CCT 208: Navigating Digital Evidence, Forensics, and Investigation Types for CISSP Success (Domain 1.6)

Jan 06, 2025
 

Unlock the secrets to mastering the CISSP exam with insights that could transform your cybersecurity career. Have you ever considered how failing to change a default router password could be your greatest vulnerability? Join me, Sean Gerber, as I guide you through the essential topics that every aspiring security professional needs to understand as we step into 2025. From administrative to regulatory investigations, this episode covers the diverse landscape of investigation types and underscores the importance of staying vigilant against cyber threats like man-in-the-middle attacks and DDoS attacks. 

In this episode, we unravel the complexities of digital evidence and the crucial role of e-discovery in legal proceedings. Learn about the Electronic Discovery Reference Model (EDRM) and how it serves as a cornerstone for managing electronic evidence. We dive into the nuances of maintaining evidence integrity, the legalities of digital forensics, and the critical importance of a robust data retention strategy. As we dissect computer crimes and their impacts, you'll gain a deeper appreciation for the challenges and intricacies involved in handling cybersecurity incidents.

Concluding with a rich discussion on ethical and legal investigation procedures, we highlight key regulatory frameworks such as GDPR and CCPA. Understand the importance of obtaining consent for monitoring and maintaining a chain of custody for evidence. With practical tips and resources, including those from ReduceCyberRisk.com, this episode equips you with the knowledge to not only pass the CISSP exam but to thrive in an ever-evolving cybersecurity landscape. Whether you're a seasoned professional or new to the field, you'll find valuable insights to bolster your defense against the relentless advance of cyber threats.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go cybersecurity knowledge.

Speaker 2:  

All right, let's get started. Hey, I'm Sean Gerber, with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. We are now into the new year and it is exciting, right? It's 2025. And so hope you all are getting ready. If you haven't made the commitment for this New Year's resolution to get your CISSP, now's the time to do it. Yeah, you can do it, I know you can.

Speaker 2:  

There's a lot of different options out there for you to get the training you need to pass the CISSP, and I highly recommend that you take a look at some of those. One, to help you get through the program, but two, also to help you get a better understanding around cybersecurity. So CISSP Cyber Training is designed specifically to help you pass the CISSP, but to also provide you some level of understanding around cybersecurity that you may or may not actually get out there in other programs and products. So today we are going to be talking about Domain 1.6, and this is Understanding Requirements for Investigation Types, and this deals with administrative, criminal, civil, regulatory and industrial standards that are tied to it. But before we do, we're going to get started with just one news article that I saw over the weekend that I thought you might be interested in. So this one is about a reality check for default passwords. I know a lot of the folks that listen to this podcast are folks that have a background in IT in some level or shape or manner, and this article came out from Security Intelligence around passwords being left at the default. Now, we've talked about this before on CISSP Cyber Training, but again, I'm going to keep reiterating this fact, because it is something that I used to use when I was on the red teams, and one thing that we promoted to our teams to use as well: when you went after default routers, what were their admin passwords? And there were a lot of different things out there online that you can look up to find the default password set aside for the specific router that you're looking for.

Speaker 2:  

Now I will tell you that newer routers have been having some level of protection. They usually have a password that is associated to the router itself, and it's usually underneath the device as well. So something to consider there is that if you're especially dealing with older routers that are within your systems, they probably still have the default password that was associated with them. Now, the survey said around 86% have never changed their router admin password, so that's something to consider. Most people just like to do the plug and play. They slap it in place, it's up and running, and they run away because they have other things to go do, and so that's an interesting part. And then the other statistic they had was that 52% have never adjusted any of the factory settings. So whatever it comes out of the box with is what you use. Again, most of the routers that are coming out now have a lot better protections built into them, but if you are an IT person who is focused on a network that may be using old legacy type equipment, you may want to go back and look at those. And here's a recommendation: don't try to do it all in one day, because we also know that when you're dealing with change management for these different systems, it's imperative that you have a plan in place, because if you don't, then you'll cause all kinds of chaos and pandemonium in your organization, and then you'll be looking for new employment, which we do not want.

Speaker 2:  

We don't want you to go out and try to find new employment. That would be unfortunate. We want you to keep the job that you have, unless you want new employment, so that's a possibility. But they talk about here, if these routers are compromised, obviously these are the main bullets you've understood when you're dealing with security: redirecting users to malicious web pages. That could happen if you have access to the router.

