CISSP ch 19 Flashcards
(38 cards)
EDRM
Electronic Discovery Reference Model – standard process for conducting eDiscovery:
Information governance
Identification
Preservation
Collection
Processing
Review
Analysis
Production
Presentation
Information governance (EDRM)
Ensures that information is well organized for future eDiscovery efforts
Identification (EDRM)
Locates the information that may be responsive to a discovery request when the organization believes that litigation is likely
Preservation (EDRM)
Ensures that potentially discoverable information is protected against alteration or deletion
Collection (EDRM)
Gathers the relevant information centrally for use in the eDiscovery process
Processing (EDRM)
Screens the collected information to perform a “rough cut” of irrelevant information, reducing the amount of information requiring a detailed screening
Review (EDRM)
Examines the remaining information to determine what information is relevant to the request and removes any information protected by attorney-client privilege
Analysis (EDRM)
Performs deeper inspection of the content and context of remaining information
Production (EDRM)
Places the information into a format that may be shared with others and delivers it to other parties, such as opposing counsel
Presentation (EDRM)
Displays the information to witnesses, the court and other parties
Artifacts
items of evidence that you maintain and may use in court, may include physical devices, logs and data generated by those devices
NIST SP 800-86
National Institute of Standards and Technology’s Guide to Integrating Forensic Techniques into Incident Response
Admissible evidence
Relevant, material and competent
Evidence must be relevant to determining a fact;
Fact that the evidence seeks to determine must be material (i.e., related) to the case; AND
Evidence must be competent, meaning that it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
Real / object evidence
Things that may actually be brought into a court of law
Examples in criminal case: murder weapon, clothing or other physical objects
Examples in computer crime case: seized computer equipment, keyboard with fingerprints on it, hard drive from a malicious hacker’s computer system
Must be authenticated
Authentication of real/object evidence
Witness must identify an object as unique and unaltered
If not possible to identify an object as unique, chain of evidence / chain of custody must be established
Chain of evidence documents everyone who handles the evidence, including the police who originally collect it, the evidence technicians who process it, and the lawyers who use it in court
Location of the evidence must be fully documented from the moment it was collected to the moment it appears in court
Requires thorough labelling of evidence and comprehensive logs, noting who had access to the evidence at specific times and the reasons they required such access
Each person who handles the evidence must sign the chain of custody log, indicating the time they took direct responsibility for the evidence and the time they handed it off to the next person in the chain of custody
Content of chain of custody label
General description of the evidence
Time and date the evidence was collected
Exact location the evidence was collected from
Name of the person collecting the evidence
Relevant circumstances surrounding the collection
Authentication of documentary evidence
E.g., if an attorney wants to introduce a computer log as evidence, they must bring a witness (e.g., a system administrator) into court to testify that the log was collected as a routine business practice and is indeed the actual log that the system collected
parol evidence rule
When an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement
business records exception to hearsay rule
Business records, such as the logs generated by a computer system, may be admitted as evidence if they were made at the time of the event by someone or something with direct knowledge, that they were kept in the course of regular business activity, and that keeping those records is a regular practice of the organization.
Business records can be authenticated / admitted by being accompanied by the testimony of an individual qualified to show that these criteria were met
demonstrative evidence
Evidence used to support testimonial evidence
Consists of items that may or may not be admitted into evidence themselves but are used to help a witness explain a concept or clarify an issue
E.g., a diagram explaining the contents of a network packet or showing the process used to conduct a distributed denial of service attack
Admissibility of demonstrative evidence is a matter left to the trial court with the general principle that demonstrative evidence must assist the jury in understanding a case
IOCE
International Organization on Computer Evidence
IOCE principles
Principles to guide digital evidence technicians as they perform media analysis, network analysis and software analysis in the pursuit of forensically recovered evidence:
All general forensic and procedural principles must be applied
Upon seizing digital evidence, actions taken should not change that evidence
When it is necessary for a person to access original digital evidence, that person should be trained for this purpose
All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review
An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession
Any agency that is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles
Media analysis techniques
Recovery of deleted files from unallocated sectors of the physical disk
Live analysis of storage media connected to a computer system (especially useful when examining encrypted media)
Static analysis of forensic images of storage media
Should never access hard drives or other media from a live system. Should power off the system, remove the storage device and then attach the storage device to a dedicated forensic workstation, using a write blocker.
After connecting the device to a live workstation, analyst should immediately calculate a cryptographic hash of the device contents and then use forensic tools to create a forensic image of the device: a bitwise copy of the data stored on the device
Analyst should then compute the cryptographic hash of that image to ensure that it is identical to the original media contents
Write blocker
hardware adapters that physically sever the portion of the cable used to connect the storage device that would write data to the device, reducing the likelihood of accidental tampering