Hey, I'm Rob Witcher from Destination Certification, and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to investigations in Domain 7, to understand how they interrelate, to guide your studies, and to help you pass the CISSP exam. This is the first of six videos for Domain 7. I've included links to the other mind map videos in the description below. These mind map videos are one part of our complete CISSP Master Class.

All right, let's talk about how we apply the principles and methods of forensic science to investigations. This is all about what an organization needs to do if, for example, they've detected a breach, or had a whistleblower report or something, or Visa has called asking why our systems are leaking millions of credit card numbers.

One of the most important first steps is securing the scene: establishing a perimeter to prevent unauthorized persons from entering the scene, in order to avoid the loss or contamination of evidence. Securing the scene is paramount, as once evidence has been contaminated it cannot be decontaminated. Securing a digital crime scene is particularly challenging, as we want to preserve as much evidence as possible but balance that against things like stopping an ongoing breach. Should a computer system be unplugged from the network, or even shut down? Doing so too quickly could compromise the investigation, but doing so too slowly could allow additional data to be leaked.

Once we begin collecting evidence, there are a few principles, techniques, and sources we should be aware of. Locard's principle often comes up on the exam. Put simply, it states that when a crime is committed, the perpetrator will leave something behind and take something with them. Locard's principle helps investigators think about where they may be able to find evidence. Investigators also need to think about MOM: motive, opportunity, and means. This is an investigative technique used to determine if a suspect has the motive (for example, financial gain), the opportunity (were they at the crime scene?), and the means (did they have the right tools and techniques necessary to commit the crime?). So MOM helps us think about who is the perpetrator.

There are a few sources of evidence for an investigator. Oral or written statements are when witnesses tell an investigator what they witnessed, or write it down. Documents are any notes, files, and the like that an investigator can find. Digital forensics is the scientific examination and analysis of data from storage media, in such a way that the information can be used as evidence in a court of law. One of the most challenging and important types of digital evidence is known as live evidence. This is any data stored in volatile memory within a system: places like RAM and the CPU's cache and registers. Recovering live evidence requires specialized tools, and any live evidence is lost when a system is powered down. Capturing live evidence is much, much easier on virtual machines, as you can take a snapshot of the system. Where most digital evidence is going to be found is in secondary storage: primarily hard drives, but also USB drives, memory sticks, CDs and DVDs, tapes, Zip disks (anyone have those anymore?).

An important point to remember is that when an investigator obtains a hard drive, they do not conduct any of their investigations on the original drive. Rather, they're going to make at least two bit-for-bit copies, which they'll verify via hashing, and any investigations are conducted only on one of the copies. This helps to ensure that any evidence collected will be admissible.

Cloud-based systems and virtual systems make investigations both easier and more difficult. In Infrastructure as a Service, for instance, it is possible to make an exact copy of a virtual machine or VM instance, including any of the live evidence on the system. This is often referred to as snapshotting, and it makes collecting evidence far easier. More challenging is requesting and conducting investigations of physical hard drives in the public cloud. The cloud provider is very unlikely to provide physical hard drives, as other client data will also likely be stored on those drives, but investigators can request virtual disks or volumes.

eDiscovery, or electronic discovery, is the process of identifying, collecting, and producing electronically stored information for legal proceedings.

The chain of custody: you should associate the chain of custody with one word, control. The chain of custody is the process of documenting the complete journey of evidence during the life of the case, demonstrating that you had control of the evidence from the moment it was collected to, potentially, years later when it is presented in a court of law, and thus that the evidence has integrity.

Of the different types of evidence we just spoke of, we can categorize them in a few different ways. Real evidence is tangible and physical objects, like hard drives. Crucially, data is not considered to be real evidence, as we can't see data on a hard drive, and even if we could see the bits, we don't have the algorithms necessary in our heads to turn those bits into an image, video, or audio file. Data is not tangible; it's not a physical object. Direct evidence is evidence that speaks for itself and requires no inference. Examples of direct evidence include eyewitness accounts and confessions. There are three other types of evidence that I'm intentionally skipping over here, as they are not as important to know for the exam: circumstantial evidence, corroborative evidence, and hearsay evidence. Okay, back to the types of evidence I would suggest you know. Secondary evidence is a reproduction of, or substitute for, an original document or item of proof. Very importantly here, data is considered to be secondary evidence because, like I said, we can't see data directly; we have to reproduce it through, say, a JPEG algorithm and turn the bits into a picture we can see. And the final one, the best evidence rule, is a legal principle that applies to any of the evidence we have discussed, and it simply means that the courts view original, unaltered evidence as superior evidence, or the best evidence. So the best evidence rule basically means the courts prefer original evidence. Here's a summary of the different types of evidence.

That leads us to the five rules of evidence, which are required for evidence to be considered useful in an investigation. Authentic means that you can tie the evidence back to the scene; you can prove the evidence relates to the incident in a relevant way. Accurate equates essentially to integrity: you can prove the evidence has integrity. Complete means you collect all evidence, even exculpatory evidence which might help clear a suspect. The evidence must be convincing: reliable and explainable to a jury; your evidence collection and analysis procedures must not cast doubt on the evidence's authenticity and veracity (its degree of truth). And finally, you want your evidence to be admissible. This is the most basic rule: the evidence must be able to be used in a court of law or elsewhere.

Now, what are some of the techniques that we can use to analyze the evidence that we've collected? Media analysis, often referred to as computer forensics, is examining physical media, such as hard drives, for evidence. Media analysis includes trying to recover data from a hard drive that someone may have drilled a hole in, or put in the microwave, or abused with a hammer. Software analysis, also often referred to as software forensics, is examining software such as malware to determine what the software was designed to do: for example, encrypt files for ransomware, or exfiltrate credit card numbers. Another important part of software analysis is attribution: carefully analyzing the code to identify who may have authored the software. Network analysis is examining network traffic and log files to identify how an attacker initially gained access to the network, how they traversed the network, what they gained access to, and what they managed to compromise.

There are a few different types of investigations that you need to know about. Criminal investigations deal with crimes and the legal punishment of criminal offenses. Criminal investigations are driven primarily by law enforcement, with support from the organization. Civil investigations deal with disputes between individuals, organizations, or between the two, in which compensation is awarded to the victim. These investigations can be driven by law enforcement or the organization. Regulatory investigations deal with violations of regulations, such as breaches of personally identifiable information, and will be driven by the regulator. Administrative investigations deal with an organization investigating its own internal incident; based on findings, it may become a criminal, civil, or regulatory investigation.

And the final part of any investigation is the extremely thorough documentation of evidence collected and preparing to present that evidence to the relevant parties: a judge and jury, the opposition, regulators, investors, etc.

All right, and that is our review of investigations within Domain 7, covering the most critical concepts that you need to know for the exam. A brilliantly helpful feature of our CISSP Master Class is that you can have your own personal CISSP mentor who will guide you to confidently pass the CISSP exam. Get completely personalized guidance on how to create a study plan that will work for you, and have someone there to encourage you and ensure you're on track and ready for the exam. Learn more about our personalized mentoring here at destcert.com.
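The review above describes two steps an examiner takes before any analysis: making at least two bit-for-bit copies of a seized drive, verifying each by hashing, and documenting the chain of custody so control of the evidence can be demonstrated later. The following is an added worked example of those two steps; it is not code from the video or from Destination Certification. The "drive" is a constructed file, the examiner names and file names are made up, and SHA-256 with a hash-linked log is this example's own design choice, not something the video specifies.

```python
"""Added example (not from the video): bit-for-bit acquisition verified by
hash, plus a tamper-evident chain-of-custody log.

Assumptions: the seized 'drive' is a plain file of constructed bytes and the
hash is SHA-256. A real acquisition goes through a write blocker and a
forensic imager; this models only the verification and documentation steps.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a large image need not fit in RAM


def sha256_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, workdir: str, copies: int = 2) -> dict:
    """Make `copies` bit-for-bit images of `source`, each verified by hash.

    Raises if any image does not match the source: a mismatched copy must
    never be used for analysis. Returns the source hash and image paths.
    """
    source_hash = sha256_file(source)
    images = []
    for i in range(1, copies + 1):
        dest = os.path.join(workdir, f"image{i}.dd")
        shutil.copyfile(source, dest)  # stands in for dd / a forensic imager
        if sha256_file(dest) != source_hash:
            raise RuntimeError(f"{dest}: hash mismatch, acquisition failed")
        images.append(dest)
    return {"source_hash": source_hash, "images": images}


class CustodyLog:
    """Append-only chain-of-custody record.

    Every entry stores the SHA-256 of the previous entry, so a later edit to
    any earlier entry breaks the chain and verify() reports it.
    """

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, custodian: str, action: str, item: str, item_hash: str) -> dict:
        prev = self._digest(self.entries[-1]) if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "item": item,
            "item_hash": item_hash,
            "prev_entry_hash": prev,
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if every entry still links to the digest of its predecessor."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev_entry_hash"] != prev:
                return False
            prev = self._digest(e)
        return True


def demo() -> dict:
    """Run acquisition and custody logging on constructed sample data."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_drive.bin")
    with open(source, "wb") as f:  # constructed stand-in for a seized drive
        f.write(b"MBR\x00" * 256 + os.urandom(4096))
    result = acquire(source, workdir)

    log = CustodyLog()  # hypothetical custodians, for illustration only
    log.record("A. Examiner", "seized", source, result["source_hash"])
    for img in result["images"]:
        log.record("A. Examiner", "imaged and hash-verified", img, result["source_hash"])
    log.record("B. Analyst", "received working copy", result["images"][0], result["source_hash"])

    # Alter an earlier entry in a copy of the log: the chain must no longer verify.
    tampered = CustodyLog()
    tampered.entries = [dict(e) for e in log.entries]
    tampered.entries[1]["custodian"] = "Unknown"

    return {
        "copies_verified": len(result["images"]),
        "log_ok": log.verify(),
        "tamper_detected": not tampered.verify(),
        "source_unchanged": sha256_file(source) == result["source_hash"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only `image1.dd` is handed to the analyst; the original and `image2.dd` are kept untouched so their hashes can be re-checked when the evidence is presented. The hash-linked log makes edits to earlier entries detectable, but it does not by itself prove who wrote the entries; in practice the chain head would also be signed or stored under separate access control.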