infosec

Cards (2014)

  • Digital evidence

    Information stored or transmitted in binary form that may be relied on in court
  • Digital evidence

    • E-mails
    • Digital photographs
    • ATM transaction logs
    • Word processing documents
    • Spreadsheets
    • Instant message histories
    • Internet browser histories
    • Files saved from accounting programs
    • Databases
    • Contents of computer memory
    • Computer backups
    • Computer printouts
    • Global Positioning System tracks
    • Logs from a hotel's electronic door locks
    • Digital video or audio files
  • Where digital evidence is found
    • Hard drives
    • Floppy drives
    • Zip disks
    • Jaz disks
    • Flash memory cards
    • Magnetic tapes
    • Cellular telephones
    • Personal Digital Assistants (PDA)
    • Any memory developed for the storage of electronic data or information
  • Types of potential digital evidence (by device)
    • Digital/Video Camera
      • Pictures
      • Videos
      • Files stored locally or on media card
    • Cell Phone
      • Text messages
      • Call logs
      • Applications used
      • Social media accounts
    • Computer/Laptop
      • Everything from all categories
      • Social media accounts
      • Internet search history
      • Documents
      • Email (non-web based)
    • Mobile Device
      • Applications used
      • Social media accounts
    • Game Consoles
      • Pictures
      • Videos
      • Documents
    • File Storage
      • Hard drive, thumb drive, optical media
    • Internet of Things (IoT)
      • Interactive Guide
    • Wearables
      • Location
      • Apps used
  • Rules of evidence

    • Admissible
    • Authentic
    • Complete
    • Reliable
    • Believable
  • Admissible
    The evidence must be preserved and gathered in such a way that it can be used in court or elsewhere
  • Authentic
    The evidence must be tied to the incident in a relevant way to prove something. The forensic examiner must be accountable for the origin of the evidence.
  • Complete
    When evidence is presented, it must be clear and complete and should reflect the whole story. It is not enough to collect evidence that just shows one perspective of the incident.
  • Reliable
    Evidence collected from the device must be reliable. This depends on the tools and methodology used. The techniques used and evidence collected must not cast doubt on the authenticity of the evidence.
  • Believable
    A forensic examiner must be able to explain, with clarity and conciseness, what processes they used and the way the integrity of the evidence was preserved. The evidence presented by the examiner must be clear, easy to understand, and believable by the jury.
  • Search
    A process conducted by authorized agents of the law going through part or all of an individual's property, looking for specific items that are related to a crime that they have reason to believe has been committed.
  • Seizure
    Officers take possession of items during the search.
  • Search and seizure is a procedure used in many civil law and common law legal systems by which police or other authorities and their agents, who, suspecting that a crime has been committed, commence a search of a person's property and confiscate any relevant evidence found in connection to the crime.
  • Section 2, Article III of the 1987 Constitution mandates that search and seizure must be carried out through or on the strength of a judicial warrant predicated upon the existence of a probable cause, absent which, such search and seizure becomes "unreasonable" within the meaning of the said constitutional provision.
  • Best practices for search and seizure of digital evidence
    • Secure the digital scene
    • Digital Photos
    • Logs
    • Identify and isolate digital devices
    • Photograph the digital scene
    • Document the digital scene
    • Collect and package digital evidence
    • Maintain chain of custody for digital evidence
  • Securing the digital scene
    Ensure physical security, limit network access, establish chain of custody protocols
  • Identifying and isolating digital devices

    Identify and document all relevant digital devices, protect from tampering or data integrity breach, create image or clone of original hard drive
  • Photographing the digital scene

    Capture photos of the computer/device, cords/cables, remote controls, keyboards, mice, other components, physical evidence around the computer/device, evidence labels
  • Documenting the digital scene

    Create digital photos and logs of the entire process
  • Collecting and packaging digital evidence

    Document the evidence-collection process, collect only what's necessary, package and label digital evidence properly and securely
  • Maintaining chain of custody for digital evidence

    Document the chronological transfer of possession of evidence from one person or entity to another
  • Handling digital evidence
    1. Document handling processes related to seizure and storage
    2. Maintain physical control over all evidence at all times
    3. Clearly document each stage in which possession changes
    4. Ensure headroom exists for additional data without compromising evidence integrity
    5. Maintain strict security protocols for access and storage locations
    6. Never alter original documents
  • Information
    Processed, organized and structured data that provides context for data and enables decision making
  • Data
    Collection of raw, unorganized facts and details like text, observations, figures, symbols, and descriptions of things
  • Data does not carry any specific purpose and has no significance by itself
  • Data is measured in terms of bits and bytes, which are the basic units of information in the context of computer storage and processing
  • Information states

    Processing, storage, transmission
  • Transmission
    Sending information or data from one place to another
  • Storage
    Process through which digital data is saved within a data storage device by means of computing technology
  • Processing
    Manipulation or transformation of letters, numbers or graphic symbols that constitute data
  • Data at rest

    Data that is stored or archived in physical or electronic storage devices
  • Vulnerabilities of data at rest

    • Devices containing unencrypted data being lost or stolen
    • Storing data in the cloud or on shared workstations without proper protection
  • Best practices to protect data at rest

    • Encrypt all drives and store selected files and folders in encrypted containers
    • Use access controls and authentication mechanisms to restrict unauthorized access
    • Store backups in secure locations to prevent data loss
  • Data in use

    Data that is actively being accessed or manipulated by users or applications
  • Vulnerabilities of data in use

    • Data is generally unencrypted and easily accessible
  • Best practices to protect data in use

    • Utilize robust user authentication measures
    • Implement protection techniques to protect sensitive data during processing
    • Regularly monitor and audit data access to identify potential security breaches
  • Data in transit

    Data that is in motion between different locations or networks
  • Vulnerabilities of data in transit

    • Increased risks of exposure to third parties that may compromise sensitive information
  • Best practices to protect data in transit

    • Use secure communication protocols like HTTPS or VPNs to encrypt data during transmission
    • Implement email encryption to protect sensitive information in transit
    • Consider using secure file transfer methods to maintain data confidentiality
  • Security services
    Services provided by a protocol layer to ensure adequate security of systems or data transfers