CCT 062: Decoding Digital Evidence - A Comprehensive Guide to Forensics, Legal Concepts, and Ethical Implications (Domain 7.1)

cct cissp domain 7 Aug 14, 2023

Ready to demystify the world of digital evidence in cybersecurity? What if you could easily navigate the complex protocols that safeguard system logs, network logs, and files? This episode promises to enhance your understanding of digital evidence, and its undeniable fragility. We deep-dive into why maintaining the chain of custody matters and the key to ensuring the integrity of these critical pieces of information.

Ever thought about the art and science of digital forensics? We break it down, from data collection that leaves the original form untouched, to the vital role of analysis in reconstructing incidents. We share insights on creating comprehensive reports for all audiences, and the best practices for presenting findings to all relevant parties. Listen in as we guide you through the four key phases of digital forensics: acquisition, analysis, reporting, and presentation.

But that's not all. We also delve into the legal and ethical minefield of digital evidence collection. We dissect the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, Data Breach Notification Laws, and the importance of Chain of Custody. We expose how these considerations play out in real-world scenarios. Towards the end, we focus on the significance of digital evidence in CISSP domain seven, seven dot one, and offer free resources to help you ace your CISSP exam. Make sure you've got your pen and paper ready for this information-packed episode.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to and sign-up to join the team for Free. 


Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey, all this is Sean Gerber, with CISSP Cyber Training, and I hope you guys are all having a wonderful day. Today. We've been working for my wife in her Kona Ice franchise a little bit and we've been able to go out and serve people as it relates to shaved ice. I don't know if I have a lot of students that are from all over the globe and you may not know what that is, but basically it's a food truck that has shaved ice that we share with lots of people during the summer months. It's something that a lot of schools will use and it's something that is kind of a tradition here in the United States, but my wife has a food truck, so that's what I have been doing. I've got business, I have to work tonight, I have business on Thursday and then I think, just basically two weeks this week, but then tonight I have a CISSP community call that we have for our members. That's going to be occurring at about 7.30 this evening, so in US time. So that's the plan for tonight. But what the plan is right now is I'm actually going to be going over digital evidence and how that's important within the CISSP. This is aligned with domain seven around 7.1. We're talking digital evidence collection, and so there's going to be getting into various aspects around digital evidence and the importance of it. Now, when you are in a cybersecurity space and you are going to be working for an entity, you're going to need to understand the purpose behind collecting digital evidence. Now your company may have someone who does this specifically for your organization. So your company may have a person who will push out the software, who will maintain chain of custody, who will understand all of the nuances behind collecting digital evidence. But you also may go work for a company that does not have that, and I would say most companies that you go work for, unless they're a very large multinational, probably do not have this capability built into what they provide. So you may be the person who has to have best knowledge around digital evidence and the maintaining of that. One from. You got to pass the CISSP and it will probably be called out on the CISSP exam and then also, you're going to need to understand this in the event that this happens within your organization and you have to start collecting logs, you have to potentially have legal actions and so forth. So that's kind of an overview of what we're going to talk about today and the purpose was behind it. Now, what is digital evidence? Now, it's the information that can be extracted from a computer system or a digital device used in a court of law. Now, this can happen in the United States, it can happen in the Netherlands, it can happen pretty much anywhere. Right Now, the amount of information that is needed to be able to put, garner or to be able to have available for the court of law, for the court that you're working in, will vary from location to location, but overall, the concepts are very similar whether you're in the United States or you're in another location around the globe, and you need to make sure that you keep this data in a protected environment. Now, the reason I say that is the data is typically very fragile. Now that doesn't mean it's going to break when you pick it up and it's going to fall apart. That means, though, that when you get a piece of digital evidence, a little piece of log data that you get from a device, it is very easily manipulated or tampered with, and if you don't have proper protocols to ensure that it was protected or deleted basically, if you don't have proper protocols in place to help you, guide you through this process you could end up having a situation where you go to the court, you present your information, and the court the prosecution or the defense, depending on which side of the house that you're on will tear apart your evidence because you did not follow proper procedures in collecting it and maintaining it. They'll basically say something happened to it, so, since it's so fragile, it can