Key Concepts 7.1 Understand and comply with investigations Flashcards

Domain 7 (38 cards)

1
Q

A crime involving a computer that violates a law or regulation. It can be an act against the computer itself, or the computer may have been used in the actual commission of a crime against another target.

A

Computer crime

2
Q
  • Military and intelligence attacks: These involve unauthorized access to government or
    military systems to steal classified information or disrupt critical infrastructure.
  • Business attacks: These attacks target companies to steal trade secrets, intellectual
    property, or customer data for financial gain or competitive advantage.
  • Financial attacks: These crimes focus on illegally accessing financial institutions or
    individual accounts to steal money or manipulate financial markets.
  • Terrorist attacks: Cybercriminals use digital means to spread propaganda, recruit
    members, or launch attacks on critical systems to cause widespread fear and disruption.
  • Grudge attacks: Disgruntled individuals, often insiders, target specific organizations or
    persons to exact revenge or cause damage due to personal grievances.
  • Thrill attacks: Motivated by the challenge or excitement, these attacks are conducted by
    individuals seeking to prove their skills or gain notoriety in hacking communities.
A

Types of Computer Crimes

3
Q

The process of identifying, preserving, collecting, processing, reviewing, and producing electronically stored information (ESI) in litigation. It is about gathering data and assessing its relevance to a request for production.

A

eDiscovery

4
Q

Involves the use of a forensic expert to protect data integrity and to copy, capture or recover the data stored on a device.

A

Digital Forensics

5
Q

The documented, unbroken record of how evidence was collected and handled. Proper evidence collection and handling are essential for ensuring the admissibility and integrity of evidence in legal proceedings.

A

Chain of Custody

6
Q

A detailed record of where the evidence was, who handled
it, and when, at every step from collection to final disposition.

A

Chronological documentation

7
Q

Ensuring that evidence is properly stored and protected from
tampering or contamination.

A

Preservation of evidence

8
Q

Recording every time the evidence changes hands, including the
reason for the transfer.

A

Transfer accountability

9
Q

Limiting and documenting who has access to the evidence.

A

Access control

10
Q

Proving that the evidence presented in court is the same evidence that was initially collected, without alteration.

A

Maintaining integrity
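Cards 5 to 10 describe what a chain of custody must record: where the evidence was, who held it, every hand-over and its reason, who was allowed near it, and proof that what is produced later is what was collected. The following Python is an added example and not part of the original flashcards: the evidence item, people, locations and timestamps are constructed, and the hash-chained ledger (each entry commits to the previous one, with the head hash meant to be copied onto the signed paper custody form) is one way of making a silent edit to the record detectable.

```python
"""Chain-of-custody ledger with integrity checks (added example; all data constructed)."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_entry_hash of the first ledger entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    when: str              # ISO-8601 UTC timestamp of the event (chronological documentation)
    action: str            # collected / transferred / accessed / verified
    custodian: str         # who holds the evidence after this event
    location: str          # where the evidence is after this event
    reason: str            # why the hand-over or access happened (transfer accountability)
    prev_entry_hash: str   # hash of the previous entry: chains the record together

    def entry_hash(self) -> str:
        # Canonical JSON so the hash does not depend on field order.
        return sha256_hex(json.dumps(self.__dict__, sort_keys=True).encode())


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str                          # SHA-256 taken when the item was collected
    authorized: set = field(default_factory=set)   # access-control list for this item
    events: list = field(default_factory=list)
    head: str = GENESIS                            # hash of the latest entry; record it out of band

    def append(self, action, custodian, location, reason, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        ev = CustodyEvent(when, action, custodian, location, reason, self.head)
        self.events.append(ev)
        self.head = ev.entry_hash()

    def collect(self, collector, location, reason, when=None):
        self.authorized.add(collector)
        self.append("collected", collector, location, reason, when)

    def transfer(self, to, location, reason, when=None):
        # Access control: only people on the list may take custody.
        if to not in self.authorized:
            raise PermissionError(f"{to} is not on the access list for {self.item_id}")
        self.append("transferred", to, location, reason, when)

    def verify_ledger(self) -> bool:
        """True if every entry still commits to its predecessor and the chain ends at `head`."""
        expected = GENESIS
        for ev in self.events:
            if ev.prev_entry_hash != expected:
                return False
            expected = ev.entry_hash()
        return expected == self.head

    def verify_integrity(self, current_bytes: bytes) -> bool:
        """True if the evidence presented now matches what was collected (card 10)."""
        return sha256_hex(current_bytes) == self.acquisition_hash


def build_sample_item():
    """Constructed evidence item with two custody events (no real case data)."""
    image = b"\x00" * 4096 + b"constructed disk image contents"
    item = EvidenceItem("EV-001", "Laptop SSD image", sha256_hex(image))
    item.authorized.add("analyst_b")
    item.collect("investigator_a", "Site A, office 3", "Seizure under warrant for case IR-42",
                 "2024-05-01T09:00:00+00:00")
    item.transfer("analyst_b", "Forensics lab, locker 7", "Handed over for analysis",
                  "2024-05-01T13:30:00+00:00")
    return item, image


def backdating_is_detected() -> bool:
    """Editing a past entry (here, backdating the hand-over) breaks the hash chain."""
    item, _ = build_sample_item()
    assert item.verify_ledger()
    item.events[1].when = "2024-05-01T08:00:00+00:00"
    return not item.verify_ledger()


if __name__ == "__main__":
    item, image = build_sample_item()
    print("ledger ok:", item.verify_ledger(), "evidence ok:", item.verify_integrity(image))
    print("tamper detected:", backdating_is_detected())
```

The hash chain only helps if `head` is written somewhere the ledger's keeper cannot quietly change, such as the signed evidence form or a separate log; otherwise a tamperer simply recomputes the chain.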

11
Q

When an individual willingly hands over evidence or property to
law enforcement without being compelled to do so. This method often occurs when a
person wants to cooperate with an investigation, and is generally the most desirable
circumstance.

A

Voluntary surrender

12
Q

The act of legally taking possession of items or property, typically by law enforcement officials, when those items are believed to be connected to criminal activity
or are illegal to possess.

A

Confiscation

13
Q

A legal document that orders a person or organization to provide specific documents, records, or physical evidence relevant to a legal proceeding or investigation. Failure to comply can result in legal consequences.

A

Subpoena

14
Q

A court-issued document that authorizes law enforcement to search a specific location for evidence related to a crime. It must be based on probable cause and typically describes the place to be searched and the items to be seized.

A

Search warrant

15
Q

The collection of evidence that is in plain view of law enforcement
officers during a lawful presence in an area. This method doesn’t require a warrant
if the evidence is clearly visible, and its criminal nature is immediately apparent.

A

Seizure of visible evidence

16
Q

The gathering of evidence without a warrant when there’s an urgent need to prevent the destruction of evidence, protect public safety,
or pursue a fleeing suspect. This method is used in emergency situations where obtaining
a warrant would be impractical or potentially dangerous.

A

Collection under exigent circumstances

17
Q

consists of actual objects that can be brought into the courtroom.

A

Real evidence

18
Q

consists of written documents that provide insight into the facts.

A

Documentary evidence

19
Q

consists of verbal or written statements made by witnesses.

A

Testimonial evidence

20
Q

The most reliable and original form of evidence available, typically
referring to original documents or items rather than copies or descriptions. In legal
contexts, it’s the highest quality evidence that can be presented to prove a fact

A

Best evidence

21
Q

Evidence that is not original or primary, such as copies of documents or testimony about the contents of a document when the original is not available.
It’s generally considered less reliable than best evidence but may be admissible when
best evidence cannot be obtained.

A

Secondary evidence

22
Q

Evidence that directly proves a fact (based on the five senses) without
requiring any inference or presumption. This often includes eyewitness testimony or
video recordings of an event.

A

Direct evidence

23
Q

Evidence that is so strong and convincing that it cannot be contradicted or overcome by other evidence. It establishes a fact with certainty and leaves no
room for doubt.

A

Conclusive evidence

24
Q

Evidence that relies on inference to connect it to a conclusion
of fact. It doesn’t directly prove a fact but allows a fact to be inferred. While often considered
weaker than direct evidence, strong circumstantial evidence can be very compelling in legal proceedings.

A

Circumstantial evidence

25
Q

Evidence that supports or reinforces other evidence already presented. It doesn't stand alone to prove a fact but strengthens the credibility of other evidence or testimony.

A

Corroborative evidence
26
Q

Testimony that is based on a witness's personal belief or judgment rather than on direct knowledge of facts. Witnesses may be expert or non-expert. Expert witnesses often provide opinion evidence based on their specialized knowledge or experience, and it carries greater weight than a non-expert's opinion.

A

Opinion evidence
27
Q

Testimony that is given by a witness who relates not what they know personally, but what others have said. It's generally considered less reliable and is often inadmissible in court, though there are numerous exceptions to this rule.

A

Hearsay evidence
28
Q

For evidence to be admissible in a court of law, it must be:
  • Relevant to a fact at issue in the case (the legal proceeding).
  • Material (related) to the case.
  • Competent, which means collected through legal means. Evidence obtained through an illegal act is generally inadmissible in court.

A

Admissibility of Evidence
29
Q

  • Documentation. Documenting all steps taken during the investigation process, including evidence collection and analysis.
  • Report creation. Creating detailed incident reports that include timelines, affected systems, and actions taken.
  • Secure storage. Securely storing and protecting investigation reports and documentation.
  • Stakeholder updates. Regularly updating stakeholders on the progress and findings of the investigation.

A

Reporting and documentation
30
Q

  • Interviews. Interviewing witnesses and stakeholders to gather information about the incident.
  • Data collection. Analyzing system logs, network traffic, and other data sources to identify indicators of compromise.
  • Forensic investigation. Conducting forensic analysis of affected systems to determine the scope and impact of the incident.
  • Collaboration with external parties. Collaborating with other teams and external parties as needed, such as law enforcement or external investigators assigned by a cyber insurer.

A

Investigative techniques
31
Q

  • Understanding the principles and best practices of digital forensics, including data acquisition, analysis, and reporting.
  • Familiarity with common digital forensic tools and techniques, such as disk imaging, file carving, and memory analysis.
  • Ensuring the admissibility and reliability of digital evidence through proper handling and documentation.
  • Staying current with emerging trends and challenges in digital forensics, such as encryption and cloud computing.

A

Digital forensics special skills and training
32
Q

The focus here is on maintaining the integrity of original evidence by working with copies and properly sealing originals. Use write-blockers to prevent accidental modification, create bit-for-bit copies, and calculate hash values to verify integrity. Store original evidence in anti-static bags in a secure, climate-controlled environment.

A

Evidence Preservation
33
Q

A specialized technique for investigating various devices, combining skills from both media and software analysis. Document the physical state of the device, photograph all connections before disconnecting, and consider the potential for anti-forensic measures like booby traps or remote wiping capabilities.

A

Hardware/Embedded Device Analysis
34
Q

This involves collecting and examining information from live system memory using trusted tools and working with verified copies of memory dumps. Perform it as quickly as possible after the incident to capture volatile data. Use validated tools and document the system's state (running processes, network connections) at the time of acquisition.

A

In-Memory Analysis
35
Q

A method of extracting information from various storage media by creating forensic images and analyzing copies while preserving the original. Use forensically sound tools to create images, verify the images with hash values, and analyze them in a controlled environment. Be aware of potential encryption, hidden partitions, or steganography that may conceal evidence.

A

Media Analysis
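Card 31 lists file carving among the techniques a forensic examiner is expected to know, and card 35 is where it is applied: recovering files from an image by their content rather than through file-system metadata, which also works on unallocated space and deleted files. The Python below is an added example, not part of the original flashcards: it carves JPEG and PNG objects out of a raw byte image by header and footer signature, reports an object whose footer is missing (partially overwritten) as truncated instead of dropping it, and hashes each carved object so it can be matched against a known-file or indicator hash set. The sample image and the embedded objects are constructed (structurally valid headers and footers, not real pictures).

```python
"""Header/footer file carving over a raw image (added example; the image is constructed)."""
import hashlib
from dataclasses import dataclass

# Signature table: kind -> (header, footer, maximum length to scan for a footer).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int        # byte offset in the image where the header was found
    data: bytes
    truncated: bool    # True when no footer was found within the size limit

    @property
    def length(self) -> int:
        return len(self.data)

    @property
    def sha256(self) -> str:
        # Hash each carved object so it can be checked against known-file or IOC hash sets.
        return hashlib.sha256(self.data).hexdigest()


def carve(image: bytes, signatures=SIGNATURES):
    """Return every object whose header appears in `image`, in offset order.

    Ignores file-system metadata entirely, so it also recovers objects from unallocated
    space. A header with no footer inside `max_len` is still reported, marked truncated,
    so the examiner can inspect a partially overwritten file rather than lose it.
    """
    found = []
    for kind, (header, footer, max_len) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_len)
            if end < 0:
                found.append(CarvedFile(kind, start, image[start:start + max_len], True))
                pos = start + len(header)
            else:
                end += len(footer)
                found.append(CarvedFile(kind, start, image[start:end], False))
                pos = end
    return sorted(found, key=lambda f: f.offset)


# Constructed sample objects: valid headers/footers around dummy payloads.
JPEG_BLOB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"constructed jpeg payload" + b"\xff\xd9"
PNG_BLOB = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00" + b"header only, footer overwritten"


def build_sample_image():
    """Filler pattern with the three objects embedded; returns (image, expected offsets)."""
    filler = bytes(range(256)) * 8   # contains none of the signatures above
    layout = [(None, filler[:1000]), ("jpg", JPEG_BLOB), (None, filler[:500]),
              ("png", PNG_BLOB), (None, filler[:300]), ("truncated_jpg", TRUNCATED_JPEG),
              (None, filler[:200])]
    image, offsets = b"", {}
    for label, part in layout:
        if label:
            offsets[label] = len(image)
        image += part
    return image, offsets


if __name__ == "__main__":
    sample, _ = build_sample_image()
    for f in carve(sample):
        print(f"{f.kind} @ {f.offset:#x} len={f.length} truncated={f.truncated} sha256={f.sha256}")
```

Real images need a footer-less strategy for formats without a trailer (raw text, many office formats) and a sanity check on internal length fields; the fixed `max_len` here is only a guard against scanning to the end of the disk for every orphaned header.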
36
Q

A technique for reconstructing network activity during incidents by utilizing pre-existing logs, captures, and monitoring data. When performing it, correlate data from multiple sources (e.g., firewall logs, IDS alerts, NetFlow data) to build a comprehensive picture. Be mindful of time synchronization across devices and potential log tampering.

A

Network Analysis
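Card 36 names the three things that make cross-source reconstruction hard in practice: sources in different time formats and zones, device clocks that drift, and logs that may have been tampered with. The Python below is an added example, not part of the original flashcards, that builds a timeline around one IDS alert from firewall logs, the alert itself and NetFlow records. All log lines, addresses (documentation ranges), the 120 s firewall clock skew and the missing sequence number are constructed for illustration; the skew value would in reality come from comparing the device clock against an NTP reference during collection.

```python
"""Cross-source timeline correlation with clock-skew correction and log-gap checks.

Added example; every record below is constructed (documentation address ranges),
not taken from a real incident.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Firewall logs in UTC. This firewall's clock was measured 120 s fast against the NTP
# reference during collection, so its timestamps are shifted back before correlation.
FIREWALL_LOG = """\
2024-05-01T14:03:07Z seq=1041 action=ALLOW src=10.1.1.25 dst=203.0.113.9 dport=443
2024-05-01T14:03:12Z seq=1042 action=ALLOW src=10.1.1.25 dst=203.0.113.9 dport=443
2024-05-01T14:03:20Z seq=1043 action=ALLOW src=10.1.1.30 dst=198.51.100.7 dport=80
2024-05-01T14:03:40Z seq=1045 action=DENY src=10.1.1.25 dst=203.0.113.9 dport=4444
2024-05-01T16:10:00Z seq=1046 action=ALLOW src=10.1.1.25 dst=203.0.113.9 dport=443
"""
# IDS alerts carry the sensor's local time with an explicit UTC offset.
IDS_ALERTS = """\
2024-05-01 09:01:10-05:00 sig="ET MALWARE Beacon Check-in" src=10.1.1.25 dst=203.0.113.9
"""
# NetFlow export: (flow start as UNIX epoch seconds, src, dst, dport, bytes).
NETFLOW = [
    (1714572067, "10.1.1.25", "203.0.113.9", 443, 18320),
    (1714572100, "10.1.1.25", "203.0.113.9", 4444, 512),
]
# Per-source correction measured against the reference clock (constructed values).
CLOCK_SKEW = {"firewall": timedelta(seconds=-120), "ids": timedelta(0), "netflow": timedelta(0)}


@dataclass
class Event:
    ts: datetime      # normalized to UTC and skew-corrected
    source: str
    src: str
    dst: str
    detail: str


FW_RE = re.compile(r"(\S+) seq=(\d+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")
IDS_RE = re.compile(r'(\S+ \S+) sig="([^"]+)" src=(\S+) dst=(\S+)')


def parse_firewall(text):
    """Returns (events, missing sequence numbers). Gaps hint at dropped or deleted records."""
    events, seqs = [], []
    for m in FW_RE.finditer(text):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ts += CLOCK_SKEW["firewall"]
        seqs.append(int(m.group(2)))
        events.append(Event(ts, "firewall", m.group(4), m.group(5),
                            f"{m.group(3)} dport={m.group(6)} seq={m.group(2)}"))
    present = set(seqs)
    missing = [s for s in range(min(seqs), max(seqs) + 1) if s not in present] if seqs else []
    return events, missing


def parse_ids(text):
    events = []
    for m in IDS_RE.finditer(text):
        ts = datetime.fromisoformat(m.group(1)).astimezone(timezone.utc) + CLOCK_SKEW["ids"]
        events.append(Event(ts, "ids", m.group(3), m.group(4), m.group(2)))
    return events


def parse_netflow(records):
    return [Event(datetime.fromtimestamp(start, tz=timezone.utc) + CLOCK_SKEW["netflow"],
                  "netflow", src, dst, f"dport={dport} bytes={nbytes}")
            for start, src, dst, dport, nbytes in records]


def correlate(events, anchor, window=timedelta(seconds=60)):
    """Events within +/- window of `anchor` involving the same pair of hosts, in time order."""
    pair = {anchor.src, anchor.dst}
    hits = [e for e in events if abs(e.ts - anchor.ts) <= window and {e.src, e.dst} == pair]
    return sorted(hits, key=lambda e: (e.ts, e.source))


def build_timeline():
    """Correlate all three sources around the IDS alert; returns (timeline, firewall seq gaps)."""
    fw_events, gaps = parse_firewall(FIREWALL_LOG)
    ids_events = parse_ids(IDS_ALERTS)
    everything = fw_events + ids_events + parse_netflow(NETFLOW)
    return correlate(everything, ids_events[0]), gaps


if __name__ == "__main__":
    timeline, gaps = build_timeline()
    for e in timeline:
        print(e.ts.isoformat(), e.source.ljust(8), e.src, "->", e.dst, e.detail)
    print("missing firewall sequence numbers:", gaps)
```

Without the skew correction the firewall entries would land two minutes after the alert and the NetFlow records, and an analyst might read the beacon as preceding the connection that carried it; the sequence gap (1044) is the kind of discontinuity worth raising before the firewall log is relied on as evidence.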
37
Q

If malicious activity is suspected, forensic analysis of applications, including their activities, and potentially examination of source code for potential security issues or malicious elements may be necessary to identify the presence of backdoors or other security vulnerabilities. When source code is not available, it may require dynamic testing in a controlled environment or reverse engineering to identify

A

Software Analysis
38
Q

Pieces of digital evidence that can provide valuable insights into a security incident. They are remnants of a security breach that may reveal the type of attack and the identity of the attacker. They are commonly found on computer systems (including their applications and web browsers), on various types of fixed and removable storage, and on mobile devices (e.g., smartphones and tablets).

A

Artifacts