Speaker 2:  

Man-in-the-middle attacks, DDoS attacks, or actually monitoring IoT type devices, which I would say are becoming more and more of a factor because they are managing a lot more of the critical infrastructure within organizations. So I would go and check it out. What I would also do is, as you look at this overall plan, go and Google what your router is online and determine if your router's admin credentials are being exposed. So again, they talked about in here utilizing an EDR, or an endpoint detection and response solution, and integrating generative AI. I personally believe that if you can integrate generative AI into your systems, it will be a much better solution long term, and I know there's a lot of people working through that, trying to figure that problem out. Operational technology and IoT technology environments, you want to make sure that you are watching those and paying attention to those. I would say those are some of the biggest issues that I've seen that will continue to grow, and will probably be some of the biggest impacts to organizations, is the OT/IoT environments.

Speaker 2:  

So again, check your passwords. A lot of them are admin and they have 123, 123456, all those kind of fun things. So check out the article. It's a really good article. It kind of talks about what you should consider and some of the statistics that you have. Also, one thing I like to do is use these articles, and this is a little bit of a hack on how to use these capabilities when you go and look and you're researching this. So one of the reasons I bring this up in CISSP Cyber Training is not to just bore you with details. It's to utilize these articles in ways that will help you get what you want, and what I mean by that is, take the statistics that are in here and build those into a case that you're going to bring forward to your senior leadership around buying some new equipment. Bring in these different statistics: around 15 percent of it, or I should say, around the password aspects, they haven't been changed; 87%, 48% of the respondents have not adjusted their router settings. You can say I've got a lot of old, outdated equipment. We need to update this equipment. Here's this article with a lot of different statistics, and then this is what we do to help minimize the risk to your organization. So utilize some of these articles in ways to help you get what you want. And the goal is not to manipulate people, right? That's not the point. The point is to use these types of statistics to help your senior leaders make better educated decisions, and having this kind of data given to them will really make them feel much more secure in making these decisions. So it's up to you, as a security professional, to use all the tools in your tool chest to be able to help you get the ends that you're looking to achieve.

Speaker 2:  

Okay, so let's roll into what we're going to talk about today. So, Domain 1.6, Understanding Requirements for Investigation Types. This is administrative, criminal, civil, regulatory and industrial standards. So we're going to go through a lot of different things about this as it relates to the overall ISC2 CISSP documentation that's in the book. Now, some key questions to also talk about through this: I noticed this big topic at the beginning is Domain 7.1. A lot of the things I'm going to talk about here are also covered, with additional details, in 7.1. So as you're studying through this, always go back and look at 7.1 to look for more context around this information.

Speaker 2:  

So now the point of all this is that you are going to incur a security incident at some point in time which is going to require some level of investigation, and in most cases it will be brief, right, without the need for law enforcement. So the point is, bringing law enforcement into an investigation, you may or may not want to. I will tell you law enforcement probably won't be able to help you a whole lot with what you're trying to accomplish, unless you're a very large enterprise and you have very deep pockets. Law enforcement is only looking at this from a criminal activity standpoint. They're not looking forward to trying to help you with this case. So if you're dealing with the FBI or your local law enforcement, just keep in mind they're not there to help you. They're there to look for a criminal investigation and then they're going to move on. So most severe cases will require maybe a formal inquiry to be done. We've been highlighting on CISSP Cyber Training numerous times that there's various levels of inquiry that may have to occur, as well as this may take a lot of time to complete. So keep this in mind: once you get the breach done and you get that whole process completed, you may need to have additional work done to try to help clean all this mess up and to build in your governance, all of those pieces that go along with it. You're going to understand formal procedures that need to be followed and maintained once this occurs, and then failure of doing these could also violate the civil rights of individuals being investigated, as we look at individual investigations.

Speaker 2:  

So now there's different types of investigations. You have an administrative investigation, criminal, civil and regulatory investigations. Now, each of these are different and they each have a different spin, and you will have to know when to do an investigation, when not to do an investigation, and on what type of person and what type of situation. So an administrative investigation, this is an internal process, right? This is the investigation that will examine operational issues or internal processes that are in place. So, for example, you may have an internal process on moving money so that you can transfer money from one account to the next or send money to your vendors. There may be something that happens that maybe is inappropriate. That would be an internal investigation to understand what is the process behind it, what are the operational issues behind it. Now, that may lead into another type of investigation as you move forward, but at a minimum you would have an internal investigation set up. Now, this could be part of your overall technical and troubleshooting exercise, trying to figure out what broke, what didn't break, how did this all occur? This could be part of this overall plan.

Speaker 2:  

You most likely will need to have support of HR, potentially, or potentially even disciplinary actions on an employee. Now I would recommend you bring in HR at the beginning of this whole investigative process. The reason is because you don't know where it's going to take you. You may think it just starts with IT and you're digging into IT, but if there's people involved within that IT system, there is a possibility you could be calling and tapping HR on the shoulder saying, hey, we have a problem here. And it's better to give them a heads up prior to "hey, we have a problem" than it is to just pop it on them, because then they start asking a lot of deep questions that you have to then slow down to try to answer, and if you have an ongoing investigation, you may not want to slow down specifically for that reason.