be modified, destroyed or potentially even rendered unusable, and so it's really important that you have a plan on how you're going to properly handle your evidence that you collect. Now, there are various types of digital evidence, and we're going to go over just the main six that you'll end up dealing with. You have one. You have system logs. Now, these are the logs that show user activities. They also can show changes to the system, any time stamps for certain activities and when they happen, and then there's a lot more that can be added into the overall system logs. They really are an important source when you're looking at tracing unauthorized access or changes to the system. Now, not all system logs are kept for a very long time, but they usually all have some level of logging. Network logs show the network activities that occur. Now. This could be IP addresses that are connecting in sending data out. This includes timestamps and this includes the potential protocol that is used. If you're using SSL, if you're using FTP, if you're using any sort of protocol that is being connected to that machine, it will highlight that protocol. Now, it may not say the specific name of the protocol. It may say port 53, which obviously would be DNS, but it's going to give you that there are ports involved as it relates to the network and what's coming and going from that system Files. They also can contain a variety of information. Most people utilize emails for connections and for communication, so that's where malicious content can come in. This is also, if you're dealing with an insider, the data that leaves and this person then attached that data. The files themselves. These store the documents, the images, the databases and so forth. And then these these actually can be checked for tampering. Now they'll have date timestamps as well, and they'll also have metadata that is associated with them. They may have malware as well, but there's lots of different things that a document or a file may come in with. The other one is memory dumps. In some cases, you, an investigator, may be able to get a snapshot of the memory or the RAM. Now, understand that RAM memory is extremely volatile, and so, therefore, you may or may not get much out of it, but depending upon when it was shut down, depending upon if the investigator has the tools to be able to pull memory from RAM, that could be an option for you as well. So it just a lot of. The RAM is one of those likes. It's like the cherry on top, it's extra. You usually get very little out of RAM, but sometimes you can get something very, very important out of the RAM memory. Mobile devices again, smartphones, tablets these all can be a wealth of information as relates to the data that's coming and going from your network. Another thing that we I try to work really hard in protecting against is the various applications that are on a network. So you've got your WeChat, you've got your Google drives, you've got anything that is providing a connection outbound, whether it's a traditional app or whether it's an API connection. All of those can be used as some form of digital evidence as well. Now, the importance of digital evidence is really in an invaluable piece of information when you're doing a modern investigation, because so much of our daily activities take place on digital devices, and I've read an article where it said around 70% of users will utilize their mobile phones over a normal computer, and I believe that completely. That is a big part of my life Now, even though I'm recording this on a laptop. The interesting thing is is that I was on my phone last night during my event, when my Kona event with my daughter was actually she was one that was selling the shaved ice. I was able to look online for some aspects for Kona that I wanted to do for her business, my wife's business and I was on the mobile device. I was using my laptop a little bit, but it wasn't as easy to do that, so the mobile phone itself is a valuable tool. Now. These devices can provide a trail of digital evidence that can be analyzed and potentially used, obviously, in the court proceedings there. You'll see various tools out there that can go and potentially pull data off of phones. Now, if you go to a movie and you'll see that someone just plugs something into a person's phone, trying to pull the data off of it, there are tools out there that can do that. However, from a security standpoint, the biometrics that are associated with a standard phone are pretty solid and they are one of those that you're not really necessarily going to get away from. If you know the person's obviously their passcode, or if you know their biometric, you know you have their face and they're able to unlock their phone. Yeah, once you get it unlocked, then all bets are off. But just trying to break into someone's phone, the tools that are out there that can potentially help in that space are extremely expensive and they can do it in some rare instances, but in most cases, the amount of there are no tools out there that can actually break through your passcodes that you have on your phone, which is a great thing, right? We want that private level of privacy to protect us. Now, the process of gathering, gathering evidence does need to be very meticulous and it needs to follow very specific protocols to ensure that you maintain the integrity of the data itself and of the overall process. So, as an example, as you go into a court of law and you're sitting in the court and you did not have a very good method by which you were extracting this data and maybe it changes from one situation or one scenario to the next the attacking defense or the prosecution can make a point and say well, if, how do you know