CCT 312: From Kimwolf Threats To Chain Of Custody: What Security Leaders Must Know
Jan 05, 2026
Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv
Your TV, camera, or even a smart bird feeder can be a beachhead for attackers. We dive into the Kimwolf botnet and expose how low-cost IoT turns into residential proxies that scan, DDoS, and quietly pivot across your home or enterprise network. From weak defaults and exposed ADB to shady apps, we call out the telltale signs and the simple architecture changes that shut the door: dedicated IoT VLANs, strict egress controls, and logging that actually sees what leaves your network.
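The egress and lateral-movement monitoring described above, as an added example that is not from the episode or from Krebs on Security. It assumes a constructed flow-log layout (`src dst dport proto bytes`), invented VLAN ranges, an invented per-device allow-list, and the Kimwolf traits the episode names (ADB on TCP 5555, DNS changes, internal scanning, unexpected outbound traffic):

```python
"""Egress and lateral-movement check for an IoT VLAN over constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Network layout and allow-list are assumptions for this example, not from the episode.
IOT_VLAN = ip_network("10.20.0.0/24")        # dedicated IoT segment
CORP_VLAN = ip_network("10.10.0.0/24")       # trusted segment (corporate or home)
APPROVED_RESOLVER = ip_address("10.20.0.1")  # the only DNS server IoT devices may use
ALLOWED_EGRESS = {                            # per device: (dst, port) pairs it needs
    "10.20.0.50": {("203.0.113.10", 443)},   # e.g. bird feeder -> vendor cloud
    "10.20.0.51": {("203.0.113.20", 443)},   # e.g. picture frame -> vendor cloud
}
SCAN_THRESHOLD = 3                            # distinct internal hosts before "scan" fires

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int

def parse_flows(lines):
    """Parse 'src dst dport proto bytes' records (a constructed flow-log layout)."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        src, dst, dport, proto, nbytes = parts
        flows.append(Flow(src, dst, int(dport), proto.lower(), int(nbytes)))
    return flows

def check_flow(f):
    """Return an alert string for one flow, or None if it is within policy."""
    src, dst = ip_address(f.src), ip_address(f.dst)
    if src not in IOT_VLAN:
        return None                                   # only IoT sources are policed here
    if dst in CORP_VLAN:
        return f"lateral: {f.src} -> {f.dst}:{f.dport} crosses into the trusted VLAN"
    if f.proto == "tcp" and f.dport == 5555:
        return f"adb: {f.src} -> {f.dst}:5555 looks like ADB over TCP/IP"
    if f.dport == 53 and dst != APPROVED_RESOLVER:
        return f"dns: {f.src} queried unapproved resolver {f.dst}"
    if dst in IOT_VLAN:
        return None                                   # same-segment traffic (gateway, resolver)
    if (f.dst, f.dport) not in ALLOWED_EGRESS.get(f.src, set()):
        return f"egress: {f.src} -> {f.dst}:{f.dport} is not on the device allow-list"
    return None

def audit(lines):
    """Per-flow alerts followed by per-source scan alerts."""
    flows = parse_flows(lines)
    alerts = [a for a in (check_flow(f) for f in flows) if a]
    touched = defaultdict(set)
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if src in IOT_VLAN and (dst in IOT_VLAN or dst in CORP_VLAN) and dst != src:
            touched[f.src].add(f.dst)
    for src, hosts in touched.items():
        if len(hosts) >= SCAN_THRESHOLD:
            alerts.append(f"scan: {src} contacted {len(hosts)} internal hosts")
    return alerts

# Constructed sample flow records, not real telemetry.
SAMPLE_FLOWS = """
10.20.0.50 203.0.113.10 443 tcp 5120
10.20.0.50 10.20.0.1 53 udp 90
10.20.0.51 10.10.0.7 445 tcp 2048
10.20.0.51 10.10.0.8 22 tcp 120
10.20.0.51 10.10.0.9 22 tcp 120
10.20.0.51 198.51.100.9 5555 tcp 400
10.20.0.50 198.51.100.53 53 udp 80
10.20.0.51 192.0.2.77 8080 tcp 90000
10.10.0.7 203.0.113.10 443 tcp 100
""".strip().splitlines()

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS):
        print(alert)
```

The same policy can be fed real NetFlow or firewall exports once the parser is adapted to their field layout; the point is that an IoT device has a small, known set of legitimate destinations, so anything else is worth a ticket.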
Then we switch gears into CISSP Domain 7.1 and break down what a defensible investigation looks like when the alarms go off. Evidence collection starts with a mindset: don’t touch originals, document everything, and assume you’ll need to defend the process in court. We cover IOCE-aligned practices, creating bit-for-bit copies with hashes, and when to engage a forensic retainer so you are not building a plan mid-incident. Memory captures, media recovery, network telemetry, and software analysis all play a role in reconstructing the timeline and proving what happened.
Legal readiness sits at the core. We talk about involving counsel early, understanding insurer-approved panels, and mapping out rules of engagement for interviews and device access in your IR policy and onboarding. We clarify evidence authorities—voluntary surrender, subpoenas, and search warrants—plus the three evidence types and how chain of custody preserves admissibility. By the end, you’ll have a clear blueprint: segment IoT, monitor outbound traffic, and run investigations that survive scrutiny.
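The bit-for-bit copy, hash and chain-of-custody practice summarized in the two paragraphs above, as an added example that is not from the episode. File names, custodian roles and the log layout are assumptions, and the "evidence" is a constructed byte string written to a temporary directory:

```python
"""Image a piece of evidence, prove the copy matches, and keep a custody log."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large image never has to fit in memory

def sha256_file(path):
    """Hex SHA-256 of a file, streamed from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def bit_for_bit_copy(original, copy):
    """Write a byte-exact copy of the original (the working copy analysts use)."""
    with open(original, "rb") as src, open(copy, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)

def verify_copy(original, copy):
    """True only when original and copy hash identically."""
    return sha256_file(original) == sha256_file(copy)

class CustodyLog:
    """Chain of custody with one responsible custodian who authorizes every action."""
    def __init__(self, custodian):
        self.custodian = custodian
        self.entries = []

    def record(self, action, path, actor):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "item": os.path.basename(path),
            "sha256": sha256_file(path),   # hash taken at the moment of handling
            "actor": actor,
            "authorized_by": self.custodian,
        }
        self.entries.append(entry)
        return entry

    def intact(self):
        """True if every recorded hash is identical, i.e. nothing changed between handlings."""
        return bool(self.entries) and len({e["sha256"] for e in self.entries}) == 1

    def dump(self):
        return json.dumps(self.entries, indent=2)

def demo(tamper=False):
    """Run the workflow on a constructed evidence file. Returns (copy_verified, chain_intact)."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "memory_dump.bin")   # constructed evidence, not a real dump
        copy = os.path.join(d, "memory_dump_copy.bin")
        with open(original, "wb") as f:
            f.write(b"constructed memory dump contents " * 1000)
        log = CustodyLog(custodian="lead examiner")
        log.record("acquired", original, actor="field technician")
        bit_for_bit_copy(original, copy)
        log.record("imaged", copy, actor="field technician")
        verified = verify_copy(original, copy)
        if tamper:
            with open(copy, "ab") as f:        # simulate an unrecorded modification
                f.write(b"X")
        log.record("analyzed", copy, actor="analyst")
        return verified, log.intact()

if __name__ == "__main__":
    print(demo())              # (True, True)
    print(demo(tamper=True))   # (True, False)
```

A real acquisition would hash the original before anything else touches it and store the log somewhere the examiner cannot silently edit; the `tamper=True` run shows how a single unrecorded change surfaces as a hash that no longer matches the earlier entries.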
If this helped sharpen your security playbook, subscribe, share with your team, and leave a quick review to help others find the show.
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
SPEAKER_01:
Good morning everybody. It's Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is CISSP Monday, and we are going to be walking over various CISSP questions, or not questions, that's just content related to the CISSP. And today's topic is going to be on domain 7.1, understanding and complying with investigations. So I hope you all had a wonderful Christmas and I hope you all are doing just amazingly well going into 2026. But if you are listening to this podcast, we are now going into 2026. And so I anticipate that if you're listening to this podcast, you are interested in getting your CISSP complete. And therefore, that's why you're here. So we're here to help you in 2026. But before we get into the content we're going to talk about today, I wanted to do as we typically do, go over an article that's related to cybersecurity leadership and the overall pieces that are related to the CISSP exam. Okay, so today's article is over the Kimwolf botnet from Krebs on Security. So if you haven't paid attention to Krebs on Security, it's an amazing article that you can get from him. He's been in the business for quite some time, like 20 plus years, and does a really great job on investigative reporting. Highly recommend him, highly sought after as an individual who can provide that kind of great information that he has. So if you haven't signed up for his newsletters or for his emails, I highly recommend you go do that today. Now the Kimwolf botnet is focused on IoT type devices. And if you look at this video, you can see that it's in various countries around the globe, but it's primarily in India, the Middle East, Russia, the United States, and some parts of South America. This botnet is designed to take over the IoT devices that are within your network.
These can include Android TV devices, cheap IoT type devices that are put in your network, such as your picture frames, those types of things. And then devices with poor patching and weak defaults. So as we talk about so often in CISSP Cyber Training, when you go into an organization, you want to go in and change the default passwords of anything that comes in, especially any new application that comes into your organization. And if it has a default password that is like admin or password, you definitely want to get rid of that as soon as you possibly can. Now, how does this thing work? The compromised devices are turned into residential proxy nodes. And so what actually happens is the mothership, let's say it's coming from China or wherever it might be, wink wink, will then utilize the network that you have. It'll utilize the devices that are on your network, and it utilizes the bandwidth within your network, and it will then target whatever it wants to target from a botnet standpoint around the globe. And so it utilizes the devices you currently have as a weapon against whatever they want to use it against. So it's really awesome. I mean, I think it's brilliant. I've been talking about something like this for years, that I knew it was going to happen and become more mainstream. And so, well, guess what? It started to become more mainstream. And so therefore, it's happening against your residential systems. Now, how this can be dangerous: obviously, it can scan your internal networks, it's also using your internal networks as a DDoS tool or as a botnet of some kind. It can modify your DNS settings, and then it also can pivot to higher value systems within your company, or within your home as well. And then a single infected guest can expose the entire local network.
So we've talked about this, and if you listen to Security Now or any other of those podcasts and what we've talked about on CISSP Cyber Training, you really truly need to have some level of segregation between your IoT type devices and your internal network. And if you look in the video, these are some of the devices that are out there that have been compromised, different types of things. You know, you've got little routers, you've got music machines, anything. And they said one of the big key indicators is that if it has a really wonky app that you log into with your phone, that is one of those aspects that you can definitely run into as well. So it's just an aspect where you really truly need to understand what you're installing on your network. Now, my wife, she actually has a bird feeder that has a really wonky app, and it probably is one of those things that's providing this to the attackers, whoever they are. The great part is that I have that segregated on an internal network. It's on a VLAN by itself, and it can't touch my other stuff. So it's an important part that you do this. Some things also that you want to consider when you see this coming in: if it has ADB enabled by default, you want to turn that off. There's no auto-update mechanism, or it's hard-coded with weak credentials. So all of those will be kind of a key indicator that there might be something nefarious with this product that you're getting. What ADB is, is the Android Debug Bridge. It's basically used for device debugging, app installation, and then shell interaction. So they leave this on and they utilize that as their tool to help expose more of your internal network.
One of the things that they said that was interesting in the article is that it becomes the root cause because it can expose ADB over TCP/IP port 5555, so basically quad fives, instead of using the USB. And it doesn't require authentication when your ADB is exposed over the network. So the main thing is, if you're gonna put this on your network, you should obviously segregate it to its own IoT network. If you haven't done that already, create an IoT network within your network and place all of these IoT devices in there. I would also have very strict requirements on what they can talk to on the internet. Obviously, some of these things need to talk to the internet, but I would have a good understanding of what is actually going out to the internet and what's going out of your network specifically. So some of the things you can do, we talked about, is LAN and trusted zones; guest Wi-Fi without segmentation obviously is extremely high risk. And then consumer IoT devices introduce enterprise-grade threat exposure, and they do because you're now allowing all of these little microcomputers into your network, whereas in the past, they physically had to have a box. And when I was in the red teams, we actually spent a lot of money creating an APC, you know, and this is an auxiliary power type of thing, right? It was a battery backup, and people had them on their computers and their desktops for when power surges went out and they didn't want to lose their data at that time. And so we would actually pull the guts out of an APC and then put in a wireless card. Well, now you are doing that specifically with an IoT device that has internet access. And this thing can be the size basically of a half dollar. There's not much to them at all, and they all can be sending stuff out to the internet.
So again, it's really important that if you're listening to this and you're a security professional, one, you need to understand where all your IoT devices are within your network. Two, you need to have them on a separate network so they're not tied to your overall company-wide network or your home network. And then three, you need to monitor them and watch what they're doing. You can set up rules if you have a security operations center; set up rules specifically looking for this type of activity. And I would highly recommend it. I also would highly recommend that if you go to ChatGPT or any of those other LLMs, have them provide you some indicators of something like this. They can provide you basically a use case on what you could put into your SOC. So that's a great way, a great tool to help you make your SOC much more effective with these types of activities. Okay, so that is Krebs on Security, Kimwolf botnet is stalking your local network. Okay, before we get into our training today, a real quick plug for CISSP Cyber Training. Head on over to CISSP Cyber Training and get access to all the free content that I have available for you. I've got self-study essentials, I've got anything you need in there. I've got rapid review, weekly practice questions. I have over 360 practice questions that are available. Plus, on top of that, you get weekly CISSP questions. So that's another 105 questions that are there and available for you. You get them twice a week. That all comes right to your email, right to your inbox. So it's a pretty impressive situation. It's a lot of great stuff that you can have access to just from a free standpoint, not to include the podcasts and my blogs. So all that is available to you at CISSP Cyber Training. If you need more than that, I get a lot of people calling me and emailing me saying, hey, I need some extra help. What do I do?
Go to CISSP Cyber Training and we have some different options for you there on how to help you get that extra help you need. One, from just studying for the CISSP and having a good plan. Or two, if you need some mentorship: what do I do with my career? Which job should I take? Should I look at my resume? What do you think about my resume? How can I be better positioned to take that role to make more money or to get more influence within your organization? I can do that at CISSP Cyber Training. That's the difference between me and many of these other companies. I've done it. I can help you with the CISSP and beyond. That's the goal, and I can also help you with understanding some of the ways you can look at things when you're looking for jobs. So CISSP Cyber Training is more than just a CISSP program. It can help you with your overall cybersecurity plan and career completely. So again, last plug there. Go to CISSP Cyber Training and go check it out. Okay, so this is domain 7.1, understanding and complying with investigations. So, as we all know, domain seven is a large domain, and there's a lot of stuff in this. And as I say, people that I talk with, they struggle with all of the different content. So the goal is to break this down in a way that is looking at this from the manager's perspective. So as you get questions that come in, you need to understand the question from the manager's perspective, not from an IT or technical perspective. So, evidence collection and handling. There are some key concepts related to this. Proper collection of evidence is a challenging event, and you really need to have a good plan around it. This should only be accomplished with professional technicians. So what do I mean by that? You need to really have an individual that is good with evidence collection, who understands it and has been trained on it, versus having just your new intern come in and, hey, I need you to collect a bunch of stuff.
The reason is it can go sideways very, very quickly with that thought process, because what ends up happening is your intern will go and start grabbing things and they may not document them well. Also, if you go to court, the lawyers are gonna chew up your intern because your intern was not properly trained. So you really need to have this accomplished with professional technicians who know what they're doing. It can be done within your own organization, but training is the key factor. Training and documentation. Now, individuals collecting evidence need to be trained on handling. Again, it comes down to your case handling, and improper case handling can jeopardize your overall legal case. And this is where chain of custody is such an important part. Best to work with a copy of evidence, not the original. That's not "best." It truly is: don't work with the original unless you absolutely have to, which should be highly unlikely. Do not use the original data set that you're gonna be doing forensics on. I do recommend a copy of that, so in case anything happens to it, you haven't touched the original one. Also, when you touch the original one, the lawyers again will have a field day saying, well, how do we know you didn't just plant this stuff? You know, you're just putting it in there because you touched it, you modified it. So do not work with the original, work with a copy. If all else fails, then stop. Don't do anything. If you can't work with it, stop, figure it out, find somebody to talk to to help you get a copy made. Now, the International Organization of Computer Evidence, IOCE, provides guidance on what you should do, and it calls out some key areas that you need to be considering. One, all general forensic and procedure principles must be applied. So you need to understand these forensic and procedure principles. They must be documented.
Therefore, in many cases, this is why a third party will be called in to help you do these forensic pieces. I'm working with a company right now, and we are in the process of getting a forensic company in contract and on retainer. So in the event that something happens, they can raise the bat phone, call them, and have access to them immediately. The seizure of evidence should not change the evidence. So as you're seizing this evidence, it should not change what evidence you specifically have. And that means you need to have a good plan on how you're collecting this information. When possible, the person seizing the evidence should be trained, and I highly suggest that. It isn't always the case, right? You might have a situation, especially at remote locations, where the person who is collecting the evidence is not trained on forensics. I've had this happen in various locations around the globe. I've had them grab the information they needed. Now, in this case, I had a procedure for them already defined, and it was very basic. It wasn't really complex. And in today's world, with the various LLMs, you could have a procedure created for you and then just kind of tweak it to what you might need. And I sent that procedure to them saying, do these things. And the cool part about it is if they have a procedure, they go do those things, they set it where you want. It really truly helps alleviate a lot of the issues with the lawyers. And again, you're coming down to lawyers. You're gonna have to think about what a lawyer is gonna challenge me on related to the evidence. And if you had a good plan, you have a good place, and you have good procedures on how they should handle it, it will go a lot better for you in the court of public opinion as well as when you're dealing with the judge.
All seizure, storage, et cetera, must be fully documented, and then one person is responsible for all actions taken regarding digital evidence. You cannot have two people; no two cooks in the kitchen. You can't have it. You gotta have one person who is responsible for everything. If someone has to pull the information, has to go look at it, and you need to send in a technician to go do it, then that one person has the approval rights to go do that specific thing. So again, one throat to choke, not multiple chefs in the kitchen. Any agency responsible for seizing evidence must follow these principles. And that means any agency or any person must follow these principles. It's very important that you follow these to the letter, as well defined as they are. If you do not have them well defined, then you need to make sure that you bring in a third party to potentially help you with this. When you're dealing with media analysis, you need to have identification and extraction of the data. How are you going to do that? And what is the media that you're going to be analyzing? Is it magnetic media? Is it like an old school hard drive where the platters are there and they're spinning? Do you have the tools necessary to be able to recover the information? If the media itself is in a state that's not usable, do you have a third party that can actually pull data off of those platters that maybe don't work? So I know in Kansas, as an example, where I'm from, there is an investigation team with what we call the KBI, which is our Kansas Bureau of Investigations. In the event that there's a criminal investigation, you can send them the hard disk platter, you know, basically the regular hard disks that are spinning.
And if it has been hit with a hammer, they can actually go in, pull the platters out, and then they can see if there's any information they can pull from those platters. That doesn't mean they're going to find anything. It truly doesn't. They could be just totally smashed, but they do have the capabilities, they have a clean room, they have all those aspects where they can actually pull this thing apart and then start looking at the data inside it potentially. There are companies out there that will do that for you if you need that level of investigation. Now, just know that that'll probably set you back 10 or 15 grand just to do something like that, and there's absolutely no guarantee that they'll be able to find anything. So you have to just weigh out, is it really worth it? Is the juice worth the squeeze? So that's what you got to ask yourself. In-memory analysis, this is where you're collecting contents of memory using a trusted tool. It's important that you have a tool that you define for in-memory analysis. So this is where tools will go in and dump the memory of a specific system or even a chip and place it on a different device. We've seen this with RAM chips. People can actually pull some data off of the RAM, depending on how it was shut down, if it didn't get a chance to get rid of the information that was on it. The dump will contain all contents collected in memory, which may be a lot or may be a little. And then you should compute a hash of the dump for authenticity. So basically, as you dump the information, you put it on some sort of storage media device, you then create a hash for that media to make sure that it is clear what you've created. It basically gives it an immutable record that it is a hashed copy of what you currently have downloaded. So you need to think about that when you're dealing with any sort of in-memory analysis.
Again, if I'm going over your head and you're going, I don't understand this, the point of it is you pull in a forensic specialist for it. But you, as a CISSP person, need to know this content because, as you can see, I'm pulling up stuff that I've had to do. And in the CISSP, these are things that you will have to understand and know, because depending on what organization you go to, you will end up dealing with something like this on a weekly or monthly basis. Network analysis. This is where it depends on the prior knowledge of the event. So you need to understand what happened. And this comes down to your IPS, your flow logs, your firewalls, any sort of SPAN ports you may have, any sort of packet filtering you may have in place. All of those things are on your network. You need to understand where they're at. You need to understand which ones you want to use. And then the logs that are created, do you have a good plan on what logs are stored and for how long they are stored? So much of this depends on knowing your overall network and then knowing where the event occurred. The challenge is, in many cases, if it's been some time since the actual incident or event occurred, those logs can be hard to ascertain or grab. And the reason is because in most cases, logs are probably overwritten every seven days, depending upon if you have a regulatory requirement, maybe you've kept them longer. But most logs are kept for a very short period of time. And so that makes it a bit of a challenge. Now the log collection can come off of a SPAN port. And if it comes off of a SPAN port, those are really good because in most cases, if you are actually pulling information off of a SPAN, this basically is a tap.
Let's think of it this way: you have a firewall that has a SPAN port coming off, and it's got a copy of all the information that is flowing through your traffic, not like your files, but it's more of the traffic information. It's taking that off and putting it into a central location and a storage location. If you had the wherewithal to think of taking information off of a SPAN port at the beginning, you probably have a good storage solution in place for it. So you may want to consider that when you're architecting your environment, going, you know what, I need to plan for forensic study in the future. So maybe we need to put a SPAN port in and then have data collected off of that. So again, that's just something you're gonna have to work through with you and your IT professionals, unless you are that person. Software analysis, this is where you look for backdoors, logic bombs, or other vulnerabilities that you may find within the software that's there. And then you may need to review log files and applications for a better picture. So as we talk about in CISSP Cyber Training many times around different articles, there was one we did just today, related to the IoT devices and how those are communicating outbound to various organizations as botnets. So you need to understand what software is doing this, and this is the different kind of network flow map you would get from network analysis of what's actually occurring on your internal network. So again, that is the software analysis part. Now, reporting and documentation: all investigations need to have a report. Again, document, document, document. And I know it sounds just overwhelmingly foolish. It's like I gotta have a document for a document, I gotta have a checklist for a checklist. It doesn't need to go that intense, but you need to have a report that is generated from all investigations.
And this is the documentation of what you have done and what you have found in the event that something had occurred. Now, this report type will be dependent on the organization's policies and procedures, and the final report does lay the foundation for potential legal action. So you have to really go into this with the eyes wide open to understand, if you're doing an investigation, even if your leadership has told you we're not doing legal action, we're not gonna go after this, go into it with the attitude that yes, legal action will be occurring. The reason I say that is I have seen it so often where the person, the analyst or the engineer who is pulling this information, heard from the CISO or even from the CEO that, you know what, we're gonna do an investigation, we need to figure it out, but we're not gonna proceed with legal action because I don't want to spend the money or the time to do it. Well, then all of a sudden, about halfway into the event, they go, yeah, you know what? Why don't we do this? Why don't we look to see if we get ready for some sort of legal action? And then you have to backtrack, if you can even backtrack. So always go in with the attitude that you're gonna go with legal action. Think of it as if you're going to court, your bottom's gonna be sitting on a seat, they're gonna be asking you questions about what actually occurred, and so therefore, you need to make sure that you are protecting that and you are collecting as much information as you possibly can. Now it's imperative that you have a relationship with legal counsel, and that this has already been established. If you don't have legal counsel within your company, and legal counsel are lawyers, if you don't have legal counsel within your company, look at a third party to do so. I actually got a good education recently as I'm looking at insurance for a company I'm dealing with right now, where I'm working as a consultant.
And the insurance is cyber insurance, and they have a set of law firms that are specifically defined for legal counsel in relation to incidents or investigations. So your insurance carrier may have somebody you can talk to if you don't have them in place. Now, even if you have legal counsel internally, these are not the same legal counsels that you'd want from a forensic standpoint. So work with your internal legal counsel, your lawyer, to be able to find somebody that they would recommend for investigations. So again, the insurance companies may dictate some of this depending upon your company and your organization, or you may have a say in it. But I can't stress it enough. Make sure you have lawyers, that this has been established, and everybody knows what they're supposed to do. Build relationships with law enforcement. This one is squishy. Like a lot of things in security, this is squishy. Having a good understanding with law enforcement is valuable, especially if you're going to do a case. And understanding what they're looking for in the event of an incident is very valuable. Most local law enforcement, your police within your jurisdiction, probably do not have the capabilities to help you a whole lot. That isn't always the case, but in many ways they're not. New York City probably does. San Antonio probably does. Wichita, Kansas, I know they do not. They have stuff. It's not like they don't have anything, but they don't have the level of help that I may need in my company. So therefore, it's important that you already build these relationships with them, at least to find out what they have. The law enforcement could also be, in the case of the United States, the FBI, but wherever you're at and whatever country you're in, they have something very similar to that. So I would consider working with those folks as well.
Introductions are extremely valuable and they are important. And like my father told me for many, many years, and I agree completely with him on this topic, not on many other things, but on this one I do, it's not what you know, it's who you know. Having a friend that can help you in the event that there's a problem is extremely valuable. This also comes down to you if you're gonna get into leadership within security. It's not what you know. It is what you know, but it's more who you know. Again, it's not a buddy system. I mean, that obviously exists. It's not, hey, I know you, you know me, wherever you go, I go. Yeah, that happens all the time. But that isn't always a good thing either. The bottom line is knowing people is extremely valuable. So I'll leave it at that. So investigative techniques: you need to conduct computer security investigations. You will need a team. This cannot be just you, Billy Bob. No, it can't happen. You need to have a team of people that can help you. And this needs to operate under the incident response policy. You need to call out your incident response policy, specifically related to incident response or to forensic type activities. The reason is that, one, it's defined. Two, leadership is aware of what you're doing, to include legal counsel, CEOs, CFOs, all the C-suite, you name it. They all know what you're doing. And then you follow the scope prescribed by your overall IR policy. You follow the methods you're supposed to do, and you meet those methods. So again, it's a very prescribed path, very easy once you have it defined. The hard part's getting started. If you don't have this in place, you don't know what to do. Again, LLMs are important. And I did this when I was teaching my students at Wichita State. That's just when the LLMs started coming out. And my students were going, can we use them? And I said, yeah.
And I was using Python code and I had them use it for Python code, but I also had them use it for policy creation. It is great. It'll help you with your policies. Now, will it get you to where you just copy and paste? Well, you can copy and paste. I wouldn't recommend it, but you can. But when you do the paste, then you need to go in and tweak it because it's not going to match exactly what you need. And you need to understand what policy you're actually creating. So just copying a policy and throwing it out there saying, hey, we've got it, we've got a cybersecurity acceptable use policy. Okay, that's great, you have it, but if you don't even know what's in it, that doesn't really count. So you need to utilize the LLMs to help you create an incident response policy and the forensics piece to it. Then go in and tweak it for what you want to do. The rules of engagement should be clearly defined. Both law enforcement involvement and questioning of employees, all of that should be well defined. And if it's not defined within the policy, such as questioning employees, it may be defined within your onboarding procedures. I had a section in our onboarding procedures for all new employees that there was a relationship to logging and monitoring and forensics analysis. And the point was that if there's an issue, I'm going to be looking through your stuff. So don't get upset about it. Don't get your panties in a bunch, don't be a big Karen going, oh no, no, don't do that. No, you can't do that. You definitely want to have that defined in what's going on, and you want to make sure that they understand what it is somewhere. Whether it's in their onboarding handbook, whether it's in some sort of policy that you have out there right now, they need to be aware that you'll be questioning them and looking at their stuff. Gathering evidence: there are three different types of options for gathering evidence.
One is a voluntary surrender of the information. This provides evidence based on a request. So again, they go, hey, I need some information from your computer. Yeah, okay, cool. Here you go. You can have it. It's all yours. Subpoena: this is where a court order by law enforcement is done, and then you have to give it up. This provides sufficient notice. They give you a subpoena and say you've got 30 days to give up your info, and then therefore you have to give it up. So that's where the court is telling you to go do that. A search warrant is limited to only the situations where evidence is needed immediately. So, for example, if you had some information that was on a person's personal computer and you felt that it could be destroyed or deleted, they would then issue a search warrant immediately. A very sad case is where you're dealing with kitty porn, something along those lines, where that information is extremely fresh on the computers and it can be deleted and wiped very quickly. If law enforcement has any indication of that, they can then storm the house, come in, confiscate everything in there, and they'll have a search warrant to do so in those situations. That's a terrible thing that occurs with this stuff. And the fact is that you need the ability to go in and grab this information as quickly as possible. I've seen some of this in my time, and the sad part is once you see it, you can't unsee it. And it's just terrible. It's terrible stuff. And so, therefore, that is why it's imperative that you have good options to gather this information as quickly as you possibly can. So you have voluntary surrender, subpoena, and search warrant. Again, depending on the country that you live in, some of those may be a little bit modified, some of them may not even exist, depending on where you live.
If you're in North Korea, yeah, there's probably no search warrant. They just come in and grab everything. They don't really care. They don't have to tell you anything, they just come do it. They don't have to have a lawyer or a judge or anybody involved, they just snag it. So again, those are the three options for gathering evidence. Now, there are different types of evidence. So you have admissible evidence. This is relevant to determining a specific fact. And it must be material, or related to the case. So if you have a computer that has kitty porn on it, it would say, okay, in this situation, it has that on it. And therefore, we're going to admit this as a fact to this case, and it must be material to it. You can't go and sit there and go, I'm going to bring this person's Xbox 3. Well, that would work because it's a computing device. Let's say, instead, their record collection, right? I'm going to submit their record collection as material for this case on XYZ. Well, then that doesn't count, right? That wouldn't be material. There's nothing to do with a person's record collection. But anything that deals with an IT-type system could very well be material. Xbox, like I just mentioned. I've seen individuals utilize different small IoT-type devices to search the web, thinking that by doing so, it would actually hide or obfuscate what they're doing. Yeah, that part maybe does from their wife, but it won't obfuscate from the people that are searching for those specific IP addresses, because it still comes back to them. It still will. So again, it must be material, related to the case, and it must be competent, or obtained. And therefore, it must have the ability to be obtained from that organization and it must be admissible. Types of evidence. So you've got real evidence, which would be a weapon, DNA, etc.
Documentary evidence, which is written notes, like you have a notebook that has your passwords, and it says, hey, I'm gonna put all this information on the C drive under this specific path. That's where it's at. Or you have testimonial evidence, where a co-worker said, hey, I saw Bob and he was stealing IP and he was shipping it to China, and I saw him do it. So therefore, what is admissible as potential evidence is that he saw Bob do this. So those are different types of testimonial evidence that are available. So you get real evidence, documentary evidence, and testimonial evidence. Now, the chain of custody piece of this: I'm gonna be doing a CISSP Cyber Training course on chain of custody in the future, so that you understand how chain of custody works specifically, tied specifically to chain of custody. And this is where, again, a course on chain of custody is imperative, that you take something like this if you're gonna be dealing with cyber-type forensics activities. You need to understand the chain of custody process. It is imperative. Because if you understand it, then it's much easier, so that, like we mentioned earlier, you don't have to deal with the lawyers and some of the things coming back saying this doesn't work. Labeling and evidence logs. You need to truly have a good labeling and evidence log path set up. You need to do that ahead of time. You don't want it on a sticky note. You want to have: how are you labeling? What are the key terms that you're labeling? And this has to be consistent. So if you have a document, you have a hard drive, and you state, this is where it was located, this is the date that it was located, this is when I grabbed it, and my name: these are the things that you would put on that label, right? And there might be some other things that you want, some notes, but the bottom line is you want a consistent methodology that you're putting on a label.
And then every time you get a piece of evidence, you do the same exact methodology on the label of the next piece of evidence. You don't want a handwritten sticky note saying, hey, Sean grabbed this yesterday. What is yesterday? Why did Sean grab it? What is it? Where'd he get it from? All of those things are not in there. So it very quickly would not be admissible, because you don't know if he grabbed it from his home or if he grabbed it from the trash can. So it's imperative that you have that plan. And then each person handling data must sign a log. The log must be signed by the individual and must be available to legal counsel as they see fit. This has to be an unbroken sequence of events. So, as an example, you've seen the movies, right, where the police have the evidence collection point, where they have a dude, or maybe a dudette, who sits back behind this gate, and you're gonna drop off evidence, you sign a log, you drop off the evidence, you tag it, right? And then there's the bad guy, the bad cop behind the fence, and he's like, hey, here you go, here's some stuff. And he or she takes that information, takes whatever it is, drugs, whatever, and they pass it out the door and they don't sign the log. Okay, so when that stuff kind of happens, then everything falls apart. So you need to have an unbroken sequence of events: Sean took his hard drive, gave it to the bad cop behind the fence, wrote it down. The bad cop behind the fence wrote it down that he was there and he took it, and he puts it where he puts it, somewhere else, and that's all done. Right. And then when you go to get it, the bad cop behind the fence gets it for you. So you sign for it, you take it, then you take it to where you're gonna go. Again, there's an unbroken sequence of events in this process, and you need to have that well defined.
I've worked with lawyers, and you're gonna have this situation where the guy behind the fence kind of thing may not be a guy behind the fence, because you're not gonna pay somebody just to stand there. But what you would do is have a room set up with a beep beep, you know, with those basically RFID lock-in, lock-out kind of things, where you bring up your card and you go beep beep and it lets you in. You would have a log on the door. The log would have a camera, you'd also have a camera, and then you would write down what you did when you went in, you grab what you're gonna grab, and then you come out and you write the log as well. And there are cameras inside as well, seeing what you're actually grabbing. So that would be another way that you would have an evidence locker specifically, and this would all then also have logs that would be audited on a very frequent basis. So as you can see, this would get very expensive very quickly. But if you're gonna file a lawsuit, you're gonna want to put all of those things in place. So just kind of start thinking about chain of custody and what's important. Again, CISSP Cyber Training, I'll do a course on that. I've been saying I want to do a course, I just need to get it done. But chain of custody is an important part. You want to make sure you have a good plan when you're dealing with it, before you have to actually deal with it. Okay, so that's all I've got for you today. Thank you so much for joining me at CISSP Cyber Training. Again, head on over to CISSP Cyber Training. Lots of great content's available for you. Listen, I appreciate y'all listening to the podcast. I get people hitting me up all the time, all the time, that they've passed the CISSP.
They're super excited about doing that, but they continue to listen to the podcast because of the fact that there's really good information that comes out related to security and your overall plan with your cybersecurity career. All right, have a wonderful day, and we will catch you all on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes. I would greatly appreciate your feedback. Also, check out my videos that are on YouTube, and just head to my channel at CISSP Cyber Training, and you will find a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 363 CISSP questions to help you in your CISSP journey. Thanks again for listening.
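The labeling and chain-of-custody log the episode describes (the same label fields on every item, every handler signing the log, an unbroken hand-off sequence, and a hash of the bit-for-bit copy) as an added Python example; this is not code from the podcast or from CISSP Cyber Training, and the names, dates, evidence IDs and image bytes are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class CustodyEntry:
    when: datetime
    from_person: str
    to_person: str
    purpose: str
    signed_by: str            # the receiving handler signs the log
@dataclass
class EvidenceItem:
    evidence_id: str          # same label fields on every item, every time
    description: str
    location_found: str
    found_at: datetime
    collected_by: str
    sha256: str               # hash of the bit-for-bit copy taken at collection
    log: list = field(default_factory=list)

def collect(evidence_id, description, location_found, found_at, collected_by, image):
    # Label a new item and record the hash of its forensic copy at collection time.
    return EvidenceItem(evidence_id, description, location_found, found_at,
                        collected_by, hashlib.sha256(image).hexdigest())

def transfer(item, when, from_person, to_person, purpose, signed_by):
    item.log.append(CustodyEntry(when, from_person, to_person, purpose, signed_by))

def verify(item, image):
    """Return the breaks found in the chain; an empty list means it is unbroken."""
    problems = []
    if hashlib.sha256(image).hexdigest() != item.sha256:
        problems.append("copy no longer matches the hash recorded at collection")
    holder, last = item.collected_by, item.found_at
    for n, e in enumerate(item.log, 1):
        if e.from_person != holder:        # someone handed over an item they never held
            problems.append(f"entry {n}: {e.from_person} handed over an item held by {holder}")
        if e.when < last:                  # hand-offs must move forward in time
            problems.append(f"entry {n}: timestamp earlier than the previous entry")
        if e.signed_by != e.to_person:     # the receiver must sign for it
            problems.append(f"entry {n}: receiver {e.to_person} did not sign the log")
        holder, last = e.to_person, e.when
    return problems

IMAGE = b"constructed disk image bytes"   # constructed stand-in for a forensic copy
def sample_item():
    # Constructed sample: collector -> evidence room -> analyst, each hand-off signed.
    item = collect("EV-001", "Laptop HDD", "Desk 4B, Bldg 2", datetime(2026, 1, 5, 9, 0), "Sean", IMAGE)
    transfer(item, datetime(2026, 1, 5, 9, 30), "Sean", "Evidence Room", "storage", "Evidence Room")
    transfer(item, datetime(2026, 1, 6, 8, 0), "Evidence Room", "Analyst", "analysis", "Analyst")
    return item
```

Deleting a hand-off from the log, or a receiver who did not sign, shows up as a named break in `verify()`, which is the "bad cop behind the fence" case from the episode.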
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!