Speaker 2:  

Now there's operational aspects that may require significant documentation. This is where resolving the issue should be your primary concern, and then after that, you want to understand the root cause analysis aspect of it and then document that and ensure that you have something built for the situation. Then, from there, you also want to understand what could have occurred. One example I have is bandwidth usage spikes. Now, this is where an employee uses company devices, for example, for cryptocurrency, right? So if they use an AWS cloud environment, they may have the ability to spool up multiple instances within that AWS environment. Then, all of a sudden, you see massive bandwidth spikes and then, potentially, you're seeing some cost to your organization from this bandwidth spike and from the ability for this individual to add more computing devices.

Speaker 2:  

You may have a situation where that's an internal investigation: one, it's technical, but two, there is an employee involved. Now some key concepts. Again, admin investigations that are not operational may require more evidence, and what that basically means is that if you're going to be focusing on an individual specifically, beyond what the root cause analysis is for in the example before of the cryptocurrency piece, you're going to want to have some more evidence that, hey, Bill has been doing this on his own, outside of work or outside the purview of his supervisors. Keep in mind, the moment you start going down this path as well, you're going to start running into supervisors who may not have been doing a good job watching Bill, and so now you're going to get a lot of people getting very concerned, and rightfully so, so it gets very sensitive, very touchy. You want to make sure HR is involved and included in all discussions. Security will work closely with your sponsor.

Speaker 2:  

Obviously, compliance and legal during these investigations, and usually the administrative investigations are some of the more lenient standards, right? The reason I say that is I've had many times where I've dealt with employees that have done things that have been maybe not the most appropriate, and so what ends up happening is you talk to them and the inappropriate activity then tends to stop, or at least migrate to some place where I wasn't watching. The point of this is that it's usually the most lenient, in regards to because it's all internal, it's administrative. You may or may not deal with the individual and you may or may not want to actually target the individual. Not target, it's not the right word. Focus your attention on the individual. But one of the things you'll want to deal with, though, is if you are dealing with employees, depending upon their location, it could become a bigger issue, i.e., Europe. You have to have different types of evidence. You have to have other people involved. Investigations that I've had within Europe, I've had to bring in the local HR person within Europe and then work very specifically and closely with them. I've also had a European IT person involved in that discussion as well, just to make sure that all the evidence that I'm sharing is tied to that specific European IT location. So, again, it's becoming a bigger issue, especially in Europe, so it's something to consider there.

Speaker 2:  

Now, criminal investigations. This gets to be a little bit more dicey, a little bit more spicy. Dicey and spicy, that's a fun combination, but the key concept around this is these are typically conducted by law enforcement. Now, they may pull some of your people in to help, depending upon what kind of capabilities law enforcement has, but they usually have the right people involved. FBI, your local law enforcement, may have enough IT individuals to help you with the investigation. Now, this may result in charging people with a crime or prosecution. And then one thing is we're getting into more new hacking laws. These can carry significant fines, or basically jail or other activities, depending upon what they have done.

Speaker 2:  

Now this must meet the beyond reasonable doubt standard of evidence. So consider that when you're talking CISSP: it must meet the beyond reasonable doubt standard. That's going to be a differentiator between the administrative and other types of investigations. The defendant that committed the crime must be presented the facts, and then again they must meet the beyond reasonable doubt criteria. There is a very specific way in which you're going to collect the evidence and preserve this data, and so the goal is that if any of the data is potentially tainted, where it was not collected in the most proper way, they did not file chain of custody, if you can prove that, then that evidence can be thrown out, and if that evidence is no longer valid, it could impact your case. So you need to have very strict collection activities done. Now, you may or may not do this with your senior leaders or with the law enforcement folks. Ideally, you'd want to have law enforcement involved, but if not, you need to understand, as a security professional, what are some of the steps that you're going to need to do to make sure that you preserve this information for potential criminal prosecution. So, again, going forward, if anything happens like this, first you've got to mitigate the problem. Once you mitigate the problem, consider it an investigation, and then, if law enforcement doesn't come in, you need to make sure that you understand how you're going to maintain and create and save this evidence in the event that it could be used for criminal prosecution.

Speaker 2:  

Civil investigations. Now there's some key concepts around the civil investigations. They, one, do not involve law enforcement. This is something between an individual and another individual, so they are a civil investigation. This may involve internal employees and potentially outside consultants. It can involve any of those folks. Now, when you really are dealing with this, you may use employees and third parties to help you build the case that you're creating for your legal team, and this evidence must be presented in a civil case between the two parties, usually in front of a judge, and that's where this would end up going.