that you did it right this time? So you say you did it this way and you say this evidence came from this device. But every time you do it, when we asked you on a cross examination, you did not give us the same answer on how you pull the data off of that device. So what you're saying is you have multiple ways of pulling it off. There's really no standard way that you try, no theoretical format that you go through. You just kind of try whatever works and if you do that, you're probably not going to be able to use that evidence in court. And again, I'm not a lawyer. Everything I'm telling you here I'm not a lawyer, I'm not giving you legal advice by any stretch of the imagination. I'm just trying to tell you it's from a forensics and admissible court issue. You could run into problems with your evidence because the fact is that you did not follow a standard path in a standard format. Now, when it comes to digital evidence, the challenges that are associated with this, there is a lot of things that come into it. One is a large volume of data that needs to be gone through I mean, it can be overwhelming and that can be extremely challenging when it comes to just trying to figure out what is something you want to put into court and what you want to actually talk about. The other thing is the data can be changed or deleted or modified, and because that can happen, because it's so volatile, because it is so fragile, then you have to have that same set of very specific criteria by which you store it and which you then retrieve it. It's very possible that when you go in to deploy or send this data into your repository, if you copy it in the wrong method, you could end up corrupting the file and giving it, potentially putting the wrong extension on it, and now it's not usable. It's a very strong process you have to follow if you're going to try to put digital evidence into a storage locker or storage location of some kind. Another challenge that's involved is the fact that the technology as it's changing so quickly. It puts data in various locations. So what does that mean? Well, okay, so say, if you buy a laptop that is an Acer laptop, you in most cases it has Windows installed on it. Windows puts its log files in certain spots. The Acer laptop it may have its system logs in a certain location. Then you buy a MacBook. Well, the MacBook has a different OS. So now you're dealing with that OS puts its logs in a certain location and the Mac hard or laptop stores its system files in a different location. And then you buy a. Someone buys a phone that is maybe a knockoff or one of these more, these throwaway type phones. Where do they keep their logs at? That isn't typically in a standard location. A lot of times it's based on the actual manufacturer of where they store the logs. So you might be in a situation where, since they have these various logs that are that are created from all these devices are put in places where you just probably don't have. You don't know where they're at. So it's really important that you understand that when you're getting this data in, you're going to need assistance. You're probably going to need somebody that does this for a living to help guide you in the direction of where the data is stored Highly. What this highly would happen, or what would typically happen, that's not really a word. What this would typically happen is, if you needed someone to come and do the evidence collection for you, you probably would hire a third party to actually follow through with the chain of custody with proper protections of the data. You probably would not be you that's doing this. Now, again, depends on the company you work for, but you most likely would hire a third party to help collect all this information. But you, as a security professional, need to understand how do you, once that you get that information, what do you do with it? You also need to understand how this process works so you can challenge people to ensure that they're doing it the right way. So, again, you are most likely not the person collecting the information off of these individual devices, but you're gonna be the person that's going to accept it once it's done. And if that's the case, you really need to understand how it is being accomplished. So now, when you're understanding that kind of topic, we're talking about is digital forensics. When you're talking about digital forensics, you need to understand what is forensics. Now, if you look on TV, there's all kinds of shows out there about some sort of CSI this and forensics that, and it all varies from country to country location to geographic location, but overall, cyber forensics is the process of identifying, preserving, analyzing and presenting digital evidence in a legally admissible manner. Now, the purpose behind this, though, is it's not only for detecting and responding to attacks. You must keep this data as legal evidence to prosecute individuals who may have perpetrated this act against your organization. So you really need to understand what is this forensics thing? How does it work? Well, there's phases of digital forensics, and there's really four key phrases phases. Now. The four key phases are acquisition, analysis, reporting and presentation. So, again, the four key phases are acquisition, analysis, reporting and presentation. Now, acquisition this is the first step of the overall journey, and it's designed for you to help collect the various information from sources like hard drives, servers, cloud storage, mobile devices you name it. It's designed as the acquisition piece of it, and gathering all this information up Now it can be done in a way that does not. It must be done in a way that does not alter the data from its original form. One