Domain 7. Chapter 19 Flashcards
(39 cards)
Chapter 19 Investigations and Ethics
1. Investigation Types
2. Evidence
3. Investigation Process
4. Major Categories of Computer Crime
5. (ISC)2 Code of Ethics
- Investigation Types
1.1 Administrative Investigations
Administrative investigations are internal investigations that examine either operational issues or violations of the organization’s policies. They may be conducted as part of a technical troubleshooting effort or in support of other administrative processes, such as human resources disciplinary procedures.
Root cause analysis seeks to identify the reason that an operational issue occurred. The root cause analysis often highlights issues that require remediation to prevent similar incidents in the future.
1.2 Criminal Investigations
Criminal investigations, typically conducted by law enforcement personnel, investigate the alleged violation of criminal law. Criminal investigations may result in charging suspects with a crime and the prosecution of those charges in criminal court.
Criminal cases use the beyond a reasonable doubt standard of evidence. Following this standard, the prosecution must demonstrate that the defendant committed the crime by presenting facts from which there are no other logical conclusions.
1.3 Civil Investigations
Civil investigations typically do not involve law enforcement but rather involve internal employees and outside consultants working on behalf of a legal team. They prepare the evidence necessary to present a case in civil court resolving a dispute between two parties.
Civil cases use the preponderance of the evidence standard. Meeting this standard simply requires that the evidence demonstrate that the outcome of the case is more likely than not.
1.4 Regulatory Investigations
Government agencies may conduct regulatory investigations when they believe that an individual or corporation has violated administrative law.
Regulators typically conduct these investigations with a standard of proof commensurate with the venue where they expect to try their case. Regulatory investigations vary widely in scope and procedure and are often conducted by government agents.
1.5 Industry Standards
Example: PCI DSS. These investigations do not involve government agencies.
Some regulatory investigations may not involve government agencies. These are based on industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS). These industry standards are not laws but are contractual obligations entered into by the participating organizations. In some cases, including PCI DSS, the organization may be required to submit to audits, assessments, and investigations conducted by an independent third party. Failure to participate in these investigations or negative investigation results may lead to fines or other sanctions. Therefore, investigations into violations of industry standards should be treated in a similar manner as regulatory investigations.
1.6 Electronic Discovery
In legal proceedings, each side has a duty to preserve evidence related to the case and, through the discovery process, share information with their adversary in the proceedings.
This discovery process applies to both paper records and electronic records, and the electronic discovery (or eDiscovery) process facilitates the processing of electronic information for disclosure.
The Electronic Discovery Reference Model (EDRM) describes a standard process for conducting eDiscovery with nine aspects:
- Information Governance. Ensures that information is well organized for future eDiscovery efforts.
- Identification. Locates the information that may be responsive to a discovery request when the organization believes that litigation is likely.
- Preservation. Ensures that potentially discoverable information is protected against alteration or deletion.
- Collection. Gathers the relevant information centrally for use in the eDiscovery process.
- Processing. Screens the collected information to perform a “rough cut” of irrelevant information, reducing the amount of information requiring detailed screening.
- Review. Examines the remaining information to determine what information is relevant to the request and removes any information protected by attorney-client privilege.
- Analysis. Performs deeper inspection of the content and context of remaining information.
- Production. Places the information into a format that may be shared with others and delivers it to other parties, such as opposing counsel.
- Presentation. Displays the information to witnesses, the court, and other parties.
- Evidence
To successfully prosecute a crime, the prosecuting attorneys must provide sufficient evidence to prove an individual’s guilt beyond a reasonable doubt.
Key topics: the requirements that evidence must meet before it is allowed in court, the various types of evidence that may be introduced, and the requirements for handling and documenting evidence.
Artifacts: the items you bring to court, such as physical devices (computers, mobile devices, and network devices), the logs and data generated by those devices, and many other forms of evidence.
2.1 Admissible Evidence
To be considered admissible evidence, it must meet all three of these requirements, as determined by a judge, prior to being discussed in open court:
- The evidence must be relevant to determining a fact.
- The fact that the evidence seeks to determine must be material (that is, related) to the case.
