Domain 7. Chapter 19 Flashcards

1
Q

Chapter 19 Investigations and Ethics
1. Investigation Types
2. Evidence
3. Investigation Process
4. Major Categories of Computer Crime
5. (ISC)2 Code of Ethics

A
2
Q
1. Investigation Types
1.1 Administrative Investigations
Administrative investigations are internal investigations that examine either operational issues or violations of the organization's policies. They may be conducted as part of a technical troubleshooting effort or in support of other administrative processes, such as human resources disciplinary procedures.
Root cause analysis seeks to identify the reason that an operational issue occurred. The root cause analysis often highlights issues that require remediation to prevent similar incidents in the future.
A
3
Q

1.2 Criminal Investigations
Criminal investigations, typically conducted by law enforcement personnel, investigate the alleged violation of criminal law. Criminal investigations may result in charging suspects with a crime and the prosecution of those charges in criminal court.

Criminal cases use the beyond a reasonable doubt standard of evidence. Under this standard, the prosecution must demonstrate that the defendant committed the crime by presenting facts from which there are no other logical conclusions.

A
4
Q

1.3 Civil Investigations
Civil investigations typically do not involve law enforcement but rather involve internal employees and outside consultants working on behalf of a legal team. They prepare the evidence necessary to present a case in civil court resolving a dispute between two parties.

Civil cases use the weaker preponderance of the evidence standard. Meeting this standard simply requires that the evidence demonstrate that the outcome of the case is more likely than not.

A
5
Q

1.4 Regulatory Investigations
Government agencies may conduct regulatory investigations when they believe that an individual or corporation has violated administrative law.
Regulators typically conduct these investigations with a standard of proof commensurate with the venue where they expect to try their case. Regulatory investigations vary widely in scope and procedure and are often conducted by government agents.

A
6
Q

1.5 Industry Standards
Some regulatory investigations may not involve government agencies. These are based on industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS). These industry standards are not laws but are contractual obligations entered into by the participating organizations. In some cases, including PCI DSS, the organization may be required to submit to audits, assessments, and investigations conducted by an independent third party. Failure to participate in these investigations or negative investigation results may lead to fines or other sanctions. Therefore, investigations into violations of industry standards should be treated in a similar manner as regulatory investigations.

A
7
Q

1.6 Electronic Discovery
In legal proceedings, each side has a duty to preserve evidence related to the case and, through the discovery process, share information with their adversary in the proceedings.
This discovery process applies to both paper records and electronic records, and the electronic discovery (or eDiscovery) process facilitates the processing of electronic information for disclosure.

The Electronic Discovery Reference Model (EDRM) describes a standard process for conducting eDiscovery with nine aspects:
- Information Governance. Ensures that information is well organized for future eDiscovery efforts.
- Identification. Locates the information that may be responsive to a discovery request when the organization believes that litigation is likely.
- Preservation. Ensures that potentially discoverable information is protected against alteration or deletion.
- Collection. Gathers the relevant information centrally for use in the eDiscovery process.
- Processing. Screens the collected information to perform a "rough cut" of irrelevant information, reducing the amount of information requiring detailed screening.
- Review. Examines the remaining information to determine what information is relevant to the request and removes any information protected by attorney-client privilege.
- Analysis. Performs deeper inspection of the content and context of remaining information.
- Production. Places the information into a format that may be shared with others and delivers it to other parties, such as opposing counsel.
- Presentation. Displays the information to witnesses, the court, and other parties.

A
8
Q
2. Evidence
To successfully prosecute a crime, the prosecuting attorneys must provide sufficient evidence to prove an individual's guilt beyond a reasonable doubt.
This section covers the requirements that evidence must meet before it is allowed in court, the various types of evidence that may be introduced, and the requirements for handling and documenting evidence.
Artifacts are the items an investigation produces for court: physical devices, such as computers, mobile devices, and network devices; the logs and data generated by those devices; and many other forms of evidence.
A
9
Q

2.1 Admissible Evidence
To be considered admissible, evidence must meet all three of these requirements, as determined by a judge, prior to being discussed in open court:
- The evidence must be relevant to determining a fact.
- The fact that the evidence seeks to determine must be material (that is, related) to the case.
- The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

A
10
Q

2.2 Types of Evidence
- Real Evidence
Real evidence consists of physical objects that can be brought into court, such as a keyboard with fingerprints on it or a hard drive from a malicious hacker's computer system. Real evidence may also be conclusive evidence, such as DNA, that is incontrovertible.
- Documentary Evidence
Any written items brought into court to prove a fact at hand. To introduce a computer log as evidence, the party offering it must bring a witness (for example, the system administrator) into court to testify that the log was collected as a routine business practice and is indeed the actual log that the system collected.

Two additional evidence rules apply specifically to documentary evidence:
* The best evidence rule states that when a document is used as evidence in a court proceeding, the original document must be introduced; copies or descriptions of the original are not accepted unless an exception to the rule applies.
* The parol evidence rule states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement.
- Testimonial Evidence
Testimonial evidence is, quite simply, evidence consisting of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition.
Witnesses can offer direct evidence: oral testimony that proves or disproves a claim based on their own direct observation. Most witnesses are limited to such factual observations. A witness the court has accepted as an expert in a field may also offer an expert opinion based on the other facts presented and their personal knowledge of the field.

  • Demonstrative Evidence Демонстративные доказательства is evidence used to support testimonial evidence. It consists of items that may or may not be admitted into evidence themselves but are used to help a witness explain a concept or clarify an issue. For example, demonstrative evidence might include a diagram explaining the contents of a network packet or showing the process used to conduct a distributed denial of service attack.
A
11
Q

2.3 Artifacts, Evidence Collection, and Forensic Procedures
Collecting digital evidence is a tricky process and should be attempted only by professional forensic technicians.
The International Organization on Computer Evidence (IOCE) outlines six principles to guide digital evidence technicians as they perform media analysis, network analysis, and software analysis in the pursuit of forensically recovered evidence:
- When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
- Upon seizing digital evidence, actions taken should not change that evidence.
- When it is necessary for a person to access original digital evidence, that person should be trained for this purpose.
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
- An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
- Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.

A
12
Q

2.4 Type of Analysis
Forensic analysis must not alter the evidence it examines. Therefore, when analyzing digital evidence, it's best to work with a verified copy of the actual evidence whenever possible, and the analysis techniques below are applied to such copies.

A
13
Q

2.4.1 Media Analysis
Media analysis, a branch of computer forensic analysis, involves the identification and extraction of information from storage media. This may include magnetic media (e.g., hard disks, tapes) or optical media (e.g., CDs, DVDs, Blu-ray discs).
1) Media analysis techniques include the recovery of deleted files from unallocated sectors of the physical disk, the live analysis of storage media connected to a running system (especially useful when examining encrypted media, whose contents become inaccessible once the system is powered off), and the static analysis of forensic images of storage media.
2) Except for that live-analysis case, analysts should never access hard drives or other media from a live system. Instead, they should first collect any volatile evidence they need (see in-memory analysis in 2.4.2), then power off the system, remove the storage device, and attach it to a dedicated forensic workstation through a write blocker, a device (usually hardware) that permits reads but prevents any write to the original media.
3) After connecting the device to the forensic workstation, the analyst should immediately calculate a cryptographic hash of the device contents and then use forensic tools to create a forensic image of the device.
4) The analyst should then compute the cryptographic hash of that image and confirm that it is identical to the hash of the original media contents; a mismatch means the image is not a faithful copy and must be documented and investigated.
5) After creating and verifying a forensic image, the original media and that image file should be preserved as evidence. Analysts should create working copies of the image, verify each copy's hash against the recorded value, and use only those copies for analysis.

A
14
Q

2.4.2 In-Memory Analysis
Investigators often wish to collect information from the memory of live systems. This is a tricky undertaking, since it can be difficult to work with memory without actually altering its contents. When gathering the contents of memory, analysts should use trusted tools to generate a memory dump file and place it on a forensically prepared device, such as a USB drive, never on the evidence system's own disk. Because memory contents are lost when the system is powered off, this collection must happen before the system is shut down for media analysis.

A
15
Q

2.4.3 Network Analysis
Forensic investigators are also often interested in the activity that took place over the network during a security incident. This is often difficult to reconstruct due to the volatility of network data.

Network forensic analysis, therefore, often depends on either prior knowledge that an incident is under way or the use of preexisting security controls that log network activity. These include:
- Intrusion detection and prevention system logs
- Network flow data captured by a flow monitoring system
- Packet captures deliberately collected during an incident
- Logs from firewalls and other network security devices

After collecting network packets, they should be treated in the same manner as any other digital evidence. The tools creating the packet capture should write them to forensically prepared media. Analysts should compute cryptographic hashes of the original evidence files and work only with copies of those original files.

A
16
Q

2.4.4 Software Analysis
Forensic analysts may also be called on to conduct forensic reviews of applications or the activity that takes place within a running application.
Analysts may also be asked to review and interpret the log files from application or database servers, seeking signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.
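A first-pass screen of web server access logs for SQL injection attempts, of the kind an analyst runs before reading the flagged lines by hand, as an added example that is not from the chapter or the textbook. The log lines are constructed for the example, the pattern list is illustrative rather than a complete rule set, and a match is a candidate for review, not proof of an attack.

```shell
#!/bin/sh
# Added example (not from the chapter): screen web server access log lines
# for SQL-injection-style requests during a software forensic review.
# The sample log below is constructed; the regex is illustrative only.

# Constructed sample: two normal requests and two injection attempts, one
# URL-encoded (%27 = ', %20 = space, %3D = =) and one using + for space.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /item?id=42 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /item?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9876
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /item?id=42+UNION+SELECT+username,password+FROM+users-- HTTP/1.1" 500 301
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "GET /about HTTP/1.1" 200 2048'

# Markers matched case-insensitively, with a space written as %20, + or a
# literal space: a quote followed by OR/AND, UNION SELECT, a SQL comment
# (-- or /*), and time-based probes (sleep( / benchmark().
SQLI_RE="(%27|')(%20|\+| )*(or|and)(%20|\+| )|union(%20|\+| )+select|--(%20|\+| )|/\*|sleep\(|benchmark\("

flag_sqli() {
    # Reads log lines on stdin and prints those matching SQLI_RE.
    grep -Ei -- "$SQLI_RE"
}

count_flagged() {
    # Number of lines in $1 (a multi-line string) that flag_sqli prints.
    printf '%s\n' "$1" | flag_sqli | wc -l | tr -d ' '
}

suspect_ips() {
    # Distinct client IPs (first field) behind the flagged lines, for the
    # report and for pivoting into flow, firewall and IDS logs.
    printf '%s\n' "$1" | flag_sqli | cut -d' ' -f1 | sort -u
}
```

On the sample, `count_flagged "$SAMPLE_LOG"` reports 2 and `suspect_ips` lists both client addresses. On a real log the flagged lines, the surrounding requests from the same client, and the database server's own logs are read together, because a 200 response with an unusually large body (as in the second sample line) is often the only sign that an injection returned data.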

A
17
Q

2.4.5 Hardware/Embedded Device Analysis
Finally, forensic analysts often must review the contents of hardware and embedded devices. This may include a review of:
- Personal computers
- Smartphones
- Tablet computers
- Embedded computers in cars, security systems, and other devices

A
18
Q
3. Investigation Process
3.1 Gathering Evidence
It is common to confiscate equipment, software, or data to perform a proper investigation. There are several ways to obtain that evidence:
1) First, the person who owns the evidence could voluntarily surrender it or grant consent to a search. This method is generally appropriate only when the attacker is not the owner. Few guilty parties willingly surrender evidence they know will incriminate them.
2) Second, you could get a court to issue a subpoena, or court order, that compels an individual or organization to surrender evidence, and then have the subpoena served by law enforcement.
3) Third, a law enforcement officer performing a legally permissible duty may seize evidence that is in the officer's plain view, where the officer has probable cause to believe that it is associated with criminal activity. This is known as the plain view doctrine.
4) The fourth option is a search warrant. This option should be used only when you must have access to evidence without tipping off the evidence's owner or other personnel. You must have a strong suspicion with credible reasoning to convince a judge to pursue this course of action.
5) Finally, a law enforcement officer may collect evidence when exigent circumstances exist. This means that a reasonable person would believe that the evidence would be destroyed if not immediately collected or that another emergency exists, such as the risk of physical harm.
When conducting searches in the workplace, an important consideration is whether the employee has a reasonable expectation of privacy. Outside of government workplaces, most jurisdictions have laws or precedents that state that employees do not have an expectation of privacy under most workplace situations.
A
19
Q

3.2 Calling in Law Enforcement
One of the first decisions that must be made in an investigation is whether law enforcement authorities should be called in.
Two major factors may cause a company to shy away from calling in the authorities:
1) The investigation will more than likely become public and may embarrass the company.
2) Law enforcement authorities are bound to conduct an investigation that complies with the Fourth Amendment (the U.S. constitutional protection against unreasonable searches and seizures) and other legal requirements that may not apply if the organization conducted its own private investigation.

A
20
Q

3.3 Conducting the Investigation
If you elect not to call in law enforcement, you should still attempt to abide by the principles of a sound investigation to ensure the accuracy and fairness of your inquiry. It is important to remember a few key principles:
- Never conduct your investigation on an actual system that was compromised. Take the system offline, make a forensic image of it (as described in 2.4.1), and use a verified copy of that image to investigate the incident.
- Never attempt to “hack back” and avenge a crime. You may inadvertently attack an innocent third party and find yourself liable for computer crime charges.
- If in doubt, call in expert assistance. If you don’t want to call in law enforcement, contact a private investigations firm with specific experience in the field of computer security investigations.

A
21
Q

3.4 Interviewing Individuals
During the course of an investigation, you may find it necessary to speak with individuals who might have information relevant to your investigation. If you seek only to gather information to assist with your investigation, this is called an interview. If you suspect the person of involvement in a crime and intend to use the information gathered in court, this is called an interrogation.

A
21
Q

3.5 Data Integrity and Retention
No matter how persuasive evidence may be, it can be thrown out of court if you somehow alter it during the evidence collection process. Make sure you can prove that you maintained the integrity of all evidence.
Carefully consider the fate of log files or other possible evidence locations. A simple archiving policy can help ensure that key evidence is available upon demand no matter how long ago the incident occurred.

A
22
Q

3.6 Reporting and Documenting Investigations
Every investigation you conduct should result in a final report that documents the goals of the investigation, the procedures followed, the evidence collected, and the final results of the investigation.
Preparing formal documentation is important because it lays the foundation for escalation and potential legal action. You may not know when an investigation begins (or even after it concludes) that it will be the subject of legal action, but you should prepare for that eventuality.
It’s a good idea to establish a relationship with your corporate legal personnel and the appropriate law enforcement agencies.

A
22
Q

4. Major Categories of Computer Crime
A computer crime is a crime (or violation of a law or regulation) that involves a computer. The crime could be against the computer, or the computer could have been used in the actual commission of the crime. Each of the categories of computer crimes represents the purpose of an attack and its intended result.
Any individual who violates one or more of your security policies is considered to be an attacker.

A
22
Q

4.1 Military and Intelligence Attacks
Military and intelligence attacks are launched primarily to obtain secret and restricted information from law enforcement or military and technological research sources.
An attacker may be looking for the following kinds of information:
- Military descriptive information of any type, including deployment information, readiness information, and order of battle plans
- Secret intelligence gathered for military or law enforcement purposes
- Descriptions and storage locations of evidence obtained in a criminal investigation
- Any secret information that could be used in a later attack

A
23
Q

4.2 Business Attacks
Business attacks focus on illegally jeopardizing the confidentiality, integrity, or availability of information and systems operated by a business.
A common example is the gathering of a competitor's confidential intellectual property, also called corporate espionage or industrial espionage.

A
24
Q

4.3 Financial attacks
Financial attacks are carried out to unlawfully obtain money or services. They are the type of computer crime you most commonly hear about in the news. The goal of a financial attack could be to steal credit card numbers, increase the balance in a bank account, or obtain fraudulent funds transfers.
Financial attacks may also take the form of cybercrime for hire, where the attacker engages in mercenary activity, conducting cyberattacks against targets for their clients.

A
25
Q

4.4 Terrorist Attacks
The purpose of a terrorist attack is to disrupt normal life and instill fear, whereas a military or intelligence attack is designed to extract secret information.
Possible targets of a computer terrorist attack could be systems that regulate power plants or control telecommunications or power distribution.

A
26
Q

4.5 Grudge Attacks
Grudge attacks are attacks that are carried out to damage an organization or a person. The damage could be in the loss of information or information processing capabilities or harm to the organization's or a person's reputation. The motivation behind a grudge attack is usually a feeling of resentment, and the attacker could be a current or former employee or someone who wishes ill will upon an organization.

A
27
Q

4.6 Thrill Attacks
Thrill attacks are the attacks launched only for the fun of it. Attackers who lack the ability to devise their own attacks will often download programs that do their work for them. These attackers are often called script kiddies because they run only other people’s programs, or scripts, to launch an attack.

A
28
Q

4.7 Hacktivists
Recently, the world has seen a rise in the field of “hacktivism.” These attackers, known as hacktivists (a combination of hacker and activist), often combine political motivations with the thrill of hacking.

A
29
Q
5. Ethics
Rules of ethics are the moral codes and rules of personal behavior that guide our day-to-day activities in any realm.
A
30
Q

5.1 Organizational Code of Ethics
Almost every organization has its own code of ethics that is published to employees to help guide their everyday work.
The U.S. government has a Code of Ethics for Government Service that is written into federal law.

A
31
Q

5.2 (ISC)2 Code of Ethics
The (ISC)2 Code of Ethics was developed to provide the basis for CISSP behavior.

Code of Ethics Preamble
The Code of Ethics preamble is as follows:

The safety and welfare of society and the common good, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.

A

32
Q

5.3 Code of Ethics Canons
1) Protect society, the common good, necessary public trust and confidence, and the infrastructure. Security professionals have great social responsibility. We are charged with the burden of ensuring that our actions benefit the common good.
2) Act honorably, honestly, justly, responsibly, and legally. Integrity is essential to the conduct of our duties. We cannot carry out our duties effectively if others within our organization, the security community, or the general public have doubts about the accuracy of the guidance we provide or the motives behind our actions.
3) Provide diligent and competent service to principals. Although we have responsibilities to society as a whole, we also have specific responsibilities to those who have hired us to protect their infrastructure. We must ensure that we are in a position to provide unbiased, competent service to our organization.
4) Advance and protect the profession. Our chosen profession changes on a continuous basis. As security professionals, we must ensure that our knowledge remains current and that we contribute our own knowledge to the community’s common body of knowledge.

A

33
Q

5.4 Code of Ethics Complaints
(ISC)2 members who encounter a potential violation of the Code of Ethics may report the possible violation to (ISC)2 for investigation by filing a formal ethics complaint.
Complaints are only accepted from those who believe they have been injured by the alleged behavior.

This personal injury provides standing to file a complaint and is determined based on the canon involved:

  • Any member of the general public may file a complaint involving canons I or II.
  • Only an employer or someone with a contracting relationship with the individual may file a complaint under canon III.
  • Other professionals may file a complaint under canon IV. It is important to note that this is not limited to cybersecurity professionals. Anyone who is certified or licensed as a professional and subscribes to a code of ethics as part of that licensure or certification is eligible to file a canon IV complaint.
A
34
Q

5.5 Ethics and the Internet
Internet Architecture Board (IAB)
RFC 1087 states that any activity with the following purposes is unacceptable and unethical:
- Seeks to gain unauthorized access to the resources of the internet
- Disrupts the intended use of the internet
- Wastes resources (people, capacity, computer) through such actions
- Destroys the integrity of computer-based information
- Compromises the privacy of users

A
35
Q

5.7 Ten Commandments of Computer Ethics
The Computer Ethics Institute created its own code of ethics.
The Ten Commandments of Computer Ethics are as follows:
- Thou shalt not use a computer to harm other people.
- Thou shalt not interfere with other people’s computer work.
- Thou shalt not snoop around in other people’s computer files.
- Thou shalt not use a computer to steal.
- Thou shalt not use a computer to bear false witness.
- Thou shalt not copy proprietary software for which you have not paid.
- Thou shalt not use other people’s computer resources without authorization or proper compensation.
- Thou shalt not appropriate other people’s intellectual output.
- Thou shalt think about the social consequences of the program you are writing or the system you are designing.
- Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

A

36
Q

5.7 Code of Fair Information Practices
Another formative document that guides many ethical decision-making efforts is the Code of Fair Information Practices, developed by a government advisory committee in 1973. This code outlines five principles for handling personal information in an ethical and responsible manner:
- There must be no personal data record-keeping systems whose very existence is secret.
- There must be a way for a person to find out what information about the person is in a record and how it is used.
- There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person’s consent.
- There must be a way for a person to correct or amend a record of identifiable information about the person.
- Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.

A