piece of information or guidance around this is if you collect any data. That is like, say, you take a server, you pull the server, you have it. There's something on the server when you're doing any sort of forensics of that server. The recommendation is now again, I'm not a legal person give you legal advice. I would recommend you find someone with legal advice on how this is to be done from their standpoint. I'm just giving you advice based on my little limited knowledge that I have is a lot of times folks will actually make a copy of that overall system. By making a copy of that system, they now can end up you do whatever data you can do scanning on. You're actually doing it on a system that could potentially be a mistake, could be made, so you're making a clone of that system. So it's really important that you kind of figure that part out and potentially do that. Now, when it comes to analysis, this is the stage where forensics analysts review the data, looking for specific patterns, activities and any potential evidence that they may be able to acquire and be used in court. Now the goal here is to reconstruct the past events and understand the nature of the incident. So, like you see on TV and these various law things you want to be able to get this evidence and look at it in a way and rebuild what potentially occurred. When did the malware come in? When did Bobby click on the malware? What did the malware do? When did the malware send data outside your organization? How much data was sent out of your organization? Where did it try to connect to? All of those aspects are things that you can start pulling out of the analysis phase of the forensics. Now the next one is reporting. Once this analysis is complete, a detailed report is generated and summarizing the overall process. Now, understand the analysis aspect can take some significant time. It may this will not happen overnight. Now you may have a situation where this scanner is working on a, just a server itself, so you pulled that server. That alone may take process of days for it to determine what's actually on that system. If you give it to a third party, they may want days with it as well as they go through their overall process. So again, understand that you this is not going to happen overnight. Now this report should be as we talk about here at CIS's Peace Ever Training. You should build this at the third grade level. So what does that mean? It needs to be understandable to non-technical people and must clearly present the chain of custody and the steps taken to ensure that you maintain the integrity of that data. So, basically, what it comes down to is is you need to be able to break it down so that, if there's a, I'll give you an example. I did a tabletop exercise with a location and I walked through this tabletop and as I was going through this tabletop, I had some IT slash, very little bit complex terms that were on this tabletop, and these terms that were on this tabletop one of the individuals is. English is not their first language, first off. Second, they ended up they looked at this IT stuff right, that's really basically what it was and they said I don't understand what that is supposed to tell me, and so the point of around this all is is that you have to break it down to a level they understand. Now, it was good to have that technical data in there, but one of the pieces of feedback that was actually really valuable was the fact that I didn't have it in a format that they could truly understand. So you need to make sure, whatever report you create for a digital forensics, you have it in a format that people can understand and it's actionable for them. The next one is presentation. Okay, so when you in this phase, the analysts must present their findings to the necessary parties. Now, this could be the legal team, this could be law enforcement, could be internal management, could be whoever, but you need to have the ability to present this to individuals the remaining people that need to have this information. You must present it in a way that makes total sense. Now, I've had various situations where companies I've worked with have been have had issues, right, you've had an event that occurred and then, in this event that occurred, you ended up going through and you said you went through how it was found, where did the data come from, who was the attacker? All of these aspects. That's the same concept. Now, whether it's a fully digital forensics kind of report or whether you are walking through the overall timeline of how it occurred, you're going to have to break it down in a way that is extremely easy to understand. Do not make this over complicated. We, as technical folks, think that because we're technical, everyone else is technical and therefore we build it at a level that we feel, okay, that's a much easier method to read, right. So I've said this to myself. I'll build a presentation and I'll say, yeah, I can understand that If that's a pretty simplistic look at it, I think I'm good. When you think that, break it down one more, because every time I think that it ends up being too complicated for the person that I work with. Now we're going to get into a kind of readiness planning. So forensics readiness planning involves ensuring the organization or the company you're working with has the required tools and the processes and, finally, the policies to make or to basically place and conduct an assessment or a forensics investigation. So you need to have in place these various the apps that you need for it. You need to. What is the process in the event that? Okay, so say, you get something, comes in and says Bill copied a bunch of data and shipped it to wherever, uploaded it to wherever. You have to