Index

Note: Page numbers followed by “f” indicate figures, “t” indicate tables and “b” indicate boxes.
Abstract model of digital forensic procedures, 161, 161f
Accept risk, 231
Acceptable activity, 105–106
AccessData Certified Examiner (ACE), 178
AccessData Mobile Phone Examiner (AME), 178
Account information, 11
Action plan, 67
Administrative controls, 88
Administrative governance foundations, 99
assurance controls, 101–102
evidence handling, 101
evidence storage, 100–101
incident/investigation response, 101
personnel, 100
Admissibility, 85
Advanced Computer Forensic Workshop (ACFW), 179
Advanced Internet Child Exploitation (AICE), 179
Advanced persistent threats (APTs), 3
Advanced Specialty Certificate (ASC), 179
Adverse event, 116
Aligning requirements, 262
American Academy of Forensic Sciences, 6
American Society for Industrial Security (ASIS), 177
Analytical skills, 136
Analytical techniques, 108–109
anomaly detection, 109–110
misuse detection, 109
specification-based detection, 110
Annual rate of occurrence (ARO), 223–224
Annualized loss expectancy (ALE), 224
Anomaly detection, 109–110
Application oriented, 256
Arbitrary regulations, 59
Architectural models, 248–253, 250f
basic architecture, 250–251
with data marts, 251–253, 252f
with staging, 251–253, 251f
Asset value (AV), 223
Assets, 239
Associate of Applied Science (AAS), 185–186
Association of Chief Police Officers (ACPO), 37, 98
Assurance controls, 101–102
Attack simulation, process for, 242
Australia, 179
Australian Signals Directorate (ASD), 107b
Authentication, 55
Authenticity, 85–87, 89
Authorization, 55
Availability, 55
Avoid risk, 228
Awareness, 130–131
Bachelor of Technology (BTech), 179
Background evidence, 64
Backup and restoration strategies, 102
data replication, 103
data restoration
from off-line backup media, 103
from online backup media, 103
near real-time data replication, 103
Base discount year, 208
Baselines, 191–192
Basic knowledge, 131
Benefit/Cost Ratio (BCR), 210, 210t
Best-of-breed, 255–256
Black box, 196
Bottom-up view, 253
Brady Rule, 141b
Business
business-centric focus, 151–152
continuity planning, 118–119
query view, 253
records, 25
requirements, 216–217, 254
scenario, 66
use case, 66
Business benefits, 199–200
Business case document, 293f–302f
Business learning, technical learning vs., 135–136
Business risk, 53–54, 151–152
association, 240
forensic readiness scenarios, 55
assessment, 60–61
demonstrating compliance with regulatory or legal requirements, 59
effectively managing release of court ordered data, 59–60
producing evidence to support organizational disciplinary issues, 58
reducing cybercrime impact, 55–56
supporting contractual and/or commercial agreements, 60
validating impact of cybercrime or disputes, 56–58
threat category to security property relationship, 56t
Canada, 179–180
Canadian Internet Child Exploitation (CICEC), 179
Categorizing requirements, 262
Cell Phone Seizure and Analysis (CSAC), 179
Cellular forensics, 6
Certified Advanced Windows Forensic Examiner (CAWFE), 178
Certified BlackLight Examiner (CBE), 178
Certified Computer Crime Investigator (CCCI), 177
Certified Computer Examiner (CCE), 178
Certified Computer Forensic Technician (CCFT), 177
Certified Computer Forensics Examiner (CCFE), 178
Certified Forensic Computer Examiner (CFCE), 178
Certified Information Forensics Investigator (CIFI), 178
Chain of custody tracking form, 283f–285f
Chain-of-evidence model, 79f
Chief executive officer (CEO), 144b–145b
Chief financial officer (CFO), 144b–145b
Classification scheme, 219–220
Closed-circuit television (CCTV), 91
Cloud forensics, 14, 133
Cloud service providers (CSP), 64, 70
Collection of evidence, 37–38
Collection requirements, 73
data security requirements, 81–82
evidence collection factors, 75
cause and effect, 77–78
correlation and association, 78
corroboration and redundancy, 79
