CHFI_CH1 Flashcards
Rule 105
Limited Admissibility: If the court admits evidence that is admissible against a party or for a purpose — but not against another party or for another purpose — the court, on timely request, must restrict the evidence to its proper scope and instruct the jury accordingly.
Incident Response Flow
Step 1: Preparation for Incident Handling
Step 2: Incident Recording and Assignment
Step 3: Incident Triage
Step 4: Notification
Step 5: Containment
Step 6: Evidence Gathering and Forensic Analysis
Step 7: Eradication
Step 8: Recovery
volatile data examples
RAM holds the most volatile data; it is discarded when the device is powered off. Other volatile data includes system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.
The Electronic Communications Privacy Act
This act and the Stored Wire Electronic Communications Act are commonly referred together as the Electronic Communications Privacy Act (ECPA) of 1986, which comes under 18 U.S.C. §§ 2510-2523.
SWGDE Principle 1
In order to ensure that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system.
SWGDE 1.7
Any action that has the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner.
SWGDE 1.6
All activity related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.
SWGDE 1.5
The agency must use hardware and software that are appropriate and effective for the seizure or examination procedure.
SWGDE 1.4
The agency must maintain written copies of appropriate technical procedures.
SWGDE 1.3
SOPs must be generally accepted or supported by data gathered and recorded in a scientific manner.
SWGDE 1.2
Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.
SWGDE 1.1
All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency’s policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency’s management authority.
SOC Workflow
Collection
Ingestion
Validation
Reporting
Response
Documentation
Singapore
Computer Misuse Act
Sarbanes-Oxley Act (SOX) of 2002
An act passed by U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations. The Sarbanes-Oxley Act (SOX) mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud.
Rule 1004
Admissibility of Other Evidence of Content: An original is not required and other evidence of the content of a writing, recording, or photograph is admissible if:
a. all the originals are lost or destroyed, and not by the proponent acting in bad faith;
b. an original cannot be obtained by any available judicial process;
c. the party against whom the original would be offered had control of the original; was at that time put on notice, by pleadings or otherwise, that the original would be a subject of proof at the trial or hearing; and fails to produce it at the trial or hearing; or
d. the writing, recording, or photograph is not closely related to a controlling issue.
Rule 1003
Admissibility of Duplicate: A duplicate is admissible to the same extent as the original unless a genuine question is raised about the original’s authenticity or the circumstances make it unfair to admit the duplicate.
Rule 1002
Requirement of the Original: An original writing, recording, or photograph is required in order to prove its content unless these rules or a federal statute provides otherwise.
Rule 1001: Definitions that apply to this article
(a) A “writing” consists of letters, words, numbers, or their equivalent set down in any form.
(b) A “recording” consists of letters, words, numbers, or their equivalent recorded in any manner.
(c) A “photograph” means a photographic image or its equivalent stored in any form.
(d) An “original” of a writing or recording means the writing or recording itself or any counterpart intended to have the same effect by the person who executed or issued it.
(e) A “duplicate” means a counterpart produced by a mechanical, photographic, chemical, electronic, or other equivalent process or technique that accurately reproduces the original.
Rule 901
Authenticating or Identifying Evidence: In general. To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is.
Rule 804
Exceptions to the Rule Against Hearsay: When the Declarant is Unavailable as a Witness
Rule 803
Exceptions to the Rule Against Hearsay: Regardless of Whether the Declarant is Available as a Witness: Parts 1-23
Rule 801: Definitions That Apply to This Article; Exclusions from Hearsay
“Hearsay” means a statement that
1. the declarant does not make while testifying at the current trial or hearing and
2. a party offers in evidence to prove the truth of the matter asserted in the statement.
Rule 801 Statements That Are Not Hearsay. Part 2
- An Opposing Party’s Statement. The statement is offered against an opposing party and:
A. was made by the party in an individual or representative capacity;
B. is one the party manifested that it adopted or believed to be true;
C. was made by a person whom the party authorized to make a statement on the subject;
D. was made by the party’s agent or employee on a matter within the scope of that relationship and while it existed; or
E. was made by the party’s coconspirator during and in furtherance of the conspiracy.
The statement must be considered but does not by itself establish the declarant’s authority under (C); the existence or scope of the relationship under (D); or the existence of the conspiracy or participation in it under (E).
Rule 801 Statements That Are Not Hearsay. Part 1
- A Declarant-Witness’s Prior Statement.
A. is inconsistent with the declarant’s testimony and was given under penalty of perjury at a trial, hearing, or other proceeding or in a deposition;
B. is consistent with the declarant’s testimony and is offered:
i. to rebut an express or implied charge that the declarant recently fabricated it or acted from a recent improper influence or motive in so testifying; or
ii. to rehabilitate the declarant’s credibility as a witness when attacked on another ground; or
C. identifies a person as someone the declarant perceived earlier.
Rule 705
Disclosing the Facts or Data Underlying an Expert’s Opinion: Unless the court orders otherwise, an expert may state an opinion — and give the reasons for it — without first testifying to the underlying facts or data. But the expert may be required to disclose those facts or data on cross-examination.
Rule 701: Opinion Testimony by Lay Witnesses
If a witness is not testifying as an expert, testimony in the form of an opinion is limited to one that is:
a. rationally based on the witness’s perception;
b. helpful to clearly understanding the witness’s testimony or to determining a fact in issue; and
c. not based on scientific, technical, or other specialized knowledge within the scope of Rule 702.
Rule 614
Court’s Calling or Examining a Witness:
a. Calling. The court may call a witness on its own or at a party’s request. Each party is entitled to cross-examine the witness.
b. Examining. The court may examine a witness regardless of who calls the witness.
c. Objections. A party may object to the court’s calling or examining a witness either at that time or at the next opportunity when the jury is not present.
