Computer Crime and Investigations
CISSP mainly focuses on US law.
A computer crime is a violation of a law or regulation directed against or directly involving a computer. Some types of computer crimes include:
Electronic discovery
Organizations expecting lawsuits have a duty to preserve digital evidence in a process called eDiscovery.
- Information ID and Governance: Setting the scope of what data should be collected and ensuring the right guidelines are followed.
- Preservation and Collection: Actively saving and accumulating relevant digital data.
- Processing, Review, Analysis: Filtering the accumulated data, checking its relevance, and drawing conclusions from it.
- Production and Presentation: Making the processed data available and showcasing it effectively, usually in court.
eDiscovery often employs tagging, classification, and targeting specific custodians.
Gathering information in investigations
To adequately obtain information from equipment, software, and data, the following is essential:
- Possession: You must have possession of the equipment, software, or data to analyze it and use it as evidence.
- Modification: Ensure evidence is acquired without any alterations or allowing alterations by others.
Law enforcement uses a "chain of custody" to document everyone who handles the evidence.
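The two requirements above (acquire without alteration, document every handler) are usually met together: a cryptographic digest is taken at acquisition and every later custodian records the digest of what they actually received. The following is an added example, not code from the original notes; the handler names, item IDs and the log excerpt used as evidence are constructed for the demonstration.

```python
"""Chain-of-custody record with integrity checks (added example, not from the original notes).

Assumptions (hypothetical): evidence is a byte string acquired from a device or export;
each handler appends a custody entry carrying the SHA-256 of the evidence as received.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of the evidence as received; recorded at every custody step."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    handler: str      # person taking custody (hypothetical names in the demo below)
    action: str       # "acquired", "transferred", "analyzed", ...
    timestamp: str    # ISO-8601, UTC
    sha256: str       # digest of the evidence as this handler received it


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str               # fixed at acquisition; every later entry must match it
    custody: List[CustodyEntry] = field(default_factory=list)


def _stamp(when: Optional[datetime]) -> str:
    return (when or datetime.now(timezone.utc)).isoformat()


def acquire(item_id: str, description: str, data: bytes, handler: str,
            when: Optional[datetime] = None) -> EvidenceItem:
    """Create the evidence record and its first custody entry from the bytes as acquired."""
    digest = fingerprint(data)
    item = EvidenceItem(item_id, description, digest)
    item.custody.append(CustodyEntry(handler, "acquired", _stamp(when), digest))
    return item


def record_handoff(item: EvidenceItem, data: bytes, handler: str, action: str,
                   when: Optional[datetime] = None) -> bool:
    """Append a custody entry for the bytes the new handler actually received.

    Returns True when the received bytes still match the acquisition digest and
    False when they differ; the entry is recorded either way so the divergence is visible.
    """
    digest = fingerprint(data)
    item.custody.append(CustodyEntry(handler, action, _stamp(when), digest))
    return digest == item.acquisition_hash


def first_divergence(item: EvidenceItem) -> Optional[str]:
    """Name the first handler whose recorded digest differs from the acquisition digest, or None."""
    for entry in item.custody:
        if entry.sha256 != item.acquisition_hash:
            return entry.handler
    return None


def demo() -> Tuple[bool, bool, Optional[str]]:
    # Constructed sample evidence: a one-line log excerpt standing in for a disk image or export.
    original = b"2024-01-01T10:00:00Z sshd[812]: Accepted publickey for admin from 10.0.0.5\n"
    item = acquire("EV-001", "auth log excerpt (constructed sample)", original, "analyst_a")
    intact = record_handoff(item, original, "analyst_b", "transferred")
    # Constructed alteration: one field changed somewhere between analyst_b and analyst_c.
    altered = original.replace(b"10.0.0.5", b"10.0.0.6")
    still_intact = record_handoff(item, altered, "analyst_c", "transferred")
    return intact, still_intact, first_divergence(item)


if __name__ == "__main__":
    print(demo())   # (True, False, 'analyst_c')
```

The acquisition digest is never recomputed from later copies; each custodian hashes what they were handed, so a mismatch pinpoints the handoff at which the copy stopped matching the original rather than only telling you that "something" changed.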
Alternatives to Confiscating Evidence:
- Voluntary Surrender: The evidence owner willingly gives it up for an investigation.
- Subpoena: Compels the evidence owner to surrender the evidence.
- Search Warrant: Useful for seizing evidence without giving the owner an opportunity to modify it.
Many incidents are discovered post-occurrence. Without preserving critical log files for an adequate duration, valuable evidence may be lost. The reasonable retention period varies based on data sensitivity, asset value, and any regulatory requirements. Always define data retention in security policies.
Evidence
For CISSP, evidence is mainly about the proof we can obtain.
- Best Evidence: The original piece.
- Secondary Evidence: A duplicate.
- Direct Evidence: Validates or refutes an act based on sensory perception (e.g., sight and hearing).
- Conclusive: Indisputable and takes precedence over other types, e.g., clear footage of a crime.
- Circumstantial: Derived from ancillary data, e.g., a cake missing from the fridge and crumbs on the counter.
- Corroborative: Reinforces other evidence, but isn't solid on its own, e.g., fingerprints found at multiple crime scenes.
- Opinions: Expert and non-expert views offered to back a claim or viewpoint.
- Hearsay: Not based on direct experience, e.g., someone saying they heard a person admit to a crime.
For evidence to be impactful, it must be relevant, complete, adequate, and trustworthy.
Evidence Admissibility
Types of evidence permissible in a court trial:
- Real Evidence: Tangible items presentable in court.
- Documentary Evidence: Written records shedding light on the facts.
- Testimonial Evidence: Oral or written accounts by witnesses.
For evidence to be admissible, it must be pertinent to the case, materially significant, legally gathered, and reliable.
Collecting Evidence
On detecting an incident, immediate evidence collection is crucial. Gathering as much data as possible is pivotal for potential legal actions or pinpointing the perpetrator's identity. This can also help gauge the magnitude of the damage.
Proper evidence collection can be instrumental in both preventing future incidents and ensuring justice is served.