- The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
2.2 Types of Evidence
- Real Evidence
Examples: a keyboard with fingerprints on it or a hard drive from a malicious hacker’s computer system. Conclusive evidence (for example, DNA) is incontrovertible.
- Documentary Evidence. Any written items brought into court to prove a fact at hand.
To introduce a computer log as evidence, the party must bring a witness (for example, the system administrator) into court to testify that the log was collected as a routine business practice and is indeed the actual log that the system collected.
Two additional evidence rules apply specifically to documentary evidence:
* The best evidence rule - when a document is used as evidence in a court proceeding, the original document must be introduced.
* The parol evidence rule states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement.
- Testimonial Evidence is, quite simply, evidence consisting of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition.
Witnesses can offer direct evidence: oral testimony that proves or disproves a claim based on their own direct observation. An expert witness, by contrast, may offer an expert opinion based on the other facts presented and their personal knowledge of the field.
- Demonstrative Evidence is evidence used to support testimonial evidence. It consists of items that may or may not be admitted into evidence themselves but are used to help a witness explain a concept or clarify an issue. For example, demonstrative evidence might include a diagram explaining the contents of a network packet or showing the process used to conduct a distributed denial of service attack.
2.3 Artifacts, Evidence Collection, and Forensic Procedures
Collecting digital evidence is a tricky process and should be attempted only by professional forensic technicians.
The International Organization on Computer Evidence (IOCE) outlines six principles to guide digital evidence technicians as they perform media analysis, network analysis, and software analysis in the pursuit of forensically recovered evidence:
- When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
- Upon seizing digital evidence, actions taken should not change that evidence.
- When it is necessary for a person to access original digital evidence, that person should be trained for this purpose.
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
- An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
- Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
2.4 Types of Analysis
When analyzing digital evidence, it’s best to work with a copy of the actual evidence whenever possible.
2.4.1 Media Analysis
Media analysis, a branch of computer forensic analysis, involves the identification and extraction of information from storage media. This may include magnetic media (e.g., hard disks, tapes) or optical media (e.g., CDs, DVDs, Blu-ray discs).
1) Gather information from storage devices: recovery of deleted files from unallocated sectors of the physical disk, live analysis of storage media connected to a computer system (especially useful when examining encrypted media), and static analysis of forensic images of storage media.
2) Analysts should never access hard drives or other media from a live system. Instead, they should power off the system, remove the storage device, and attach it to a dedicated forensic workstation using a write blocker.
3) After connecting the device to the forensic workstation, the analyst should immediately calculate a cryptographic hash of the device contents and then use forensic tools to create a forensic image of the device.
4) The analyst should then compute the cryptographic hash of that image to ensure that it is identical to the original media contents.
5) After creating and verifying a forensic image, the original image file should be preserved as evidence. Analysts should create copies of that image (verifying the integrity of the hash) and then use those images for any analysis.
2.4.2 In-Memory Analysis
Investigators often wish to collect information from the memory of live systems. This is a tricky undertaking, since it can be difficult to work with memory without actually altering its contents. When gathering the contents of memory, analysts should use trusted tools to generate a memory dump file and place it on a forensically prepared device, such as a USB drive.
2.4.3 Network Analysis
Forensic investigators are also often interested in the activity that took place over the network during a security incident. This is often difficult to reconstruct due to the volatility of network data.
Network forensic analysis, therefore, often depends on either prior knowledge that an incident is under way or the use of preexisting security controls that log network activity. These include:
- Intrusion detection and prevention system logs
- Network flow data captured by a flow monitoring system
- Packet captures deliberately collected during an incident
- Logs from firewalls and other network security devices
After collecting network packets, they should be treated in the same manner as any other digital evidence. The tools creating the packet capture should write them to forensically prepared media. Analysts should compute cryptographic hashes of the original evidence files and work only with copies of those original files.
2.4.4 Software Analysis
Forensic analysts may also be called on to conduct forensic reviews of applications or the activity that takes place within a running application.
In other cases, forensic analysts may be asked to review and interpret the log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.