have a process going. Okay, how do I seize that device? How do I go through and start collecting that information? You have legal, you have HR, you have compliance folks, typically, that you will have to work through. You cannot just go in and grab it, right. The CEO comes up to you and says hey, sean, we have a problem with the computer and we need you to grab it. Okay, I would not recommend doing that. I would recommend talking to your legal, talk to your compliance, talk to your HR, talk to the right people involved before you go and grab that computer. The reason I say that is is there might be some sort of HR type activity where you have to give notice. Depending upon the location where you're at, you may have to tell the employee hey, I got to take your computer. You can't just be surreptitiously going out and grabbing people's computers. You may have to actually follow a process and you should have a policy in place on how to actually do that. I hope that makes sense. Do not, as the IT person See, they're going to come to you as a CISSP and you are the person they're looking to. Don't just go out and grab that computer. Now. This includes when you're coming to writing this planning. It also includes your staff, your chain of custody, suitable storage locations where you're going to keep it. What is the processing power to handle large amounts of data? So say, you get gobs of data you've got to go through. Do you have systems that can deal with that? And then, do you have a detailed incident response plan in place. Lastly, your digital forensics tools. They're I mean not lastly, they're the next one I should say there's one or two more right, or one more, so there's three total. So when you're dealing with digital forensics tools, there are numerous tools available that you can use. Now, some of the popular tools that I've dealt with is in case I've worked with in case before, I've worked with FTK and then more of a little bit lower level, which it works really well but most people don't consider it a digital forensics tool is Wireshark. There's another one called Autopsi, autopsi, I can't whatever. When someone dies you do an autopsy. There you go, autopsi, that's the other one. So, in case, ftk, autopsi, Wireshark those are some various digital forensics tools that are out there that you can use. Just know, a digital forensics tool is not inexpensive. It is expensive, typically like in case when I was working some of those aspects, that was like $100,000 just for the licensing. Now I'm sure they have lower tier options available, but just know that getting a digital forensics tool can be a bit expensive. Now challenges when you're dealing with digital forensics, again, it's a complex field with numerous challenges evolve. It's rapidly changing. There's encryption, there's data volumes, there's anti forensic techniques. You have actually have your biometrics that are on phones. There's also legal and ethical considerations, like we talked about earlier. You must consider when you're dealing with digital forensics of some kind. You need to understand what are the local laws around forensics and the collection of data. This is where it's important to get good of guidance and advice from your HR, legal and compliance folks. Again, your good forensics process must be flexible and adaptable to meet any challenges that you run into. Okay, so here's some legal concepts and terminology as it relates to digital evidence. So we talk I hear me talking a lot about chain of custody. The chain of custody refers basically to the chronological or the order of documentation of the evidence. This is showing the seizure, the custody, the control, transfer, analysis and then the overall eventual disposal of the evidence. It's crucial that you have this integrity chain already defined and you have it well thought out, because in the event that something happens and you start grabbing data, are you following your chain of custody? If you don't follow a chain of custody, it does potentially put that evidence being submitted into court in jeopardy. It doesn't. Now I say that it doesn't mean it can't be presented as evidence. It just runs the risk that your, the counter, the prosecution or the defense could look at your process and say we don't want to include it as evidence because this person didn't do a good job. So that's an issue that you can run into. Any breaks in the chain of custody again could make your evidence inadmissible in court, and that's a key point. Legal hold Now. Legal hold is a process in which an organization will keep the data because litigation is probably likely, which basically means if you think you have a situation where an employee and they were doing something wrong and you think there is the possibility that this employee there may be legal actions against them, you may want to put the information that they have in legal hold, which means it's put off to the side. You have to hold on to it as it could be used in a future legal battle, and so therefore, you must keep it in a protected environment in the event that it's needed. Now, in terms of digital evidence again, this could be maintaining email archives, it could be preventing or deletion of files or even retaining specific versions of the software that may be relevant to the case you're putting on. Now I've had to deal with legal hold multiple times, and legal hold basically means I have the lawyer reaches out and says any data that you had, any emails, any communications, any data that was collected off of this server with any communications with this individual all of that is all kept aside and stored in a location where I can readily pull it up and that potentially could be admissible in court. Do you want to