Rule 609
Impeachment by Evidence of a Criminal Conviction
a. In general
b. Limit on using the evidence after 10 years.
c. Effect of a pardon, annulment, or certificate of rehabilitation.
d. Juvenile adjudications.
e. Pendency of an appeal
Rule 608. A Witness’s Character for Truthfulness or Untruthfulness
a. Reputation or opinion evidence.
b. Specific instances of conduct.
Rule 502
Attorney-Client Privilege and Work Product; Limitations on Waiver: disclosure made in a federal proceeding or to a federal office or agency; scope of a waiver.
Rule 402
General Admissibility of Relevant Evidence: Relevant evidence is admissible unless any of the following provides otherwise:
▪ the United States Constitution;
▪ a federal statute;
▪ these rules; or
▪ other rules prescribed by the Supreme Court.
Rule 104: 1-5
Preliminary Questions:
1. Questions of admissibility in general
2. Relevancy conditioned on a fact
3. Conducting a hearing so that the jury cannot hear it
4. Cross-examining a defendant in a criminal case
5. Evidence relevant to weight and credibility
Rule 103.
Rulings on Evidence
(a) Preserving a Claim of Error
(b) Not needing to renew an objection or offer of proof
(c) Court’s statement about the ruling; directing an offer of proof
(d) Preventing the jury from hearing inadmissible evidence
(e) Taking Notice of Plain Error
Rule 102. Purpose
These rules should be construed so as to administer every proceeding fairly, eliminate unjustifiable expense and delay, and promote the development of evidence law, to the end of ascertaining the truth and securing a just determination.
Rule 101. Scope
These rules apply to proceedings in United States courts. The specific courts and proceedings to which the rules apply, along with exceptions, are set out in Rule 1101.
Privacy Act of 1974
5 U.S.C. § 552a, establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies.
Philippines
The Data Privacy Act of 2012 seeks to ensure “the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.”
Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
non-volatile data examples
Permanent data on secondary storage such as hard disks and memory cards: hidden files, slack space, swap file, index data files, unallocated clusters, unused partitions, hidden partitions, registry settings, and event logs.
National Information Infrastructure Protection Act of 1996
Revises federal criminal code provisions regarding fraud and related activity in connection with computers.
Italy
Penal Code Article 615 ter
India
Information Technology Act
Incident Response Process Flow
Step 1: Preparation for Incident Handling and Response
Step 2: Incident Recording and Assignment
Step 3: Incident Triage
Step 4: Notification
Step 5: Containment
Step 6: Evidence Gathering and Forensic Analysis
Step 7: Eradication
Step 8: Recovery
Step 9: Post-Incident Activities
Hong Kong
Cap. 486 Personal Data (Privacy) Ordinance (PDPO)
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Provides federal protections for individually identifiable health information held by covered entities and their business associates and offers patients an array of rights with respect to such information.
Gramm-Leach-Bliley Act (GLBA)
Enacted in 1999, requires financial institutions (companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.
Germany
Section 202a. Data Espionage
General Data Protection Regulation (GDPR)
Proposed set of regulations adopted by the European Union to protect Internet users from clandestine tracking and unauthorized personal data usage.
Freedom of Information Act (FOIA)
1966 law that allows citizens to obtain copies of most public records
Foreign Intelligence Surveillance Act of 1978 (FISA)
FISA prescribes procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign power.
Federal Information Security Modernization Act of 2014 (FISMA)
FISMA was introduced as an amendment to the Federal Information Security Management Act of 2002, which was implemented to provide a framework for federal information systems to have more effective information security controls in place.
ECPA Title III
addresses pen register and trap and trace devices and requires government entities to obtain a court order authorizing the installation and use of a pen register.
ECPA Title II
SCA
Also called the Stored Communications Act (SCA), Title II protects the privacy of the contents of files stored by service providers and of records held about the subscriber by service providers, such as subscriber name, billing records, or IP addresses.
ECPA Title I
Prohibits the intentional, actual, or attempted interception, use, disclosure, or “procure[ment] [of] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication.” Title I also prohibits the use of illegally obtained communications as evidence.
digital evidence
Evidence consisting of information stored or transmitted in electronic form.
Data Protection Act 2018
Aims to protect the rights of the owners of data - the data subjects. It does not protect the data itself.
cybercrime
Any illegal Internet-mediated activity that takes place in electronic networks, computers, or their applications.
criminal cases
Involve actions that go against the interests of society; the burden of proving that the accused is guilty lies entirely with the prosecution. These are cases considered harmful to society and involve action by law enforcement.
Computer Security Act of 1987
one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices
civil investigation
disputes between two parties, such as an individual versus a company; an individual versus another individual; a company versus another; or in some countries, a government regulatory agency versus an individual (or a company)
Canada
Canadian Criminal Code Section 342.1
Brazil
Unauthorized modification or alteration of the information system
Best Evidence Rule
states that the court only allows the original evidence of a document, photograph, or recording at the trial and not a copy.
Belgium
Article 550(b) of the Criminal Code - Computer Hacking
Australia laws
Cybercrime Act 2001 and Information Privacy Act 2014
administrative investigation
- Part of regulation involves ensuring conduct is legitimate
- May investigate organizations or individuals to discover if their employees, clients, and partners are complying with rules or policies
ACPO Principle 4
The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
ACPO Principle 3
An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
ACPO Principle 2
Competency
In circumstances where a person finds it necessary to access original data held on a computer, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
ACPO Principle 1
Integrity
No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data, which may subsequently be relied upon in court.