Understand and Support Investigations

Conducting investigations for various purposes is an important function for security professionals. One of the important aspects of cyber security is understanding and supporting investigations.

CISSP candidates should know all the fundamentals of collecting evidence, documenting this investigation, reporting the information, performing root cause analysis, and even performing digital forensic tasks. In fact, successful conclusions in investigations depend heavily on proficiency in these skills.

Evidence Collection and Handling

Evidence is information presented in a court of law to confirm or dispel a fact that’s under contention, such as the commission of a crime, the violation of policy, or an ethics matter.

Properly gathering and protecting evidence is one of the most important and most difficult tasks that an investigator must master.

With evidence collection, documentation is fundamental.

A digital investigation deals with collecting, preserving, and producing the evidence that pertains to computer crimes; and it is also called digital forensics.

To ensure consistency of data, the organization should have an incident response policy that outlines the steps to take in the event of a security incident. This policy must include key details such as how employees report an incident. So it is clearly that organization should have an incident response team that is aware with the incident response policy.

Types of Evidence

  • Direct evidence: Oral testimony or written statement by an eye witness proving or disproving a particular fact or issue.
  • Real (or physical) evidence: Tangible objects from the actual crime, such as the tools or weapons used and any stolen or damaged property. May also include visual or audio surveillance tapes generated during or after the event.
  • Documentary evidence: Includes originals and copies of business records, computer-generated and computer-stored records, manuals, policies, standards, procedures, and log files. In fact, most evidence presented in a computer crime case is documentary evidence. Also the hearsay rule is an extremely important test of documentary.
  • Demonstrative evidence: Used to aid the court’s understanding of a case. Opinions are considered demonstrative evidence and may be either expert or non-expert.
[rev_slider alias=”Advertisement-1″ /]

Reporting and Documentation

Reporting phase must begin immediately upon detection of malicious activity.

There are two types of reporting focuses here: Technical and Non-technical reporting.

The prerequisite for having a technical report is that the incident handling teams must report the technical details of the incident as they begin the incident handling process

Non-technical stakeholders including business and mission owners must be notified immediately of any serious incident and also kept up to date as the incident handling process progresses.

More formal reporting begins just before the recovery phase, where staff prepares to recover affected systems and place them back into production.

An investigation’s report is usually includes the following:

  • Incident investigators. (It must including their qualifications and contact information)
  • Names of parties interviewed. (it must including their role, involvement, and contact information)
  • List of all evidence collected, including chain(s) of custody.
  • Tools used to examine or process evidence, including versions.
  • Samples and sampling methodologies used, if applicable.
  • Computers used to examine, process, or store evidence.
  • Root-cause analysis of incident, if applicable.
  • Conclusions and opinions of investigators.
  • Hearings or proceedings.
  • Parties to whom the report is delivered.

Investigative Techniques

These are the techniques used to find out the causes of incidents.

This process is also known as the root cause analysis. A root cause analysis requires in-depth examination to determine what happened, how it happened, and how to prevent the same thing from happening again.

An example for root cause: A user clicked on a malicious link in an email.

In all cases, proper evidence collection and handling is essential. Often, teams are formed to determine the root cause of the incident.

Also, you should be familiar with the general steps of the investigative process:

  1. Detect and contain an incident
  2. Notify management
  3. Conduct a preliminary investigation
  4. Determine whether the organization should disclose that the crime occurred.
  5. Conduct the investigation (This include three activities: Identify potential suspects, Identify potential witnesses, and Prepare for search and seizure)
  6. Report your findings

Digital Forensics Tactics, and Procedures

A primary goal of Digital forensics is to prevent unintentional modification of the system. Digital forensic medicine must investigate a computer accident to determine exactly what happened, and who is responsible for it. Therefore, acceptable legal evidence must be collected to be used in subsequent legal proceedings, such as criminal investigations, domestic investigations, or lawsuits.

Proper digital forensic analysis and investigation requires in-depth knowledge of hardware, operating systems (including computer mobile and each device which has operating system), applications, databases, and software programming languages, as well as knowledge and experience using sophisticated forensics tools and toolkits.

The types of forensic data-gathering techniques include

  • Hard drive forensics: It include Last known state of the computer, History of attempts by the user to remove evidence, History of files accessed, History of web sites visited by a browser, History of files created, History of programs executed, and History of files deleted)
  • Live forensics: It include running processes, Communications traffic in/out of the computer, currently open files, Keystrokes, and Contents of RAM)

Forensic investigators use a scientific method that involves

  • Determining the characteristics of the evidence (For each piece of evidence, it must be determined whether it is a primary evidence or a secondary evidence). Evidence must also be used that is reliable and stable.
  • Comparing evidence from different sources to determine a chronology of events.
  • Event reconstruction, including the recovery of deleted files and other activity on the system.