CISSP ch 19 Flashcards

1
Q

EDRM

A

Electronic Discovery Reference Model – standard process for conducting eDiscovery:

Information governance

Identification

Preservation

Collection

Processing

Review

Analysis

Production

Presentation

2
Q

Information governance (EDRM)

A

Ensures that information is well organized for future eDiscovery efforts

3
Q

Identification (EDRM)

A

Locates the information that may be responsive to a discovery request when the organization believes that litigation is likely

4
Q

Preservation (EDRM)

A

Ensures that potentially discoverable information is protected against alteration or deletion

5
Q

Collection (EDRM)

A

Gathers the relevant information centrally for use in the eDiscovery process

6
Q

Processing (EDRM)

A

Screens the collected information to perform a “rough cut” of irrelevant information, reducing the amount of information requiring a detailed screening

7
Q

Review (EDRM)

A

Examines the remaining information to determine what information is relevant to the request and removes any information protected by attorney-client privilege

8
Q

Analysis (EDRM)

A

Performs deeper inspection of the content and context of remaining information

9
Q

Production (EDRM)

A

Places the information into a format that may be shared with others and delivers it to other parties, such as opposing counsel

10
Q

Presentation (EDRM)

A

Displays the information to witnesses, the court and other parties

11
Q

Artifacts

A

Items of evidence that you maintain and may use in court; may include physical devices, and the logs and data generated by those devices

12
Q

NIST SP 800-86

A

National Institute of Standards and Technology’s Guide to Integrating Forensic Techniques into Incident Response

13
Q

Admissible evidence

A

Relevant, material and competent

Evidence must be relevant to determining a fact;

Fact that the evidence seeks to determine must be material (i.e., related) to the case; AND

Evidence must be competent, meaning that it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

14
Q

Real / object evidence

A

Things that may actually be brought into a court of law

Examples in criminal case: murder weapon, clothing or other physical objects

Examples in computer crime case: seized computer equipment, keyboard with fingerprints on it, hard drive from a malicious hacker’s computer system

Must be authenticated

15
Q

Authentication of real/object evidence

A

Witness must identify an object as unique and unaltered

If not possible to identify an object as unique, chain of evidence / chain of custody must be established

Chain of evidence documents everyone who handles the evidence, including the police who originally collect it, the evidence technicians who process it, and the lawyers who use it in court

Location of the evidence must be fully documented from the moment it was collected to the moment it appears in court

Requires thorough labelling of evidence and comprehensive logs, noting who had access to the evidence at specific times and the reasons they required such access

Each person who handles the evidence must sign the chain of custody log, indicating the time they took direct responsibility for the evidence and the time they handed it off to the next person in the chain of custody

16
Q

Content of chain of custody label

A

General description of the evidence

Time and date the evidence was collected

Exact location the evidence was collected from

Name of the person collecting the evidence

Relevant circumstances surrounding the collection

17
Q

Authentication of documentary evidence

A

E.g., if an attorney wants to introduce a computer log as evidence, they must bring a witness (e.g., a system administrator) into court to testify that the log was collected as a routine business practice and is indeed the actual log that the system collected

18
Q

parol evidence rule

A

When an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement

19
Q

business records exception to hearsay rule

A

Business records, such as the logs generated by a computer system, may be admitted as evidence if they were made at the time of the event by someone or something with direct knowledge, they were kept in the course of regular business activity, and keeping those records is a regular practice of the organization.

Business records can be authenticated / admitted by being accompanied by the testimony of an individual qualified to show that these criteria were met

20
Q

demonstrative evidence

A

Evidence used to support testimonial evidence

Consists of items that may or may not be admitted into evidence themselves but are used to help a witness explain a concept or clarify an issue

E.g., a diagram explaining the contents of a network packet or showing the process used to conduct a distributed denial of service attack

Admissibility of demonstrative evidence is a matter left to the trial court with the general principle that demonstrative evidence must assist the jury in understanding a case

21
Q

IOCE

A

International Organization on Computer Evidence

22
Q

IOCE principles

A

Principles to guide digital evidence technicians as they perform media analysis, network analysis and software analysis in the pursuit of forensically recovered evidence:

All general forensic and procedural principles must be applied

Upon seizing digital evidence, actions taken should not change that evidence

When it is necessary for a person to access original digital evidence, that person should be trained for this purpose

All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review

An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession

Any agency that is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles

23
Q

Media analysis techniques

A

Recovery of deleted files from unallocated sectors of the physical disk

Live analysis of storage media connected to a computer system (especially useful when examining encrypted media)

Static analysis of forensic images of storage media

Should never access hard drives or other media from a live system. Should power off the system, remove the storage device and then attach the storage device to a dedicated forensic workstation, using a write blocker.

