CISSP ch 19 Flashcards
EDRM
Electronic Discovery Reference Model – standard process for conducting eDiscovery:
Information governance
Identification
Preservation
Collection
Processing
Review
Analysis
Production
Presentation
Information governance (EDRM)
Ensures that information is well organized for future eDiscovery efforts
Identification (EDRM)
Locates the information that may be responsive to a discovery request when the organization believes that litigation is likely
Preservation (EDRM)
Ensures that potentially discoverable information is protected against alteration or deletion
Collection (EDRM)
Gathers the relevant information centrally for use in the eDiscovery process
Processing (EDRM)
Screens the collected information to perform a “rough cut” of irrelevant information, reducing the amount of information requiring a detailed screening
Review (EDRM)
Examines the remaining information to determine what information is relevant to the request and to remove any information protected by attorney-client privilege
Analysis (EDRM)
Performs deeper inspection of the content and context of remaining information
Production (EDRM)
Places the information into a format that may be shared with others and delivers it to other parties, such as opposing counsel
Presentation (EDRM)
Displays the information to witnesses, the court and other parties
Artifacts
items of evidence that you maintain and may use in court, may include physical devices, logs and data generated by those devices
NIST SP 800-86
National Institute of Standards and Technology’s Guide to Integrating Forensic Techniques into Incident Response
Admissible evidence
Relevant, material and competent
Evidence must be relevant to determining a fact;
Fact that the evidence seeks to determine must be material (i.e., related) to the case; AND
Evidence must be competent, meaning that it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
Real / object evidence
Things that may actually be brought into a court of law
Examples in criminal case: murder weapon, clothing or other physical objects
Examples in computer crime case: seized computer equipment, keyboard with fingerprints on it, hard drive from a malicious hacker’s computer system
Must be authenticated
Authentication of real/object evidence
Witness must identify an object as unique and unaltered
If not possible to identify an object as unique, chain of evidence / chain of custody must be established
Chain of evidence documents everyone who handles the evidence, including the police who originally collect it, the evidence technicians who process it and the lawyers who use it in court
Location of the evidence must be fully documented from the moment it was collected to the moment it appears in court
Requires thorough labelling of evidence and comprehensive logs, noting who had access to the evidence at specific times and the reasons they required such access
Each person who handles the evidence must sign the chain of custody log, indicating the time they took direct responsibility for the evidence and the time they handed it off to the next person in the chain of custody
Content of chain of custody label
General description of the evidence
Time and date the evidence was collected
Exact location the evidence was collected from
Name of the person collecting the evidence
Relevant circumstances surrounding the collection
Authentication of documentary evidence
E.g., if an attorney wants to introduce a computer log as evidence, they must bring a witness (e.g., a system administrator) into court to testify that the log was collected as a routine business practice and is indeed the actual log that the system collected
Parol evidence rule
When an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement
Business records exception to hearsay rule
Business records, such as the logs generated by a computer system, may be admitted as evidence if they were made at the time of the event by someone or something with direct knowledge, they were kept in the course of regular business activity, and keeping those records is a regular practice of the organization.
Business records can be authenticated / admitted by being accompanied by the testimony of an individual qualified to show that these criteria were met
Demonstrative evidence
Evidence used to support testimonial evidence
Consists of items that may or may not be admitted into evidence themselves but are used to help a witness explain a concept or clarify an issue
E.g., a diagram explaining the contents of a network packet or showing the process used to conduct a distributed denial of service attack
Admissibility of demonstrative evidence is a matter left to the trial court with the general principle that demonstrative evidence must assist the jury in understanding a case
IOCE
International Organization on Computer Evidence
IOCE principles
Principles to guide digital evidence technicians as they perform media analysis, network analysis and software analysis in the pursuit of forensically recovered evidence:
All general forensic and procedural principles must be applied
Upon seizing digital evidence, actions taken should not change that evidence
When it is necessary for a person to access original digital evidence, that person should be trained for this purpose
All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review
An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession
Any agency that is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles
Media analysis techniques
Recovery of deleted files from unallocated sectors of the physical disk
Live analysis of storage media connected to a computer system (especially useful when examining encrypted media)
Static analysis of forensic images of storage media
Should never access hard drives or other media from a live system. Should power off the system, remove the storage device and then attach the storage device to a dedicated forensic workstation, using a write blocker.