2.4.5 Hardware/Embedded Device Analysis
Finally, forensic analysts often must review the contents of hardware and embedded devices. This may include a review of:
- Personal computers
- Smartphones
- Tablet computers
- Embedded computers in cars, security systems, and other devices
- Investigation Process
3.1 Gathering Evidence
It is common to confiscate equipment, software, or data to perform a proper investigation.
1) First, the person who owns the evidence could voluntarily surrender it or grant consent to a search. This method is generally appropriate only when the attacker is not the owner. Few guilty parties willingly surrender evidence they know will incriminate them.
2) Second, you could get a court to issue a subpoena, or court order, that compels an individual or organization to surrender evidence, and then have the subpoena served by law enforcement.
3) Third, a law enforcement officer performing a legally permissible duty may seize evidence that is visible to the officer in plain view and where the officer has probable cause to believe that it is associated with criminal activity. This is known as the plain view doctrine.
4) The fourth option is a search warrant. This option should be used only when you must have access to evidence without tipping off the evidence’s owner or other personnel. You must have a strong suspicion with credible reasoning to convince a judge to pursue this course of action.
5) Finally, a law enforcement officer may collect evidence when exigent circumstances exist. This means that a reasonable person would believe that the evidence would be destroyed if not immediately collected or that another emergency exists, such as the risk of physical harm.
When conducting searches in the workplace, an important consideration is whether the employee has a reasonable expectation of privacy. Outside of government workplaces, most jurisdictions have laws or precedents that state that employees do not have an expectation of privacy under most workplace situations.
3.2 Calling in Law Enforcement
One of the first decisions that must be made in an investigation is whether law enforcement authorities should be called in.
Two major factors may cause a company to shy away from calling in the authorities.
1) The investigation will more than likely become public and may embarrass the company.
2) Law enforcement authorities are bound to conduct an investigation that complies with the Fourth Amendment and other legal requirements that may not apply if the organization conducted its own private investigation.
3.3 Conducting the Investigation
If you elect not to call in law enforcement, you should still attempt to abide by the principles of a sound investigation to ensure the accuracy and fairness of your inquiry. It is important to remember a few key principles:
- Never conduct your investigation on an actual system that was compromised. Take the system offline, make a backup, and use the backup to investigate the incident.
- Never attempt to “hack back” and avenge a crime. You may inadvertently attack an innocent third party and find yourself liable for computer crime charges.
- If in doubt, call in expert assistance. If you don’t want to call in law enforcement, contact a private investigations firm with specific experience in the field of computer security investigations.
3.4 Interviewing Individuals
During the course of an investigation, you may find it necessary to speak with individuals who might have information relevant to your investigation. If you seek only to gather information to assist with your investigation, this is called an interview. If you suspect the person of involvement in a crime and intend to use the information gathered in court, this is called an interrogation.
3.5 Data Integrity and Retention
No matter how persuasive evidence may be, it can be thrown out of court if you somehow alter it during the evidence collection process. Make sure you can prove that you maintained the integrity of all evidence.
Carefully consider the fate of log files or other possible evidence locations. A simple archiving policy can help ensure that key evidence is available upon demand no matter how long ago the incident occurred.
3.6 Reporting and Documenting Investigations
Every investigation you conduct should result in a final report that documents the goals of the investigation, the procedures followed, the evidence collected, and the final results of the investigation.
Preparing formal documentation is important because it lays the foundation for escalation and potential legal action. You may not know when an investigation begins (or even after it concludes) that it will be the subject of legal action, but you should prepare for that eventuality.
It’s a good idea to establish a relationship with your corporate legal personnel and the appropriate law enforcement agencies.
- Major Categories of Computer Crime
4.1 Military and Intelligence Attacks
Military and intelligence attacks are launched primarily to obtain secret and restricted information from law enforcement or military and technological research sources.
An attacker may be looking for the following kinds of information:
- Military descriptive information of any type, including deployment information, readiness information, and order of battle plans
- Secret intelligence gathered for military or law enforcement purposes
- Descriptions and storage locations of evidence obtained in a criminal investigation
- Any secret information that could be used in a later attack