Speaker 2:  

So, in a civil case, like today, if you have something that's not cyber related, you have a situation where you're driving down the road and you run over your neighbor's mailbox. Well, actually the mailbox is probably not a good idea because I think that's a felony. But let's go: you are driving on your neighbor's yard and you leave a bunch of divots in your neighbor's yard. Your neighbor then turns around and says I'm going to sue you in civil court. So they come after you and you have a conversation in civil court saying, yes, he drove over my yard. I want compensation in damages because of whatever he made, left divots. I've got moral... I've got some psychological challenges now because you rolled over my yard. Yada, yada, yada, yada. You know what I'm talking about.

Speaker 2:  

The point of it is that is a civil case between two parties. If you have this working in the cyber world, you may have a situation where somebody, I've seen in Europe, where in places you're allowed to have the ability to view porn. I don't know if that's the case now, but this is one of the cases I ran into, and the next door cube mate said I don't like that, it's offending me, and so the person decided to go and do a civil case against another individual, caused a lot of issues and drama which didn't need to happen. It's just, don't watch your porn at work. If that is something you choose, don't do it at work.

Speaker 2:  

The point of it, then, is that is a civil case, which uses a preponderance of evidence standard. So this means that you must have a lot of evidence, you must have the preponderance of evidence, but it is not something that is beyond a reasonable doubt, and that is in the civil investigations piece, and this evidence collection is not nearly as rigorous as a criminal investigation. So evidence collection for civil investigations, that's a lot of investigations. I'm saying that word a lot. It isn't as rigorous as a criminal situation. So I'm really just butchering the dickens out of that. But bottom line is civil is less than criminal and you don't need beyond a reasonable doubt. Regulatory investigations. Now these are done by government agencies and they may complete this investigation.

Speaker 2:  

I've dealt with these in numerous cases with the United States government, and they will involve a situation where maybe an individual or corporation violated some level of administrative law. They are very long, protracted, and proactive or protracted kind of situations. They go on for quite a while and they can be very consuming with resources. You want to make sure that you are prepared. This is why, as a security professional, you must understand the regulatory requirements of your organization. So in a previous life, I dealt with the US Coast Guard, and this... we didn't get investigated by anybody in that regard, but the point was I had to meet certain criteria to meet what the Coast Guard is looking for from a cybersecurity standpoint, and to do that, you have just a certain level of checkboxes and you have to meet with auditors around it.

Speaker 2:  

The ultimate goal, though, is that I was prepared for that situation. If you're not prepared for that, it's highly likely you will get investigated by the government entity, and it will take a long time and it will take a lot of resources from your people, to financial aspects, especially related to legal, if you have to bring in outside counsel. So again, they can vary widely in scope and procedure, and they can be conducted by pretty much anybody: EPA, OSHA, you name it. They can come and do it, and that's just part of living in the country you live in. Now, as you're listening to this, maybe in Australia or the UK, they have their same level of regulatory requirements in each of those specific locations.

Speaker 2:  

I will say that even Australia, from a cyber standpoint, has a little bit stricter regulations than the United States does, so you just need to be aware of those when you're going to take the CISSP test. I mean, that's great, you pass the test, but you really need to understand this content beyond just passing the test, and I'm just going to go off on a little bit of a diatribe. I see some people passing the test on LinkedIn, which is awesome, super excited for them, but they go, well, I studied for one hour and 22 minutes and I passed the test. I mean, some people know how to take tests well, but bottom line is that you need to understand the content, because just taking the test is not going to help you. You need to be involved with understanding what you're going to need.

Speaker 2:  

All these different aspects. Now, this may not involve all government agencies. You may have situations where there's a third party that's doing this investigation on behalf of a government agency, but they're looking for the fact that you meet obligations based on contractual agreements or on industry standards that may be out there, such as PCI DSS. The ultimate goal, though, is that the regulatory aspects will cost you a lot of money and they will take a lot of time. So make sure that you're doing them correctly, so that if and when they do show up, you can present to them all the information they need, and that way they go away and they're happy. I don't mean... you understand what I'm saying. I'm saying that you want to make sure you meet all regulatory requirements that are out there. You want to meet or exceed those. I recommend exceeding, where possible, those regulatory requirements that are out there. But you want to make sure that you have a plan in place so that when they do show up, which they will if you have any sort of government interaction available, you are properly prepared to hand them over the information they need so that they can go on and investigate somebody else. That's just how it rolls.

Speaker 2:  

Now, electronic discovery, what exactly is that? So this is where each side has a duty to preserve the evidence related to the case. Now, we talked about this a little bit earlier, that if you're dealing with some sort of case and you have chain of custody, you're going to want to maintain and keep that information. Now this discovery can be done both in paper and electronic forms. In the event of a legal hold, you're going to have people tap you on the shoulder and say you need to hold information, both from a physical paper standpoint and an electronic standpoint, and this means you're going to have to set aside specific content that you had engaged with as it relates to the situation that is at hand. So if you have an investigation that's going on with an individual and they say you need to make your own legal hold, any correspondence you had with this individual, to include paper and/or electronic, would need to be held in reserve, and you would hold that in reserve until your legal folks tell you that you can let it go. Not do that ice thing, "Let It Go." It's a song. No, you can actually delete it. That's the point.

