


CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8
Chapter 10: Legal, Regulations, Compliance, and Investigations

... on behind some abnormal system activity, while another employee would just respond, “Oh, that just happens sometimes. We don’t know why.”

The investigator could identify suspicious activities, such as port scans, attempted SQL injections, or evidence in a log that describes a dangerous activity that took place. Identifying abnormal activities is a bit more difficult, because it is more subtle. These activities could be increased network traffic, an employee staying late every night, unusual requests to specific ports on a network server, and so on. As an analogy, if a mother of a teenage boy smelled smoke on his jacket, she might suspect he had taken up smoking. If the teenage boy, who usually plays Xbox games all night, starts going to the library every night, the mother would notice this abnormal activity and, upon snooping around, perhaps discover her son has a new girlfriend he is meeting at the park each night.

On top of being observant, the investigator must understand forensics procedures, evidence collection issues, and how to analyze a situation to determine what is going on, and know how to pick out the clues in system logs.

Different Types of Assessments an Investigator Can Perform
• Network analysis
• Communication analysis
• Log analysis
• Path tracing
• Media analysis
• Disk imaging
• MAC time analysis (Modify, Access, Create)
• Content analysis
• Slack space analysis
• Steganography
• Software analysis
• Reverse engineering
• Malicious code review
• Exploit review
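The distinction the chapter draws between suspicious activity (a port scan, an attempted SQL injection written into a log) and merely abnormal activity (more traffic than usual, someone working late every night) is easier to see in log-review code. The following is an added example, not code from the book or its author; it assumes a constructed connection-log format (timestamp, src, dport, user, req) and constructed sample lines. The first two checks flag explicit indicators; the last two only flag deviations from a stated baseline, which is exactly why abnormal activity needs an investigator to follow up rather than an automatic verdict.

```python
import re
from collections import Counter, defaultdict

# Constructed sample connection log (not from the book); one event per line.
# Format assumed here: <ISO timestamp> src=<ip> dport=<port> user=<name|-> req=<request|->
SAMPLE_LOG = """\
2013-05-01T09:01:10 src=10.0.0.5 dport=80 user=alice req=GET /index.html
2013-05-01T09:02:12 src=10.0.0.5 dport=80 user=alice req=GET /reports?id=7
2013-05-01T09:03:40 src=10.0.0.9 dport=80 user=bob req=GET /reports?id=7' OR '1'='1
2013-05-01T09:05:02 src=10.0.0.9 dport=80 user=bob req=GET /reports?id=1 UNION SELECT name,pw FROM users
2013-05-01T23:40:00 src=10.0.0.5 dport=445 user=alice req=-
2013-05-01T23:41:00 src=10.0.0.5 dport=445 user=alice req=-
"""
# Constructed burst: one external address touching 20 consecutive ports in 20 seconds.
SCAN_LINES = "\n".join(
    f"2013-05-01T10:00:{i:02d} src=198.51.100.7 dport={port} user=- req=-"
    for i, port in enumerate(range(21, 41))
)
SAMPLE_LOG = SAMPLE_LOG + SCAN_LINES + "\n"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) user=(?P<user>\S+) req=(?P<req>.*)$"
)
# Textbook SQL-injection fragments as they would appear in a request log.
SQLI_RE = re.compile(r"'\s*or\s*'|union\s+select|;\s*drop\s+", re.IGNORECASE)


def parse_log(text):
    """Turn log text into a list of event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        ev["hour"] = ev["ts"][:13]  # e.g. "2013-05-01T10", used for hourly volume
        events.append(ev)
    return events


# --- Suspicious activity: an explicit indicator is present in the record itself ---

def find_sqli_attempts(events):
    """Requests whose payload contains a known injection fragment."""
    return [(e["src"], e["user"], e["req"]) for e in events if SQLI_RE.search(e["req"])]


def find_port_scans(events, min_ports=10):
    """Sources that touched at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for e in events:
        ports_by_src[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


# --- Abnormal activity: nothing wrong in any single record, only a deviation from a baseline ---

def find_off_hours_activity(events, start_hour=8, end_hour=18):
    """Named users active outside the assumed business window (the 'staying late' signal)."""
    hits = []
    for e in events:
        if e["user"] == "-":
            continue
        hour = int(e["ts"][11:13])
        if not (start_hour <= hour < end_hour):
            hits.append((e["user"], e["ts"], e["dport"]))
    return hits


def find_volume_spikes(events, baseline_per_hour=5, factor=3):
    """Hours whose event count exceeds factor x the assumed baseline (the 'increased traffic' signal)."""
    counts = Counter(e["hour"] for e in events)
    return sorted(h for h, n in counts.items() if n > baseline_per_hour * factor)


def triage(text):
    """Run all four checks and group the results by the chapter's two categories."""
    events = parse_log(text)
    return {
        "suspicious": {
            "sqli_attempts": find_sqli_attempts(events),
            "port_scans": find_port_scans(events),
        },
        "abnormal": {
            "off_hours": find_off_hours_activity(events),
            "volume_spikes": find_volume_spikes(events),
        },
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_LOG).items():
        print(category.upper())
        for name, result in findings.items():
            print(f"  {name}: {result}")
```

The baseline values (business hours, events per hour) are assumptions for the sample data; in a real review they come from the organisation's own history, and an off-hours or volume hit is a lead to investigate, not evidence on its own.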
The Forensics Investigation Process

To ensure that forensics activities are carried out in a standardized manner, it is necessary for the team to follow specific laid-out steps so nothing is missed and thus ensure the evidence is admissible. Each...

This note was uploaded on 06/01/2013 for the course NET 125 taught by Professor Hurst during the Fall '12 term at Wake Tech.