make sure that, if that's the case, you don't delete those files? Another point that is really important is if you did delete any files let's say you had, you'd didn't know this legal hold was coming. You deleted a bunch of files. Then the legal hold comes in. You need to make sure that you go out to your deleted section and you look for any files that could potentially be there related to the case. So again, you got to look everywhere when you're pulling these files in and putting them in a specific location. Admissibility of evidence what is that? Well, digital evidence has to be admissible in court, which basically means the court's just not going to allow anything to be dropped in there to really muck it all up, to mess up the proceedings. So it needs to be relevant to the case at hand. So, as an example, if Bill Smith is sending his information out and he sent company information to a location in China and you'd have the logs for that. You have the details that he sent. You have all kinds of information about Bill Smith. But because Bill Smith communicated with Jenny Jones, you then went out and grabbed all the information on Jenny Jones. You didn't just grab the information where he sent specific type information to Jenny, you just grabbed everything. Well, that would probably all of Jenny's information probably would not be admissible in court because it may not be relevant to the overall case. Now, if there was an email or if there was data shared with Jenny that was relevant to the case, yes, that would be admissible. But in the case of that specific scenario that I just said, most cases Jenny's information would not be admissible in court because it's not relevant. Now you also need to understand that the material that you're planning on bringing in it also must be able to be reliable. It must have the ability to have authentic. It must be authenticated, it must be authentic, it must have the integrity, must be verified. All of those parts need to be followed to make sure it could be admissible into court. Now it also must be collected and handled again following very legal procedures. One, you should have them documented. Two, you should have legal look at them. Three, you should make sure legal looks at your chain of custody and that you have that established. And then you must follow that overall process when collecting this information. You can't just say, hey, bob, go grab that. Go grab Bill's phone. Now if Bob didn't get any sort of detail from the lawyer saying, hey, bob, I need you to go pick up this phone, based on our policy we have, bill cannot use his phone for personal use. Well, okay, you have a policy set, you situated, you have legal that has said go collect it. Okay. So then you probably have communications back and forth that are under attorney client privilege. You probably have you know specifically what phone to go get and then you have that process already defined. That would be a situation. And then you have the order that's stating from your lawyer to you, to Bill, to go pick it up. So then all of those things can be put in court where they can show that, yes, the lawyer told Bill to go get it. Bill went and got it. Bill came back, sent an email, put it into the vault, documented how he put it in the vault, and so there is just basically that entire process by which you were able to collect the information that would be making it allow it to be admissible as evidence. The next term is hearsay. Now, this is refers to an out of court statement that is offered in court as evidence to prove the truth of the matter asserted in the statement. So what does that basically mean? What basically means that you made some comment outside and you basically said that I'm trying to think of an example where you had a situation where I can't even come up with one, but you basically you said that Bill has mentioned on his phone that he sent a picture or sent a copy of the company's super secrets to Fred. He made that comment, or you heard somebody with that comment. That would be a hearsay. That would be. You heard somebody say it. You then are going to turn around and put that into court, right? So, as it relates to digital evidence, when you're dealing with an email or text message, this could be considered as hearsay, right? So if you have a text message from somebody, that could fall into the hearsay bucket. Now, in such as digital communications, they do fall under exceptions to the hearsay rule, making them admissible in court, whereas when you're coming to, sometimes you may say something. You may overhear a third party make a comment that, yes, I plan on going to kill Bill. Well, is that going to be relevant for your case? Maybe, maybe not. I don't know. If Bill got killed, then maybe that would be. But if you hear that and Bill doesn't die and no one's actually after Bill, maybe not. Again, the point of it is is that you're dealing with emails or text messages. Because they're not directly coming from the individual, they could be admissible in court because they are a digital communication and they're more of a written evidentiary kind of thing. Again, the rules can be around. Hearsay can be complex and vary by jurisdiction. Again, throwing out the plug, I'm not a lawyer, so you need to go find a lawyer if you really want to get this information, or you can even look it up, obviously on chat, gpt, because it is a lawyer and it will tell you what to do. No, but what I basically come down to is you need to make sure that you understand your environment before you go out and start just grabbing data. Now the CISSP is going to get into different aspects, but they're going to be focused more on what is hearsay mean? What does admissibility of evidence mean? They're