Speaker 2:  

So, Electronic Discovery Reference Model, this is EDRM. This describes the standard process for e-discovery, and I'm not going to go into each of these. You can see this on the video, but I'll just kind of overlay them a little bit. So, information governance: you need to make sure that you have a well-organized e-discovery process. You have identification: this locates the information where the information is to be discovered. It says you have a special space set aside for it. Preservation: this ensures potentially discoverable information is protected against alteration. Do you have the server set aside in its own specific room so that nobody can tamper with it? Collection: you have a plan to gather the relevant information.

Speaker 2:  

There's processing: this is where you screen the data for the rough cut of irrelevant information. This is where you go through the first pass. Is there anything in here not worth keeping? Review: this examines the remaining information for relevancy. Analysis performs a deeper inspection. Again, this is where you're digging deeper into that system to make sure that it's all there, that you have the information you need. Production: this places the information into a format used for sharing, and then the last thing is presentation: this displays the information to the witness and the court and potentially to other parties. So, this entire process around the EDRM model, this is the Electronic Discovery Reference Model, and this is the standard used for e-discovery. So they may ask you questions around this. What is the processing part of e-discovery? And that would be: it screens data for a rough cut of irrelevant information. So you want to go through each of these steps and figure out if you can remember how, in your mind, it would be something for you to easily deal with. The ultimate goal, though, is if you have to guess, just think through each of these on what would be the best if you were in their shoes. If you were in an investigator's shoes, what would review mean? Well, that would mean I'd want to probably look at it. Presentation means I'd want to go and present it to the people that are involved. Production means it's ready to go, I'm ready to present it to people. So just kind of think about how you would deploy this when you're studying for the CISSP. Evidence.

Speaker 2:  

Now, there's some key evidence around this. Prosecuting attorneys must provide sufficient evidence to prove guilt. Now, again, this is an important part that they have to have, and they have to provide that to show that, yes, you've been doing things inappropriately, and why were you doing those inappropriately? I had an instance where an individual decided to put logic bombs within an organization. We had to prove that this person actually placed these logic bombs within the company, and then, because of doing that, you had to present that to both legal counsel and to the individuals that are the judge and everyone else that's involved in this. These items of evidence that may potentially be used in court are called what they call artifacts.

Speaker 2:  

Now, admissible evidence. There are three basic requirements to consider something admissible. So, if you're watching a legal show on TV, you have to have these three requirements. One is it's relevant to determining a fact, that the individual did something. The fact must be material to the case. Okay, so whatever they did or whatever occurred must be material to the case. This individual transferring his resume to his USB stick may or may not be relevant to the case, unless the USB stick was used in conjunction with stealing a bunch of data. Then it might be. Means: you can't just go out and say, hey, Bill, send me this email that Bob just did. You can't do that. That has to be done through legal means to prove the fact that this wasn't recreated. You're not on a fishing expedition. You must be able to provide this information by competent and legally obtained means.

Speaker 2:  

So there's types of evidence. There is real evidence and demonstrative evidence. Real evidence is also known as objective evidence or object evidence. This is where items can be brought specifically into a courtroom. Weapons, clothing, thumb drives, computers, all of those things can be brought into a courtroom. That would be your object evidence or real evidence. Demonstrative evidence is basically used to support testimonial evidence. This may or may not be admitted into court, but it could be a diagram explaining your overall process by which you send money externally to entities, and it could just be, you see these like in a chart that could pop up. They may or may not allow you to use that, depending upon if it's relevant to the case and/or if the judge wants to hear about it. But so those are the two types of evidence: one's physical, and then the other is something that you're demonstrating to the court.

Speaker 2:  

Now, when you're dealing with artifacts, evidence collection and forensics procedures, there is the International Organization on Computer Evidence, the IOCE. Now there are six principles by which they operate. Digital evidence includes all general forensics and procedure principles. This is what they're talking about when you're dealing with digital evidence: that it's got the forensics piece of this, and you also have the procedures by which you gather the information when seizing the evidence. Action should not change this overall plan. So, basically, if you have a way that you're getting it, you know, getting the evidence itself, it should not change.

