Domain 7: Security Operations Flashcards
Evidence Types
- Real
- Demonstrative
- Documentary
- Testimonial
Real Evidence
Objects and things a jury can physically hold and inspect.
- To be used at trial, real evidence must be relevant, material, and authentic.
- MUST establish the item’s chain of custody.
Demonstrative Evidence
Usually charts and diagrams, to demonstrate or illustrate the testimony of a witness. It’s admissible when it fairly and accurately reflects the witness’s testimony and is more probative than prejudicial.
Documentary Evidence
The production of documents at trial is documentary evidence.
- There are restrictions and qualifications for using documents at trial as there is a need to make sure they are authentic and trustworthy.
Testimonial Evidence
It is simply a witness giving testimony under oath about the facts of the case.
Requirements for Admissibility of Evidence
- Accuracy – lacking errors
- Authenticity – undisputed origin
- Comprehensibility – paint as much of the picture as possible
- Convincing – certainty in conclusions
- Objective – what the evidence says, not what you say
- Admissible – for the court in question
Investigative Techniques
- Data capture – manual and automatic capture.
- Interviews – ideally from someone who was a witness to an incident or a person with first-hand knowledge of the incident.
- Interrogations – usually done by law enforcement following stringent rules.
- External requests – usually warrants and subpoenas.
Write Blockers and Image Drivers
Designed to allow examination or imaging of a storage device, typically a hard drive, without writing any data to the storage device, which would violate the integrity of the evidence.
Faraday Containers
Protects evidence from electromagnetic interference.
Digital Forensics: 6 Steps
- Define priorities
- Identify data sources
- Plan to collect data and execute
- Document and preserve integrity
- Look for hidden or erased data
- Perform analysis
Recovery time objective (RTO)
The amount of time after an incident or disaster that passes before the system or process is recovered using contingency procedures.
Recovery point objective (RPO)
The amount of data loss tolerable when a disaster occurs, usually expressed as a number of transactions or data points. RPO can also be expressed using time, like an RPO of no more than one day of data.
Test-Driven Development (TDD)
First a test is written, then it is run. If it fails, code is written or refactored as needed to make the test succeed; the ultimate goal is to ensure that all tests pass.
Maximum tolerable or allowable downtime (MTD or MAD)
The amount of time the organization can survive without an asset or process, after which the organization may no longer be viable. RTO should always be less than the MTD; otherwise, recovery is a moot point as the organization will cease to function before it occurs.
3-2-1 Backup Strategy
At least three copies of data should be kept: two stored locally or onsite, including the main copy of the data, and one copy stored offsite.