not going to get into jurisdictional type activities, so don't get too far into the weeds around what that is specifically saying, because it won't really help you. There's the Daubert standard. This is a test. What's used to determine whether expert witness testimony is admissible. Now consider factors like testing, the peer review of methods used, error rates, existence of maintenance records, standards controlling operations. Again, it's a very. It's designed to help kind of determine if a witness testimony would potentially be admissible. And so you might get that question that comes up is what is the Daubert standard? And now this happens in the United States federal courts, which obviously, if you're trying to take the CISSP in Netherlands, that will probably not make a whole lot of sense. So what should you do? Just memorize the point, okay. So if it comes up you can kind of break it down, and if you don't know the answer again, throw out the ones that you know for sure are false and then at least break it down to a point where you feel confident you can make a good educated guess on the question. Next one is a FRI standard. This was before the Dahlbert standard and this was used in US courts to determine the admissibility of scientific evidence. Okay, so the evidence in question must be generally accepted by the scientific community. So really, what it comes right down to is is if you came up and said I believe quantum mechanics allows you to do time travel, well, that probably would not be accepted by the scientific community, so therefore it would not necessarily be admissible into court. Whereas if there's something saying yes, the Sun throws out heat towards the earth, it takes three days to get here and then if you're outside too long and you don't have sunscreen on, you will fry, okay, that's probably accepted by the scientific community, so therefore it would be acceptable in court. Okay, but again, that's. Those are very generic and third grade level kind of conversations. But that's trying to drive the point home. Now. A note I want to bring home here on this is that even though digital evidence is used in a legal context, it's not enough for the evidence just to be collected and analyzed for it to be admissible. You must also meet the appropriate legal standards for it to be used effectively in court. Basically, you need to have legal advice on how you do any of this. Don't just go out and try to go rogue and just think I can collect this because I watched CSI on TV. Do not do that, that you will not be happy or your legal team and your CEO probably will not be happy with you if you do that. So now we're understanding ethical implications of digital evidence collection. So what are we talking about here? So, as we're talking about the various aspects of legal and ethical implications, we're going to understand. There's really five main considerations. So first one we're going to get into is understanding privacy laws. Then we mentioned in the CISSP and you can go to CISSP cyber training and you can get some more context around this. But there are various privacy laws available to you. So you have the GDPR, your general data protection regulation. This is in the European Union. You have the California Consumer Privacy Act, which is CCPA. You have the Privacy Act of China, which is called PIPL. It's a personal identifiable privacy legislation. I think that's what it is. Pipl. Those are all privacy type laws that are in place to help protect the consumers, protect the state, but bottom line is they call out what is privacy and what can you do with the data and what can't you do with the data. Violating these laws, especially during evidence collection could lead to significant penalties and even render your evidence totally admissible in court. So you must. This isn't, it's a dance, let's just put it this way. You cannot just go out and grab information. This is why legal compliance and HR are so important, because when you're going to collect evidence, I'm asking my compliance folks is this under a privacy standpoint? Is there anything I need to keep in mind? Do we need to let them know? All of those pieces need to be followed, because if you don't, you could put yourself again in a fine. You could put yourself in a situation where the data is not even admissible in court. So you do need to understand privacy laws. As a security professional, short of dealing with cybersecurity as a whole, I'm dealing with privacy a lot, and you will deal with that as well. The Computer Fraud and Abuse Act Okay, so this is one that based on the United States, obviously, and the CISP, as you all know, is kind of slanted towards the United States. There aren't a lot of questions that focus on the US, but they are in there. But when you're dealing with the Computer Fraud and Abuse Act, most countries have a very similar type of legislation. It obviously won't say the exact same words as this, but as countries are getting into more of this cybersecurity, they are trying to push into how do they make changes to their legislation to help deal with the overall data and the digital environment. So this is the. The CFAA makes it illegal to intentionally access a computer without authorization and this act is relatively old. I mean it's new, but it's also old. Before the CFAA there was the Wiretapping Act and there was also where they used Morris Code. You know the teletype, I can't think of the name of it. But the bottom line is the CFAA is it was put in place to try to help as we're going through these various digital devices. How to deal with legal issues. Now the law has implications for digital forensics and evidence collection, as unauthorized access during an investigation obviously