Speaker 2:  

Where appropriate, a person should be trained on digital evidence, so you should, if possible, have someone within your organization to do that. Now, if you're in a small company, you're going, ha ha, I don't have anybody that can do digital evidence. You may have to contract with a third party, and that's where that would come from. Seizure, access, storage and transfer of digital evidence must be documented on how you're doing it, and then the individual is responsible for the digital evidence when it's in their possession. That means you must have control of it when you have a hold of it, and this is what you're responsible for during that entire process. Any agency must follow these principles as well. So all they're saying is that you must follow these six principles to ensure that you maintain the control of this evidence and it isn't fabricated and puts somebody in prison that doesn't need to go to prison.

Speaker 2:  

Media analysis is the first one that we'll talk about, and this is where you have extraction of information from the storage media itself. The analyst should never access hard drives from live systems. You don't plug it into the network and go, oh, let me look at it. No, don't do that. There was a James Bond, Skyfall, and there was this real smart young Q guy. And what does he do? He goes, I'm going to look at this computer. Well, he plugged it right into his network. Well, that was brilliant. You know, you got to love movies. You don't do that. That's bad. A lot of things can go wrong. One, you can taint the evidence. And two, if there's something bad on it, the moment that it gets able to connect to a network, maybe a logic bomb goes off and erases everything in it. Don't know. So again, from live systems, you want to power off and attach forensics workstations with what they call a write blocker so it doesn't write specifically to the overall system, because again, the moment you write to it, now you could potentially have tainted your evidence.

Speaker 2:  

In-memory analysis. This is where you're trying to get data from the chips that are inside the computer, and this can be very challenging and very volatile. If you can get any of that information, you have a very small window to which you can gather it, and it may not be something that will actually stand the test of time. Usually, a memory dump is usually used on a USB drive. I can try to dump it to a USB. Now you're going to want to make sure that that USB has followed a proper process so that it ensures that it's something they can't come back and argue. Well, this USB was used to copy down recipes for your family. Why did you use it to capture evidence? And then that would potentially be thrown out.

Speaker 2:  

Network analysis again, you want to understand the analysis of information traversing the network during an incident, and this can be very difficult as the data is typically not stored for long periods of time on the network. So again, what I'm talking about there is your log files. Those are usually kept pretty limited. Why? Because in many cases those log files take up space and that costs money and therefore you don't want to keep them any longer than you actually have to. It also can open you up to legal complications by having log files for an extended period of time.

Speaker 2:  

Evidence, there are various types of analysis. You have software analysis and you have hardware and embedded device analysis. Now, software analysis, this is where the activity may be occurring within the application itself. So again, you're looking for software codes such as logic bombs, backdoors, etc. This is where you're looking specifically at the application and the software involved with it. You just don't know. Now, this would take a lot more rigor and investigation to be able to get into this information.

Speaker 2:  

Hardware and embedded device analysis. This is where you study the various devices such as personal computers, phones, devices, you name it, pretty much this is what you're studying. These embedded devices are becoming more connected and thus need increased vigilance, and what I mean by that is the fact that you're going to see these everywhere. So you're going to need to really truly understand what are the systems that this individual is connected to, which ones are in this person's possession and which ones does this person have access and connectivity to. You're going to have to investigate all of those. Now the investigation process is going to occur through the gathering of evidence. Now this may be where you confiscate equipment, software or data.

Speaker 2:  

Confiscation must be carried out in a very defined process and again comes back to you. You just can't go out willy-nilly and take people's computers. You need to have a process by which you're going to do that. There's the voluntary surrender. This is where a person who owns the data or system provides it freely. If you are a person under investigation, do not. I repeat, again, I'm not a legal person, but I would highly recommend just listening to this.

Speaker 2:  

Do not give up your computer voluntarily, because you just don't. You just don't do that. Have somebody subpoena you for it, so that way you can get it. Don't go and just surrender it. People do that, but unfortunately what ends up happening is they forget about the fuzzy pictures of the kittens that are on their computers and then all of a sudden it opens it up to all kinds of investigations. Want fuzzy kittens on your computer? Just don't want it. So do not voluntarily surrender anything. Don't. Just.

Speaker 2:  

You need to have a subpoena. Again, I'm not a lawyer, don't play one on TV and don't care to even be one. But the point of it is, I would highly recommend that before you do that, you contact legal counsel to make sure that they are agreeing that you voluntarily surrender your computer. That's probably a better statement. Get with legal counsel. Okay, subpoena. A court order is a court order compelling an individual or organization to surrender a device. If you get a subpoena, then they will get a court order saying you must submit this device, and it's just better for tracking purposes, for everything. But again, contact legal to find out what's best for you.

