All-in-1 / CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8 Chapter 10: Legal, Regulations, Compliance, and Investigations 891
on behind some abnormal system activity, while another employee would just respond, “Oh, that just happens sometimes. We don’t know why.”

The investigator could identify suspicious activities, such as port scans, attempted SQL injections, or evidence in a log that describes a dangerous activity that took place. Identifying abnormal activities is a bit more difficult, because such activity is more subtle. These activities could be increased network traffic, an employee staying late every night, unusual requests to specific ports on a network server, and so on. As an analogy, if a mother of a teenage boy smelled smoke on his jacket, she might suspect he had taken up smoking. If the teenage boy, who usually plays Xbox games all night, starts going to the library every night, the mother would notice this abnormal activity and, upon snooping around, perhaps discover her son has a new girlfriend he is meeting at the park each night.
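As an added example (not from the book), the two kinds of finding described above expressed as log-review logic in Python: signature matches for suspicious events (a SQL injection attempt in a web request, one source probing many ports) and a baseline deviation for abnormal events (a login outside a user's usual hours). The log lines, the per-user baseline hours, and the distinct-port threshold are all constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines (not real captures) in a uniform "timestamp source key=value ..." layout.
LOG_LINES = [
    "2013-05-30T09:12:01 fw src=10.0.0.5 dst=10.0.0.20 dport=80 action=allow",
    "2013-05-30T09:12:02 fw src=10.0.0.77 dst=10.0.0.20 dport=21 action=deny",
    "2013-05-30T09:12:02 fw src=10.0.0.77 dst=10.0.0.20 dport=22 action=deny",
    "2013-05-30T09:12:02 fw src=10.0.0.77 dst=10.0.0.20 dport=23 action=deny",
    "2013-05-30T09:12:03 fw src=10.0.0.77 dst=10.0.0.20 dport=25 action=deny",
    "2013-05-30T09:12:03 fw src=10.0.0.77 dst=10.0.0.20 dport=80 action=allow",
    "2013-05-30T10:01:44 web src=10.0.0.9 path=/login.php?user=admin'%20OR%20'1'='1",
    "2013-05-30T10:05:00 login user=alice host=fileserver result=ok",
    "2013-05-30T23:41:10 login user=bob host=fileserver result=ok",
]

# Suspicious = matches a known-bad signature; abnormal = deviates from an assumed baseline.
SQLI = re.compile(r"'\s*(or|and)\s*'?\d*'?\s*=|union\s+select", re.IGNORECASE)
BASELINE_HOURS = {"alice": range(8, 18), "bob": range(8, 18)}  # assumed normal working hours

def parse(line):
    """Split 'timestamp source k=v k=v ...' into (hour, source, fields)."""
    ts, source, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return int(ts[11:13]), source, fields

def classify(lines, scan_threshold=5, baseline=BASELINE_HOURS):
    """Return suspicious findings (signature hits) and abnormal ones (baseline misses)."""
    suspicious, abnormal = [], []
    ports_by_src = defaultdict(set)
    for line in lines:
        hour, source, f = parse(line)
        if source == "fw":
            ports_by_src[f["src"]].add(f["dport"])
        elif source == "web" and SQLI.search(unquote(f["path"])):
            suspicious.append(("sqli", line))
        elif source == "login":
            usual = baseline.get(f["user"])
            if usual is not None and hour not in usual:
                abnormal.append(("off-hours login", line))
    # One source touching many distinct ports is the port-scan signature.
    for src, ports in ports_by_src.items():
        if len(ports) >= scan_threshold:
            suspicious.append(("port scan from " + src, sorted(ports)))
    return {"suspicious": suspicious, "abnormal": abnormal}

if __name__ == "__main__":
    for kind, items in classify(LOG_LINES).items():
        print(kind, items)
```

The off-hours login is reported separately from the signature hits because, as the text notes, it is not evidence of wrongdoing on its own but a deviation the investigator should look into.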
On top of being observant, the investigator must understand forensics procedures, evidence collection issues, and how to analyze a situation to determine what is going on, and know how to pick out the clues in system logs.

Different Types of Assessments an Investigator Can Perform
• Network analysis
• Communication analysis
• Log analysis
• Path tracing
• Media analysis
• Disk imaging
• MAC time analysis (Modify, Access, Create)
• Content analysis
• Slack space analysis
• Software analysis
• Reverse engineering
• Malicious code review
• Exploit review
The Forensics Investigation Process

To ensure that forensics activities are carried out in a standardized manner, it is necessary for the team to follow specific laid-out steps so nothing is missed and thus ensure the evidence is admissible. Each...
This note was uploaded on 06/01/2013 for the course NET 125 taught by Professor Hurst during the Fall '12 term at Wake Tech.