelines for Forensic Evidence

Answer 92

• Identifying Evidence - Collecting or Acquiring Evidence - Examing or Analyzing the Evidence - Presentation of Findings

Question 93

Crime Scene

Answer 93

Indentify the scene, protect the environment, identify evidence and potential sources of evidence, collect evidence, and minimize the degree of contamination - both physical (servers) and virtual (Data)

Question 94

Locard’s Principle of Exchange

Answer 94

When a crime is committed the perpetrators leave something behind and take something with them

Question 95

MOM

Answer 95

Means, Motive and Opportunity

Question 96

MO

Answer 96

Modus of operandi - method of operation

Question 97

Incident Response

Answer 97

Identifying root cause correctly and quickly is extremely important

Question 98

General Guidelines for Investigation

Answer 98

• All general forensic principles apply also with digital evidence - actions should not change the evidence - person should be trained to access original digital evidence - all activity relating to seizure, access, storage, or transfer must be documented, preserved and available for review - individual is responsible for all actions while digital evidence is in his possession - agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles

Question 99

Advice for any form of incident response

Answer 99

Act ethically, in good faith, attempt to do no harm, and do not exceed one’s knowledge, skills and abilities

Question 100

Rule of Thumb for Investigator’s Methodology

Answer 100

• Minimize handling/corruption of original data - Account for any changes and keep logs - Comply with 5 rules of evidence - Don’t exceed knowledge - Follow your local security policy and obtain written permission - Capture as accurate an image of the system as possible - Be prepared to testify - Ensure your actions are repeatable - Work fast - Proceed from volatile to persistent evidence - Do not run any programs on the affected system

Question 101

Framework for Incident Handling

Answer 101

• Creation of a Response Capability - Incident Response & HAndling - Recovery & Feedback

Question 102

CERT/CC - Computer Emergency Response Team Coordination Center at Carnegie Melon

Answer 102

Incident handling model is circular and feeds back into itself - can be broken down into triage, investigation, containment, and analysis and tracking.

Question 103

Triage Phase

Answer 103

Encompasses detection, identification and notification. False positives are one of the most time consuming aspects of information security. If not a false positive then the next step is to classify the type of incident then down to more specific and granular characteristics - this determines the level of potential risk/criticality and to determine notifications required.

Question 104

Investigative Phase

Answer 104

Analysis, interpretation, reaction, and recovery from an incident. Desired outcome is to reduce impact, identify root cause, get back up and running and prevent a reoccurrence.

Question 105

Containment

Answer 105

Reduce the number of other systems and devices that can become affected. Proper documentation must be maintained.

Question 106

Analysis and Tracking

Answer 106

Focus on determining root cause - look at initial event, not just the symptoms. Attempt to determin source and point of entry. Ability to read and parse through large log files.

Question 107

Recovery Phase

Answer 107

Get system back up and running. Also, so it can withstand another directed incident. Before putting back it should be tested for vulnerabilities and weaknesses.

Question 108

Chain of Custody

Answer 108

who, what, when, where, and how the evidence was handled from identification through its entire life cycle which ends with destruction or permanent archiving.

Question 109

Ensuirng authenticity and integrity of evidence is critical.

Answer 109

Currently relies on hash functions that create unique numberical signatures that are sensitive to any bit changes, e.g. SHA-256

Question 110

Interviewing

Answer 110

An art and science - only properly trained individuals. Investigator can be charged if violations of policy, law or constituional rights are violated. Do not conduct alone and video tape if possible. Legal counsel should be present.

Question 111

End of Incident Phase

Answer 111

Should not end without debriefing and feedback - metric data can start being built as well.

Question 112

Five rules of evidence

Answer 112

• Be authentic - Be accurate - Be complete - Be convincing - Be admissable

Question 113

Media analysis

Answer 113

recovery of information for hard drvise, DVDs, CD-ROMs or portable memory devices

Question 114

Network Analysis

Answer 114

Coined by Markus Ranum. Data from network logs and network activity

Question 115

Software Analysis

Answer 115

anaysis and examination of program code

Question 116

Author identification

Answer 116

unique style and eccentricities

Question 117

Content analysis

Answer 117

Finding purpose of the code

Question 118

Context analysis

Answer 118

develop meta view of the impact of the suspicious software

Question 119

US National Institute of Standards for hardware/embedded devices

Answer 119

• no actions performed by investigators should change data contained on digital devices or storage media - individuals accessing original data must be competent to do so and have the ability to explain their actions - an audit trail or other record of applied processes, suitable for independent third party review, must be created and preserved, accurately documenting each investigative step - the person in charge of the investigation has overall responsibility for ensuring the above mentioned procedures are followed in compliance with governing laws - upon seizing digital evidence, actions taken should not change that evidence - when it is necessary for a person to access original digital evidence, that person must be forensically competent -all activity relating to the seizure, access, storage, or transfer of digital evidence must be full documented, preserved, and available for review - an individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession

Question 120

Health Insurance Portablity and Accontability Act (HIPPA)

Answer 120

Law reuires organizations to comply with reporting information security breaches and several other controls - failure to comply mean fines for an organization

Question 121

Federal Information Security Management Act (FISMA)

Answer 121

Requires agencies to self-audit and have an independent auditor review their security implementation annually