Speaker 2:  

Interviewing individuals, you can interview them, again, to seek information to assist in the investigation. This is something where you're just kind of going out there soliciting information. What can I find? Interrogation, this is usually involvement with a crime and will be submitted within court. You don't want to do the waterboarding, which I enjoyed at training when I was in the Air Force. Yeah, that was not fun by any stretch of the imagination. That is not the kind of interrogation you would be doing to people. Interviewing and interrogation are very specialized and should be performed by a trained investigator. Yes, specifically, do not try to be the investigator that is interrogating or interviewing people unless you have been properly trained. Especially, I've done interviews and there's a whole training process by which you would interview a person. Now the investigation process.

Speaker 2:  

This deals with data integrity and retention. Data can be thrown out at any time in court, so data integrity is imperative. You've got to have something in place to make sure that you are keeping tabs on your data. A data archiving strategy must be defined and completed. It's basically, you got to have it set up. You need to have this done ahead of time. So if you have a large organization, I would highly recommend you start getting this kind of worked out. Just think of it. Hey, it's a goal of 2025. I want to have a strategy around investigations and archiving of data, period. Do that, that would be a great goal for 2025. Ensure that the data cannot be modified or changed when stored for future use. Again, you may have a separate room that is locked up and only a certain subset of people have access to it, and that's kind of. We talked about that in Domain 7. Reporting and documenting investigations.

Speaker 2:  

Every investigation should result in some type of report. It should be investigated. You should have all documentation written out somewhere. We don't want to have this just kind of this willy-nilly thing done. The formality of the report will vary on the organization, and the formal documentation lays the foundation for escalation and potential legal actions. You need to have that defined and done. Corporate legal should be involved in the final aspects of the report, and a single point of contact to be law enforcement liaison is imperative. If you're going to be dealing with a criminal investigation, you're going to want to have somebody from law enforcement involved in this overall plan. And again, legal counsel, contact legal counsel, HR. Again, all the main players got to be involved, especially when you're dealing with people. So, evidence categories of computer crime.

Speaker 2:  

Computer crimes generally fall into one of the following buckets. Military intelligence attacks: we see this routinely. People are stealing data, restricted information and so forth around military or even business intelligence within a company. Business attacks: these focus on illegally compromising confidentiality, integrity and availability of business data, and this comes down to an individual that's focused specifically on a business. Now it may be where the business works for the military. Then you got a double whammy. You got lots of fun things there. Financial attacks: these are unlawful attempts to obtain money or services and are most commonly considered computer crime, and I've seen this occur. You see it in the news quite frequently. I just had a lawyer here locally who did it a few years back. He's finally now back to practicing law, I guess, but he did some things that came across a little bit shady and it bit him pretty hard. So again, those financial attacks can happen. It's just something to consider.

Speaker 2:  

Terrorist attack, this is again, you know what, this is designed to disrupt normal life and instill fear. These happen on a routine basis, right? Unfortunately, they happen much more frequently than they should. It just happened as of the recording of this. It was the New Orleans individual who just ran people over down there in New Orleans. So terrorist attacks are bad, and they can do this through computer crime even easier than they do with running people over, which is the sad part about it. I mean, you can kill a lot of people, but if you were an attacker, you can kill people, but you also can destroy people's lives financially being these terrorists, and it's just not good in any way around it.

Speaker 2:  

Other things we're dealing with is a grudge attack. This is something that occurs with an individual who has a grudge against somebody to create damage to an organization or to a specific person, and reputation is a big factor. Again, this is also occurring, I feel, with AI and now the ability to put faces on. You know, you can generate all kinds of pictures of people and put faces of individuals on these pictures so that they look real, and unfortunately there's a lot of young ladies that are being just totally tortured by this, where there's people that are out there putting pictures of them on the web that are not real and it's causing all kinds of pain and drama, and so it's. These are just terrible. I mean, they're all bad, but these grudge attacks, where you're hurting people without even really knowing them, is just. It's a terrible thing. Not that you should hurt anybody, but you know what I mean. Thrill attacks, these are created primarily for the fun of the event or the incident. These, again, they're script kiddies that can fall into this specific bucket. They're just trying to do it to get some fun out of it and for feeling that sense of power and control. And then your hacktivist attack, these are commonly the normal attacker who's tied to attempts to basically incite some sort of political incident or movement. And all these things can be in different ways. Right, you can have a hacktivist attack and a grudge attack against a political person within your country, and it can do it in all different kinds of forms and manners. So, again, all of these are different types of computer crimes. Then I kind of highlight all of this. Some key considerations to think about.

Speaker 2:  

You have your legal and regulatory frameworks. These fall within your jurisdictional differences of GDPR, CCPA, CFAA and SOX. These will have to deal with local laws for evidence collection and privacy. So you're going to have to be aware of all of these. We've already touched on a lot of this, but this is more of an overview of some of the big things you need to think about. Privacy and consent. You need to understand employee monitoring requires consent and adherence to privacy laws. So again, you need to make sure that if you have any of these privacy things, that you are reaching out, your employees will sign this and they are all aligned with what's going on. You also need to respect expectations of privacy for personal and corporate devices. This will. It doesn't really matter whether it is corporate or personal. Their privacy needs to be involved in all aspects of this.