could have legal consequences and it could throw your evidence out of court. So what does that mean? That means if you grab somebody's phone, you plug it into one of these scanners and you suck down all the evidence on it. If they didn't give you the authority to do that, if they didn't say you could go do that, you can't do that and anything that you take from that phone or that device will be inadmissible in court, which basically means it's a. The person was an individual who liked to go out and pluck feathers off of ducks and you wanted you had a cruelty to animals case and you got his phone or her phone and you saw him or her physically plucking feathers off of ducks and you wanted to admit that into court. Well, because you didn't ask their permission, you can't admit it. So that person will continue plucking feathers off of ducks. It's because you didn't do the right job, but that's a very generic term, right? Obviously, that is a simplistic, childish kind of thought process. Unfortunately, very unfortunately, there's a lot of bad stuff that people do with their phones and with their devices that hurt people. So therefore, it's imperative that you do this right so that you can collect the right evidence in the event of something bad might happen. I've got a friend that does digital forensics and they deal with all kinds of things related to children terrible, terrible things and so you don't. When you have a case like that, you do not want to lose that evidence. So therefore it's imperative that you do it the right way, because you don't want it to be thrown out because you didn't did it the wrong way. The Electronic Communications Privacy Act. This is a US Electronics Communications Act that protects electronic communications, including email, from all the authorized surveillance and disclosure. I say that, but there's also lots of other things that happen in the United States where people collect data on us. I think your country's probably the same, so you got that Protection Act, but then you also had the Patriot Act, which kind of circumvented a lot of these other acts and allowed it to collect information on people. But the Electronic Communications Privacy Act is one. Another one is a Data Breach Notification Laws. In the event that there's a data breach, you're going to have to notify people, and there are sometimes regulatory bodies that will have to be notified in the event that you're dealing with personal data that has been breached. Chinese have this right. If you have data that has been breached within China, there are situations where you may have to tell people that this occurred. So therefore, you need to understand what are the laws in your jurisdiction about privacy and around data breach notification. There might be require faster reporting in some of these than others. I've had one where you had to give a 30-minute notification of any indication of a breach. That's impossible, right? Because what does that mean. Those are pieces that you're going to have to work through. And then the last thing is ethical considerations. When you're dealing with digital evidence collection. Now, these can include respecting privacy, ensuring transparency, also obtaining informed consent when necessary. Again, you may have to have consent to be able to collect those logs. Now, what typically I've seen in the past is when a person comes on to an organization, they will sign documentation saying that you are being monitored and therefore, by signing this, you allow evidence to be collected in the event of something that could happen. That's usually the best time to do it, however again, not a legal person but you need to figure out what is best for you and your organization. You need to be transparent with people that you're telling them that you're collecting data. That doesn't mean you need to tell them I'm collecting user name, I'm collecting the type of computer I'm to collecting the time. You don't have to tell them all of that, but you do need to have legal advice on what exactly you're going to collect and let the people know. In most cases, you have to let them know what you're collecting on them, but if you do it at the beginning, people forget. They don't really know. They kind of expect it in some cases. So you just make sure you have those policies in place to protect both the individual because, again, at the end of the day, we really want to protect people from other people and from other situations. We're not trying to get people basically put entrapped people. That is not what we want. We want to protect our individuals. We want to protect our company and protect the data that you are being entrusted with as a security professional. All right, that's a lot, but when it comes right now to it, it deals with digital evidence. There's a lot of things in there. Now this is a guy on domain seven, seven dot one of the CISSP. If you want more information, you can go to CISSP cyber training and there's a lot of information out there for you. If you're studying for your CISSP and you have questions or you want to study questions for it, you can also go to free CISSP questions and log in and you'll get access to 30 free CISSP questions every single month to help you study for your CISSP exam. That'll come to you every month. You're basically going to become part of my organization, of the training that I have, and you will get every month 30 more questions that will be dropped into the bucket that you can then go access. All right, I hope you all had a wonderful day and I hope you enjoyed data when it comes to data of digital forensics. But that's all I got for today. We'll catch you on the flip side, see ya.


CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!