After connecting the device to a live workstation, analyst should immediately calculate a cryptographic hash of the device contents and then use forensic tools to create a forensic image of the device: a bitwise copy of the data stored on the device
Analyst should then compute the cryptographic hash of that image to ensure that it is identical to the original media contents
Write blocker
hardware adapters that physically sever the portion of the cable used to connect the storage device that would write data to the device, reducing the likelihood of accidental tampering
In-memory analysis
It can be difficult to work with memory without actually altering its contents
When gathering the contents of memory, analysts should use trusted tools to generate a memory dump file and place it on a forensically prepared device, such as a USB drive.
Should compute a cryptographic hash of the dump file to later prove its authenticity
memory dump file
contains all contents collected from memory and may then be used for analysis
tools for network analysis
When collecting data directly from a network during a live analysis, forensic technicians should use
a SPAN port on a switch (mirrors data sent to one or more other ports) or
a network tap (a hardware device that performs the same function as a SPAN port)
both these approaches generate packet dumps without actually altering the network traffic
when not possible, analyst must run a software protocol analyzer on one of the communicating systems, but this approach is not as reliable as using a dedicated hardware device
NSRL
National Software Reference Library (NSRL) maintained by the National Institute of Standards and Technology includes the cryptographic hash values for over 130 million known applications, making it easier for forensic analysts to detect authentic and manipulated files
Scientific Working Group on Digital Evidence
a consortium of forensic analysts led by the US FBI – produces detailed guidance on gathering digital evidence from many different sources
Plain view seizure
law enforcement officer may seize evidence that is visible to the officer in plain view and where the officer has probable cause to believe that it is associated with criminal activity
Interview vs interrogation
Interview = seek to gather information to assist with your investigations
Interrogations = suspect the person speaking of involvement in a crime and intend to use the information gathered in court
data integrity and retention techniques
Do not purge log files once incident has been detected
Implement remote logging to protect integrity of files
Administrators can use digital signatures to prove that log files were not tampered with after their initial capture
FBI’s InfraGard program
Great way to establish technical contacts with law enforcement – provides a forum for law enforcement and business security professionals to share information in a closed environment
LOIC
LOIC = Low Orbit Ion Cannon = tool used by hacktivists such as Anonymous and LulzSec to create large-scale DoS attacks
ISC2 Code of Ethics Canons
Protect society, the common good, necessary public trust and confidence and the infrastructure
Act honourably, honestly, justly, responsibly and legally
Provide diligent and competent service to principals
Advance and protect the profession
RFC 1087
Statement by the Internet Architecture Board (IAB) on “Ethics and the Internet” from January 1989, listing purposes deemed unacceptable and unethical. Any activity is unethical that:
Seeks to gain unauthorized access to the resources of the internet
Disrupts the intended use of the internet
Wastes resources (people, capacity, computer) through such actions
Destroys the integrity of computer-based information
Compromises the privacy of users
Ten Commandments of Computer Ethics from the Computer Ethics Institute – Thou shalt:
Not use a computer to harm other people
Not interfere with other people’s computer work
Not snoop around in other people’s computer files
Not use a computer to steal
Not use a computer to bear false witness
Not copy proprietary software for which you have not paid
Not use other people’s computer resources without authorization or proper compensation
Not appropriate other people’s intellectual output
Think about the social consequences of the program you are writing or the system you are designing
Always use a computer in ways that ensure consideration and respect for your fellow humans
Code of Fair Information Practices, developed by a government advisory committee in 1973
There must be no personal data record-keeping systems whose very existence is secret
There must be a way for a person to find out what information about the person is in a record and how it is used
There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person’s consent
There must be a way for a person to correct or amend a record of identifiable information about the person
Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent the misuses of the data