Speaker 2:  

When you're dealing with burden of proof, like we mentioned a little bit earlier, criminal is beyond reasonable doubt, civil is preponderance of evidence and administrative is a balance of probabilities. So that was kind of the one I didn't really talk about: administrative is the balance of probabilities. Bottom line is you need to have some. You can't just go on a fishing expedition trying to find information or find crimes on people. Chain of custody.

Speaker 2:  

This is where you properly document and track evidence handling to maintain integrity and admissibility. We kind of talked about that before as well. You got to have a plan on how you're going to maintain all of this documentation. The different types of evidence that you will run into are direct, circumstantial and digital evidence. These are the tools that would go into helping you collect this. A couple of those are EnCase and FTK. Those are some that I've used. EnCase, in the past, works really well for collecting digital evidence.

Speaker 2:  

Documentation. This is kept through unbiased reports and adherence to record-keeping requirements for regulatory compliance. Again, that's the documentation aspects of it. And then involving external authorities. This is when you know when to escalate to law enforcement or regulators and follow the appropriate communication protocols. You may or may not deal with external authorities and you may or may not want to bring in law enforcement. You and your family may, or, you and your business may, decide that you don't want to bring law enforcement into this conversation. Again, it comes down to you and your organization. You may want to just handle this internally and not have to bring in any sort of legal aspects of that. Conflicts of interest. You need to ensure that there's an unbiased investigation, and you may want to use third-party investigators if necessary, if that's something that you really truly want to deal with.

Speaker 2:  

We talked about penalties a little bit. Criminal, you've got fines and imprisonment. Civil, you've got financial penalties that are associated with it, and there's also the reputational aspects of that that are going to be out in the open. Regulatory, you've got fines, operational restrictions, such as GDPR. The fines can be substantial depending upon the company you're dealing with. And then incident response coordination. This aligns investigations with the incident response plan and clearly defines the roles. Again, you want to understand, when you're dealing with an investigation, who does what. Investigations can get very squishy very quickly and you want to make sure that it's well-defined whose role is what in this overall investigation. And then ethics. You need to maintain integrity and objectivity to protect any sort of whistleblowers you may have within your company. You need to have a good plan in place to deal with this.

Speaker 2:  

Forensic readiness. This needs to be where you're enabling logging and auditing before your incidents occur. You want to make sure you use the appropriate tools for digital forensics, such as Wireshark or Splunk, and make sure that you have the ability to store this information and maintain your chain of custody. Again, very important, chain of custody. Don't mess that up. It will cause you all kinds of drama if you do.

Speaker 2:  

Communication and disclosure. You want to limit the internal communications to a need-to-know basis. Specifically, you don't want to be telling everybody, hey, I'm investigating Bill, did you know Bill did this? Yeah, you don't want to talk about Bill or that you're investigating, air quotes, anybody, because guess what? People are smart. They'll figure stuff out, and before you know it they'll be asking you all kinds of questions and then you'll divulge something and then, if it goes to court, oh, then things can start unraveling quickly. So don't talk to anyone. Again, Fight Club, Fight Club. No one talks about Fight Club. Have a public relations plan for sensitive incidents. You want to make sure that your HR folks are in. Public affairs might be involved. I did bring in my public affairs folks multiple times to deal with incidents just to make sure that everybody was aligned with what we're trying to say.

Speaker 1:  

Okay, that is all.

Speaker 2:  

I have for you today. You can head on over to CISSP Cyber Training and get access to all this content available to you. You can get it. It's all there and all the videos are there. All the audios are there, everything. I got questions galore. I'm going to have some. I have some partnerships that I'm working with, Boson, multiple things that are occurring, and we are here to help you pass the CISSP. That's the ultimate goal. Got to have questions, got to have content.

Speaker 2:  

If you don't know what you should study for, CISSP Cyber Training has it for you. I guarantee you the information is there and available, and the best part is you're getting it from somebody who's been there, done that, got the t-shirt, been doing it for quite a few years, and I'm here to help you pass the CISSP. But beyond passing the CISSP, I'm helping you to become a cybersecurity professional so that you can go out and help us protect us all from the evil hacker horde. If you are looking for cybersecurity resources, go to ReduceCyberRisk.com. I'll have a link. I'm going to have a link in the show notes on this as well, as you will have a page on CISSP Cyber Training if you're looking for some sort of consulting capability. Reduce Cyber Risk has that for you and available to you. So again, go check it out, CISSP Cyber Training and ReduceCyberRisk.com. Hope you all have a wonderfully, beautifully blessed day and we will catch you all on the flip side. See you.
