Evidence Collection and Handling Transcription

Welcome to our evidence analysis and handling module. Evidence is material presented to a court, and to the judge or jury, to prove the truth or falsity of a fact at issue. The best evidence is evidence that directly proves that fact, for example that the individual charged with a crime was negligent or was responsible for committing it.

In order for evidence to be admitted in court it must be authentic, accurate, complete, convincing and admissible. The chain of custody is critical: if it is not maintained properly, the evidence may be ruled inadmissible. The chain of custody record should describe who obtained the evidence and secured it, where that individual found it and when it was obtained, who has had control or possession of it since, and where it has been stored. You need to maintain the security of the evidence from the moment it is collected until the moment it is brought into court at trial.

So someone must be watching the evidence, or it must be physically secured, for that entire timeline. If you cannot account for the evidence for any portion of that timeline, it will most likely not be admitted. For this reason, evidence is generally stored in a monitored vault protected by an alarm system, video surveillance, or both, and these rooms generally have electronic access controls that log who enters and who leaves. The evidence life cycle is the journey a piece of evidence takes from the time it is collected until the time it is no longer needed. Evidence is collected, identified, and protected.

Evidence will generally be labeled with a case number and the location where it was collected, and it will usually be protected by being sealed in a tamper-evident bag with an evidence seal that is signed by the individual who collected it. When we analyze evidence, we first make a forensic copy, an exact bit-for-bit duplicate of the original, and then we analyze the copy rather than the original.

This protects the original from being destroyed or altered, because it is only out of the vault for the short period needed to make the copy and is stored securely the rest of the time. Evidence must be stored where no one can tamper with it, and there must be a procedure in place to detect tampering, such as tamper-evident seals that show whether anyone has attempted to open or damage the package.
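The custody record described above can be kept so that it is itself tamper-evident. The following is an added example, not code from the course or from any particular evidence-management product: each custody event (collection, hand-off, check-out for analysis, check-in) records who had the item, where it was, when, and under which seal, and every entry also stores the hash of the previous entry, so an edited or deleted earlier entry breaks the chain and is detected on verification. All names, times and identifiers are constructed.

```python
"""Tamper-evident chain-of-custody record (added example, not from the course).

Each custody event stores who, where, when and under which seal, plus the
SHA-256 of the previous entry. Editing or removing an earlier entry breaks
the chain. All names, times and identifiers below are constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the very first entry


def _hash_body(body: dict) -> str:
    # Canonical JSON so the same fields always hash the same way.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(log: list, **fields) -> dict:
    """Append one custody event, linking it to the previous entry's hash."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    body = {"prev_hash": prev_hash, **fields}
    entry = {**body, "entry_hash": _hash_body(body)}
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != expected_prev or _hash_body(body) != entry["entry_hash"]:
            return False, i
        expected_prev = entry["entry_hash"]
    return True, None


def unaccounted_handoffs(log: list) -> list:
    """Indices where the item changed hands but the giver is not the previous holder,
    i.e. a gap in the custody timeline."""
    return [i for i in range(1, len(log))
            if "from_actor" in log[i] and log[i]["from_actor"] != log[i - 1]["actor"]]


def build_sample_log() -> list:
    """Constructed custody history for one item."""
    log = []
    common = {"case_number": "2024-0117", "item_id": "ITEM-03 laptop SSD", "seal_id": "S-00412"}
    append_entry(log, action="collected", actor="Det. A. Rivera",
                 location="123 Main St, home office", timestamp="2024-03-04T14:05:00Z", **common)
    append_entry(log, action="transferred", from_actor="Det. A. Rivera", actor="Custodian J. Park",
                 location="Evidence vault, locker 7", timestamp="2024-03-04T16:40:00Z", **common)
    append_entry(log, action="checked_out", from_actor="Custodian J. Park", actor="Examiner L. Chen",
                 location="Forensic lab, bench 2", timestamp="2024-03-05T09:00:00Z", **common)
    append_entry(log, action="checked_in", from_actor="Examiner L. Chen", actor="Custodian J. Park",
                 location="Evidence vault, locker 7", timestamp="2024-03-05T11:30:00Z", **common)
    return log


def tampered_copy(log: list, index: int, field: str, value) -> list:
    """Copy of the log with one field silently edited, to show detection."""
    altered = copy.deepcopy(log)
    altered[index][field] = value
    return altered


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    print("edited location:", verify_chain(tampered_copy(log, 1, "location", "Detective's car")))
    print("entry removed:", verify_chain(log[:2] + log[3:]))
    print("custody gaps:", unaccounted_handoffs(log))
```

The hash chain only detects tampering after the fact; it does not stop it. In practice the record is also signed or kept on an append-only system by the custodian, and the seal number in each entry is checked against the physical bag whenever the item changes hands.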

The evidence must be preserved and protected from extreme temperatures, humidity, water damage and other kinds of damage, and it must be transported to your secure facility without delay. For example, if you collect several pieces of evidence and put them in the trunk of your vehicle, you should take them directly to secure storage.

You would not want to stop for a meal and leave the evidence in the car, because someone could tamper with it while it is unattended. Eventually the evidence will need to be presented in court. The individual who examined the evidence will generally present the artifacts located on the piece of electronic media, along with their opinion of how those artifacts got there and why they are important to the case.

Once the case has concluded, the property is generally returned to the victim or owner, unless the owner was the perpetrator of the crime, in which case the evidence is generally forfeited so that the individual has no further rights to it.

During the digital forensics process, an examiner will analyze the types of evidence available to them. This can include RAM (random access memory), the computer's temporary working storage, whose contents are lost when the computer is powered off and which must therefore be captured while the system is still running; hard drives or solid state drives, which store the user's data and programs; CDs, DVDs and Blu-ray discs; and any external storage devices such as USB flash drives, USB portable hard drives and SD cards.

The examiner should also consider reviewing any available backups. If an individual deleted data from a computer but the computer was backed up shortly before the deletion, the examiner may be able to find that critical evidence in the backups. Backups could be located on the internal hard drive, on an external hard drive connected to the computer, on the network, or in the cloud, so examiners should investigate all of these locations. The examiner's responsibility is to make sure that no changes whatsoever occur to the original media, whether it is a hard drive, an SD card or a USB flash drive.

The examiner will use special hardware known as a write blocker to prevent their examination machine from writing anything to the suspect's original media, and will use dedicated hardware and software tools to make exact copies of the evidence for later analysis, verifying each copy by comparing a cryptographic hash of the original with a hash of the copy. Examiners can also examine data that may be available on the network.

Routers, intrusion detection systems and firewalls generally store log information that can be very helpful, especially if the attack or incident involved the network. Examiners can review this data to see whether any exfiltration occurred, that is, outgoing traffic in which an individual was stealing data from the network.
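As an added example of the kind of review described above (not code from the course), the script below scans constructed firewall-style log lines and flags internal hosts whose traffic to external addresses looks like exfiltration: a large outbound volume, or a heavily outbound byte ratio, with a count of flows that happened outside working hours. The key=value log format, the internal address ranges and the thresholds are all assumptions; only the parser needs to change for a real device's format.

```python
"""Flag possible data exfiltration in firewall logs (added example, not from the course).

Log lines are constructed in a simple key=value format loosely modelled on
firewall connection logs. Internal ranges, off-hours window and thresholds
are assumptions for the example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2024-03-04T09:12:41Z src=10.1.5.23 dst=10.1.0.5 dport=445 proto=tcp bytes_out=12288 bytes_in=204800
2024-03-04T09:30:02Z src=10.1.5.23 dst=93.184.216.34 dport=443 proto=tcp bytes_out=4096 bytes_in=1048576
2024-03-04T02:13:07Z src=10.1.5.23 dst=203.0.113.9 dport=443 proto=tcp bytes_out=734003200 bytes_in=65536
2024-03-04T02:15:20Z src=10.1.5.23 dst=203.0.113.9 dport=443 proto=tcp bytes_out=512000000 bytes_in=40960
2024-03-04T10:05:11Z src=10.1.7.40 dst=93.184.216.34 dport=443 proto=tcp bytes_out=8192 bytes_in=2097152
2024-03-04T11:40:55Z src=10.1.7.40 dst=198.51.100.77 dport=22 proto=tcp bytes_out=15728640 bytes_in=8192
"""

# The organisation's own address space (assumption). Anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OFF_HOURS = range(0, 6)  # 00:00-05:59 UTC treated as off-hours (assumption)


def parse_line(line: str) -> dict:
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes_out"] = int(rec["bytes_out"])
    rec["bytes_in"] = int(rec["bytes_in"])
    return rec


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def summarize(log_text: str) -> dict:
    """Per internal source: bytes to/from external hosts, distinct external
    destinations, and how many of those flows were off-hours."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "dsts": set(), "off_hours": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if is_external(r["src"]) or not is_external(r["dst"]):
            continue  # only internal -> external flows matter for exfiltration
        s = stats[r["src"]]
        s["out"] += r["bytes_out"]
        s["in"] += r["bytes_in"]
        s["dsts"].add(r["dst"])
        if r["time"].hour in OFF_HOURS:
            s["off_hours"] += 1
    return dict(stats)


def find_exfil_candidates(stats: dict, min_bytes=100 * 2**20, min_ratio=10.0) -> list:
    """Flag hosts over the volume threshold, or with at least 10 MiB out and an
    outbound:inbound byte ratio typical of uploads rather than browsing."""
    hits = []
    for src, s in stats.items():
        ratio = s["out"] / max(s["in"], 1)
        if s["out"] >= min_bytes or (s["out"] >= 10 * 2**20 and ratio >= min_ratio):
            hits.append({"src": src, "bytes_out": s["out"], "ratio": round(ratio, 1),
                         "destinations": sorted(s["dsts"]), "off_hours_flows": s["off_hours"]})
    return sorted(hits, key=lambda h: -h["bytes_out"])


if __name__ == "__main__":
    for hit in find_exfil_candidates(summarize(SAMPLE_LOG)):
        print(hit)
```

In the sample, 10.1.5.23 pushes roughly 1.2 GB to a single external address at two in the morning and is flagged; 10.1.7.40's 15 MB over SSH during the day stays under both thresholds. Tune the thresholds to the environment's baseline before relying on them, and treat a hit as a lead to confirm against host and application logs, not as proof.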

They may also be able to recover evidence from the internet service provider (ISP), depending on what information the ISP retains. It is also important to make sure that everything is still properly configured, because an intruder could have modified the settings on your network equipment to avoid detection, and you want to prevent further attacks. So once the modified configuration has been captured as evidence, all of these settings should be restored to their original state. You can also analyze the system and the software on it, looking for viruses or other malware, email messages, files, log information, timestamps, and metadata, which is simply data about data, such as who created a Word document and when it was last edited.

Web servers can also hold good information about an incident, and browser history can be very helpful when you are trying to determine what an individual was looking at at the time of the incident. Software logs can help to determine what actions an individual took once they accessed a piece of software without permission.
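Browser history is usually a SQLite database, and the practical trap is the timestamp format. The example below is added here and is not code from the course: it builds a constructed, in-memory table modelled on the urls table layout that Chromium-based browsers use, where last_visit_time is microseconds since 1601-01-01 UTC (the Windows FILETIME epoch) rather than Unix time, and then pulls the URLs visited within a window around an incident time. The URLs and visit times are made up; Firefox uses a different schema and epoch, so its conversion differs.

```python
"""Browser history around an incident time (added example, not from the course).

The urls table here is a constructed in-memory stand-in modelled on the
Chromium History database; real data would be read from a copy of the
History file. Timestamps are WebKit/Chrome format: microseconds since
1601-01-01 UTC.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_webkit(us: int) -> datetime:
    """Microseconds since 1601-01-01 UTC -> aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def to_webkit(dt: datetime) -> int:
    """Aware datetime -> microseconds since 1601-01-01 UTC."""
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


def build_sample_history() -> sqlite3.Connection:
    """Constructed history rows; URLs and times are made up for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_time INTEGER)")
    utc = timezone.utc
    rows = [
        ("https://example.org/", "Example Domain", 3, datetime(2024, 3, 3, 17, 2, tzinfo=utc)),
        ("https://search.example/?q=how+to+wipe+a+drive", "how to wipe a drive", 1,
         datetime(2024, 3, 4, 1, 58, tzinfo=utc)),
        ("https://files.example/upload", "Upload", 2, datetime(2024, 3, 4, 2, 11, tzinfo=utc)),
        ("https://news.example/", "News", 9, datetime(2024, 3, 4, 12, 30, tzinfo=utc)),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        [(u, t, c, to_webkit(d)) for u, t, c, d in rows])
    return conn


def visits_around(conn, incident: datetime, window: timedelta) -> list:
    """URLs whose last visit falls within +/- window of the incident, oldest first."""
    lo, hi = to_webkit(incident - window), to_webkit(incident + window)
    cur = conn.execute("SELECT url, title, visit_count, last_visit_time FROM urls "
                       "WHERE last_visit_time BETWEEN ? AND ? ORDER BY last_visit_time", (lo, hi))
    return [{"url": u, "title": t, "visits": c, "last_visit": from_webkit(ts).isoformat()}
            for u, t, c, ts in cur]


def demo() -> list:
    """Incident time is constructed (e.g. taken from a firewall log); one hour either side."""
    incident = datetime(2024, 3, 4, 2, 13, 7, tzinfo=timezone.utc)
    return visits_around(build_sample_history(), incident, timedelta(hours=1))


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Work on a copy of the History file, never the live one: the browser holds a lock on it and may rewrite it, and the copy is what the hash in your notes should refer to.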

Hashing algorithms let us create digital fingerprints for files. A set of known hash values for standard operating-system files lets us ignore those files during an investigation: every Windows 7 system, for example, has a copy of the same system file, so there is no reason to spend time on it. The same fingerprints also prove that a forensic copy is identical to the original and that a file has not changed since it was collected.
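The following added example (not code from the course) puts both uses of hashing together: it images a file while hashing the source, re-reads the written copy and compares the two digests, shows that a single altered byte in the copy is caught on re-verification, and triages a constructed directory tree against a set of known-good hashes so stock operating-system files are skipped. The file contents and the known-hash set are constructed here; a real known-file set would be loaded from a published reference data set, and a real source would be read through a write blocker.

```python
"""Verify a forensic copy and skip known OS files by hash (added example, not from the course).

The "media" is a constructed temporary directory and the known-hash set is
built in memory for the example.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB chunks so large images do not load into memory


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(source, dest) -> dict:
    """Copy source to dest byte for byte, hashing the source as it is read,
    then hash the written copy independently and compare the two."""
    src = hashlib.sha256()
    with open(source, "rb") as fin, open(dest, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            src.update(chunk)
            fout.write(chunk)
    copy_digest = sha256_file(dest)  # re-read from disk; do not trust what was buffered
    return {"source": src.hexdigest(), "copy": copy_digest,
            "verified": src.hexdigest() == copy_digest}


def copy_still_matches(expected_digest: str, path) -> bool:
    """Re-verify a working copy before or after analysis."""
    return sha256_file(path) == expected_digest


def triage_files(root, known_hashes: set) -> dict:
    """Split files under root into known (skip) and unknown (examine)."""
    known, unknown = [], []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            (known if sha256_file(p) in known_hashes else unknown).append(p.name)
    return {"known": known, "unknown": unknown}


def run_demo() -> dict:
    """Build a constructed mini file system, triage it, image one file, then
    alter one byte of the copy and show that re-verification catches it."""
    files = {  # constructed contents standing in for real files
        "system/kernel32.dll": b"stock OS library bytes (constructed)",
        "system/notepad.exe": b"stock OS program bytes (constructed)",
        "users/notes.txt": b"meeting tonight, bring the drive",
        "users/tool.exe": b"unknown binary (constructed)",
    }
    known = {hashlib.sha256(files[n]).hexdigest() for n in files if n.startswith("system/")}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "media"
        for name, data in files.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_bytes(data)
        triage = triage_files(root, known)
        img_path = Path(tmp) / "notes.img"
        image = image_and_verify(root / "users" / "notes.txt", img_path)
        with open(img_path, "r+b") as f:  # simulate a copy altered after imaging
            f.seek(0)
            f.write(b"M")
        still_ok = copy_still_matches(image["source"], img_path)
    return {"triage": triage, "image": image, "after_tamper_matches": still_ok}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Record the source digest in the custody notes at imaging time; a copy whose hash no longer matches that note is not evidence of anything, however interesting its contents.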

Computers are not the only source of valuable information in a case. Smartphones are also a great source of evidence because individuals commonly carry these phones with them and store large amounts of data on them. You can find photos, call logs, and contacts that may be helpful to your investigation.

And there are special forensic tools that can even recover deleted information from cellular devices and tablet computers. You should not turn off cellular phones or tablets; instead, place them in airplane mode (or in a shielded, Faraday-type bag) to prevent anyone from remotely wiping the device and to prevent any content from being modified before you conduct your analysis.

Turning on airplane mode also extends the device's battery life, so you can keep it powered on for a longer period of time. You may find encrypted data or password protection on devices. There are special tools that can decrypt data or brute-force the password by trying all possible combinations, but these can take a significant amount of time.

Your best source for this information is simply to ask the user for their password; they may give it to you. Flash memory is also a great source of information. You can find information on an SD card embedded in a cell phone, or on a USB thumb drive sitting on the desk near the computer you are seizing.

Even when an individual deletes information from a piece of flash media it can often be recovered. You may need to use an advanced forensic process such as chip-off forensics, where you physically remove the memory chips from the device's circuit board and use a special reader to read the contents directly off the chip.

You should also not forget about traditional evidence that could be located on devices, such as fingerprints or DNA. If an individual claims that they do not own a computer that is full of criminal evidence, or that they have never seen it before, you can fingerprint the computer's keyboard, mouse or other surfaces to determine whether their fingerprints or DNA are on the device.

It will be hard for the user to claim they never touched the device when their fingerprints are all over it. To preserve the best fingerprint and DNA evidence, you should always wear gloves when handling evidence so that you do not contaminate it with your own fingerprints and DNA.

eDiscovery, or electronic discovery, is the court-ordered production of electronically stored information for use as evidence in a case. You are required to produce all of the data that has been requested if you have it available. If you are not able to produce the data, you may be required to perform digital forensics, or hire someone to do a forensic examination, in order to find records that were deleted but are still recoverable.

It is important to maintain an electronic inventory and to control your assets, and you should have a documented policy for these activities: what types of computers and other devices do you have, where are they located, and who controls them? It is very important to have data retention policies in place.

You should have clearly defined policies that state which types of data must be retained and for how long, along with documentation of how you enforce those policies. You should only keep data beyond the retention period if you are required to do so by court order.

For the CISSP examination, remember that there is no reason to keep data past the period specified in your data retention policies. You should also make sure that your data is backed up and that you can recover it. Who is in charge of backing up the data, and how frequently do they do so?

When is this information no longer recoverable? Remember that this is different from when it is no longer forensically recoverable by an expert. With eDiscovery, you will only be expected to deliver the data you have in your possession. Remember that the data owner or manager is ultimately responsible for the data, so these individuals should make sure that everything is being processed correctly and in accordance with your policy.

You should also make sure that all of your data is properly labeled and handled, and you should have policies in place for this. If you end up in court, you may be required to prove that you handled the data correctly, and this is why documentation is critical.

This concludes our evidence analysis and handling module. Thank you for watching.