After connecting the device to a live workstation, analyst should immediately calculate a cryptographic hash of the device contents and then use forensic tools to create a forensic image of the device: a bitwise copy of the data stored on the device

Analyst should then compute the cryptographic hash of that image to ensure that it is identical to the original media contents

24
Q

Write blocker

A

hardware adapters that physically sever the portion of the cable used to connect the storage device that would write data to the device, reducing the likelihood of accidental tampering

25
Q

in memory analysis

A

Can be difficult to work with memory without actually altering its contents

When gathering the contents of memory, analysts should use trusted tools to generate a memory dump file and place it on a forensically prepared device, such as a USB drive.

Should compute a cryptographic hash of the dump file to later prove its authenticity

26
Q

memory dump file

A

contains all contents collected from memory and may then be used for analysis

27
Q

tools for network analysis

A

When collecting data directly from a network during a live analysis, forensic technicians should use

a SPAN port on a switch (mirrors data sent to one or more other ports) or

a network tap (a hardware device that performs the same function as a SPAN port)

both these approaches generate packet dumps without actually altering the network traffic

when not possible, analyst must run a software protocol analyzer on one of the communicating systems, but this approach is not as reliable as using a dedicated hardware device

28
Q

NSRL

A

National Software Reference Library (NSRL) maintained by the National Institute of Standards and Technology includes the cryptographic hash values for over 130 million known applications, making it easier for forensic analysts to detect authentic and manipulated files

29
Q

Scientific Working Group on Digital Evidence

A

a consortium of forensic analysts led by the US FBI – produces detailed guidance on gathering digital evidence from many different sources

30
Q

Plain view seizure

A

law enforcement officer may seize evidence that is visible to the officer in plain view and where the officer has probable cause to believe that it is associated with criminal activity

31
Q

Interview vs interrogation

A

Interview = seek to gather information to assist with your investigations

Interrogations = suspect the person speaking of involvement in a crime and intend to use the information gathered in court

32
Q

data integrity and retention techniques

A

Do not purge log files once incident has been detected

Implement remote logging to protect integrity of files

Administrators can use digital signatures to prove that log files were not tampered with after their initial capture

33
Q

FBI’s InfraGard program

A

great way to establish technical contacts with law enforcement – provides a forum for law enforcement and business security professionals to share information in a closed environment

34
Q

LOIC

A

LOIC = Low Orbit Ion Cannon = tool used by hacktivists such as Anonymous and LulzSec to create large-scale DoS attacks

35
Q

ISC2 Code of Ethics Canons

A

Protect society, the common good, necessary public trust and confidence and the infrastructure

Act honourably, honestly, justly, responsibly and legally

Provide diligent and competent service to principals

Advance and protect the profession

36
Q

RFC 1087

A

Statement by the Internet Architecture Board (IAB) on “Ethics and the Internet” from January, 1989, listing purposes deemed unacceptable and unethical:

Seeks to gain unauthorized access to the resources of the internet

Disrupts the intended use of the internet

Wastes resources (people, capacity, computer) through such actions

Destroys the integrity of computer-based information

Compromises the privacy of users

37
Q

Ten Commandments of Computer Ethics from the Computer Ethics Institute – Thou shalt:

A

Not use a computer to harm other people

Not interfere with other people’s computer work

Not snoop around in other people’s computer files

Not use a computer to steal

Not use a computer to bear false witness

Not copy proprietary software for which you have not paid

Not use other people’s computer resources without authorization or proper compensation

Not appropriate other people’s intellectual output

Think about the social consequences of the program you are writing or the system you are designing

Always use a computer in ways that ensure consideration and respect for your fellow humans

38
Q

Code of Fair Information Practices, developed by a government advisory committee in 1973

A

There must be no personal data record-keeping systems whose very existence is secret

There must be a way for a person to find out what information about the person is in a record and how it is used

There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person’s consent

There must be a way for a person to correct or amend a record of identifiable information about the person

Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data