Domain 7: Security Operations Flashcards
Evidence Types
- Real
- Demonstrative
- Documentary
- Testimonial
Real Evidence
Objects and things a jury can physically hold and inspect.
- To be used at trial, real evidence must be relevant, material, and authentic.
- MUST establish the item’s chain of custody.
Demonstrative Evidence
Usually charts and diagrams, to demonstrate or illustrate the testimony of a witness. It’s admissible when it fairly and accurately reflects the witness’s testimony and is more probative than prejudicial.
Documentary Evidence
The production of documents at trial is documentary evidence.
- There are restrictions and qualifications for using documents at trial as there is a need to make sure they are authentic and trustworthy.
Testimonial Evidence
It is simply a witness giving testimony under oath about the facts of the case.
Requirements for Admissibility of Evidence
- Accuracy - lacking errors
- Authenticity - undisputed origin
- Comprehensibility - paint as much of the picture as possible
- Convincing - certainty in conclusions
- Objective - what the evidence says, not what you say
- Admissible - for the court in question
Investigative Techniques
- Data capture - manual and automatic capture.
- Interviews - ideally from someone who was a witness to an incident or a person with first-hand knowledge of the incident.
- Interrogations - usually done by law enforcement following stringent rules.
- External requests - usually warrants and subpoenas.
Write Blockers and Image Drivers
Designed to allow examination or imaging of a storage device, typically a hard drive, without writing any data to the storage device, which would violate the integrity of the evidence.
Faraday Containers
Protect evidence from electromagnetic interference.
Digital Forensics: 6 Steps
- Define priorities
- Identify data sources
- Plan to collect data and execute
- Document and preserve integrity
- Look for hidden or erased data
- Perform analysis
Recovery time objective (RTO)
The amount of time after an incident or disaster that passes before the system or process is recovered using contingency procedures.
Recovery point objective (RPO)
The amount of data loss tolerable when a disaster occurs, usually expressed as a number of transactions or data points. RPO can also be expressed using time, like an RPO of no more than one day of data.
Test-Driven Development (TDD)
First a test is written, then it is run. If it fails, code is written or refactored as needed to make the test succeed; the ultimate goal is to ensure that all tests pass.
Maximum tolerable or allowable downtime (MTD or MAD)
The amount of time the organization can survive without an asset or process, after which the organization may no longer be viable. RTO should always be less than the MTD; otherwise, recovery is a moot point as the organization will cease to function before it occurs.
3-2-1 Backup Strategy
At least three copies of data should be kept: two stored locally or onsite, including the main copy of the data, and one copy stored offsite.
RAID (Redundant Array of Inexpensive Disks)
Pooling multiple disks, which may be cheaper than a single disk of equivalent size, to provide benefits of increased space, increased read/write speeds, data fault tolerance, or some combination of all three.
RAID 0
Striped disk array with no fault tolerance; the primary benefit is increased read/write performance.
RAID 1
Mirrored array that provides fault tolerance, but no read/write performance benefit.
RAID 5
Striping with a parity array, which increases read/write performance and provides fault tolerance.
RAID 0+1 and 1+0
Nested RAIDs that implement both functions of RAID 0 and 1 in different orders. 0+1 is a striped array of mirrors while 1+0 is a mirrored array of stripes. Both combine fault tolerance with increased performance.
Recovery Cold Site
An empty facility that must be provisioned with equipment and utilities before being useful, which takes time and does not support a short RTO, but it also does not incur the high costs of duplicate infrastructure before an incident.
Recovery Warm Site
Has some equipment but also requires some buildout.
Recovery Hot Site
The same infrastructure and data as the primary site, which is costly but useful for meeting a short RTO or RPO.
Cloud Bursting Recovery
A relatively new recovery strategy that utilizes cloud services temporarily in the event of a disaster.
Disaster Recovery Testing Methods (5)
- Read-through/Tabletop
- Walkthrough
- Simulation
- Parallel
- Full Interruption