Security Operations: Examine Digital-forensics Activities Flashcards
What are the components of the digital-forensics process?
Legal hold
Chain of Custody
Acquisition
Reporting
Preservation
E-Discovery
What is legal hold?
Legal hold: A formal process, typically initiated by legal counsel when litigation or an investigation is reasonably anticipated, that requires electronic data and evidence to be preserved so they cannot be altered, deleted, or destroyed (for example, by routine retention-policy purges or user deletion) while the matter is pending.
What is Chain of Custody?
Chain of custody: A documented and unbroken record of the chronological handling, transfer, and control of digital evidence from the moment of collection to its presentation in court, ensuring its integrity and admissibility.
What is Acquisition?
Acquisition: The process of collecting, copying, or extracting data from digital devices or sources in a forensically sound and legally admissible manner for analysis and investigation, typically by creating a bit-for-bit image of the source and hashing it so that all analysis is performed on a verified copy rather than the original.
What is reporting?
Reporting: Producing a comprehensive, well-documented account of the digital investigation so that the analysis and its results are presented clearly and transparently and can be reproduced by another examiner. It should detail:
The methods used.
The findings.
The conclusions.
What is Preservation?
Preservation: The act of safeguarding digital evidence and maintaining its integrity to ensure that it remains unaltered and admissible for investigative and legal purposes. Examples include:
Write-protection mechanisms (for example, a hardware write blocker placed between the evidence drive and the imaging workstation) to prevent modification of the original data.
Secure storage in a physically controlled environment.
Hashing, which applies a cryptographic hash function (such as SHA-256) to the evidence at acquisition; recomputing the hash later and comparing it with the recorded value confirms that the data has not changed.
Legal compliance, which ensures all processes are followed according to legal requirements.
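The following is an added example, not part of the original flashcards, showing how hashing (Preservation) and a chain-of-custody log (Chain of Custody) fit together around an acquisition: the evidence is imaged, both the source and the image are hashed, every handling step is logged with the handler and a timestamp, and later verification recomputes the hashes against the acquisition record. The case and item identifiers, handler names, timestamps and the evidence bytes are all constructed for the demonstration; `ChainOfCustody` and its methods are hypothetical names, not a tool or API the page describes.

```python
"""Added example: hash-based integrity verification plus a chain-of-custody log.

Not code from the original flashcards. All identifiers, handlers, timestamps
and evidence bytes below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

# SHA-1 is recorded only because some evidence forms still ask for it;
# the integrity decision rests on SHA-256.
HASH_ALGORITHMS = ("sha256", "sha1")


def hash_bytes(data: bytes) -> dict[str, str]:
    """Return algorithm -> hex digest for the given evidence bytes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in HASH_ALGORITHMS}


class ChainOfCustody:
    """Append-only record of who handled an evidence item, when, and its hashes."""

    def __init__(self, case_id: str, item_id: str) -> None:
        self.case_id = case_id
        self.item_id = item_id
        self.acquisition_hashes: dict[str, str] | None = None
        self.entries: list[dict] = []

    def _log(self, action: str, handler: str, when: datetime, **details) -> None:
        self.entries.append({
            "case_id": self.case_id,
            "item_id": self.item_id,
            "action": action,
            "handler": handler,
            "timestamp": when.astimezone(timezone.utc).isoformat(),
            **details,
        })

    def acquire(self, source: bytes, handler: str, when: datetime) -> bytes:
        """Make a bit-for-bit copy of the source and hash both sides.

        Source and image are hashed independently; a mismatch means the
        acquisition itself was not forensically sound, so it is rejected.
        """
        image = bytes(source)  # stands in for the disk or memory image file
        image_hashes = hash_bytes(image)
        if hash_bytes(source) != image_hashes:
            raise RuntimeError("image does not match source; acquisition failed")
        self.acquisition_hashes = image_hashes
        self._log("acquired", handler, when, hashes=image_hashes, size=len(image))
        return image

    def transfer(self, from_handler: str, to_handler: str, when: datetime) -> None:
        """Record a hand-off so the custody record stays unbroken."""
        self._log("transferred", to_handler, when, released_by=from_handler)

    def verify(self, image: bytes, handler: str, when: datetime) -> bool:
        """Recompute the hashes and compare them with the acquisition record."""
        if self.acquisition_hashes is None:
            raise RuntimeError("no acquisition record to verify against")
        current = hash_bytes(image)
        intact = current == self.acquisition_hashes
        self._log("verified", handler, when, hashes=current, intact=intact)
        return intact

    def to_json(self) -> str:
        """Serialise the log, e.g. for inclusion in the final report."""
        return json.dumps(self.entries, indent=2, sort_keys=True)


# Constructed sample evidence: a made-up byte pattern, not a real disk image.
SAMPLE_SOURCE = b"MBR\x00" + bytes(range(256)) * 4 + b"\x55\xaa"


def demo() -> tuple[bool, bool, int]:
    """Acquire, transfer, verify, then tamper with the image and verify again."""
    coc = ChainOfCustody(case_id="CASE-0001", item_id="ITEM-01")  # constructed IDs
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)        # constructed time
    image = coc.acquire(SAMPLE_SOURCE, handler="examiner_a", when=t0)
    coc.transfer("examiner_a", "evidence_custodian", when=t0.replace(hour=11))
    intact_before = coc.verify(image, "evidence_custodian", when=t0.replace(hour=12))

    # Simulate a single-bit alteration of the stored image.
    tampered = bytearray(image)
    tampered[100] ^= 0x01
    intact_after = coc.verify(bytes(tampered), "examiner_b", when=t0.replace(hour=13))
    return intact_before, intact_after, len(coc.entries)


if __name__ == "__main__":
    before, after, count = demo()
    print(f"intact after transfer: {before}; after tampering: {after}; "
          f"log entries: {count}")
```

Running the block reports the image as intact after the hand-off and as altered after the one-bit change, with four log entries (acquired, transferred, verified, verified); the failed verification is itself logged rather than silently discarded, because the record of when integrity was lost is part of the chain of custody.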
What is E-discovery?
E-discovery: The process of identifying, collecting, and preserving electronically stored information (ESI) as potential evidence in legal cases or investigations. Examples include:
Emails.
Documents.
Databases.
SMS and MMS messages.
Instant messages (IMs).