metadata, 76–77
storage duration, 79–80
storage infrastructure, 80–81
time, 75–76
precollection questions, 73–75
Commercial-off-the-shelf (COTS), 255
Common body of knowledge (CBK), 5
Common process model for incident and computer forensics, 169–170, 169f
Communication, 119, 147–148, 227
analyzing, 228, 230f
identifying, 227–228, 229f
managing, 228–231, 232f
monitoring, 231–233, 234f
reviewing, 233–235, 235f
skills, 136
Comparative analysis, 174
Comparative assessment, 207–213
baseline-future scenario gap analysis, 213f
BCR, 210
discounting future value, 207–208
gap analysis, 212–213
internal rate of return, 211
Net present value of net benefits, 210
payback period, 211
PV assessment, 208–209
sensitivity analysis, 212
Compliance staff, 216
Compliance with regulatory or legal requirements, 59
Computer (security) incident response team (CIRT/CSIRT), 46
Computer crimes, 4
Computer Forensic Examiner (CMPFOR), 179
Computer forensic(s), 14
field triage process model, 167, 167f
investigative process, 157–159, 159f
process model, 159, 159f
Computer Hacking Forensic Investigator (CHFI), 177
Computer Information Systems (CIS), 185
Computer Information Technology (CIT), 185
Computer laws, 145–146
Computer systems, 4
Confidentiality, 55
Confidentiality, integrity, and availability triad (CIA triad), 23
Configuration/log files, 11
Constraints, 146–147
Containment, 125
Content awareness, 67–69, 69f
Continuing education establishment
balancing business vs. technical learning, 135–136
digital forensic roles, 133–135
education and training, 129
awareness, 130–131
basic knowledge, 131
functional knowledge, 131–132
specialized knowledge, 132–133
FORZA process model, 133, 134f
hierarchy, 130f
organizations, 129
stakeholder’s role, 129
Continuity, 55
Control expansion, 50
Control logs mitigation, 56–57
Correlation and association, 78
Corroboration and redundancy, 79
Cost–benefit analysis (CBA), 73, 203
for alternative, 208t–209t
comparative assessment, 207–213
phases, 203
problem statement, 203–204
quantitative assessment, 204–214
stakeholder validation, 213–214
workflow, 204f
Courses of action, 122, 239
Credibility, 137
Crime deterrent, 50
Crime prevention through environmental design (CPTED), 92
Critical thinking, 136
Cryptographic algorithms, 90
Cyber law, 145
Cybercrime, 132–133
Cybercrime impact
reduction, 55–56
validation, 56
indirect business loss, 57
mitigating control logs, 56–57
overhead time and effort, 57
recovery and continuity expenses, 57–58
Cybercriminals, 8
Cyclic Redundancy Check, 90
Data
category, 66
data marts, architecture with, 251–253, 252f
exposure concerns, 70–71
files, 11
format, 66
location, 66
origin, 66
owner, 66
replication, 103
restoration
from off-line backup media, 103
from online backup media, 103
security, 49
requirements, 81–82
Data sources, 63
background evidence, 64
cataloging, 64
deficiencies, 67–70
identification, 66–67
preparation, 65
data exposure concerns, 70–71
external data considerations, 70
foreground evidence, 64
forensics in system development life cycle, 71
inventory, 64
matrix, 311f
view, 253
Data warehouse, 247
architectural models, 248–253, 250f
basic architecture, 250–251
with data marts, 251–253, 252f
with staging, 251–253, 251f
design methodologies, 253–254
development concepts, 247–248
implementation factors, 254
best-of-breed, 255–256
business driven, 254
buy or build, 255
eggs-in-one-basket, 255–256
risk assessment, 255
value and expectation, 254
online transaction and analytical processing
differences, 248t
features, 249t
project planning, 256
view, 253
Daubert Standard, 191b
Defense-in-depth strategy, 107
Deficiencies, 67
insufficient data availability, 67–69
unidentified data sources, 70
Detection, 121–122
Digital crime, 3
Digital evidence, 36, 45, 78, 98
Digital forensic certifications, 177
industry neutral certifications, 177–178
vendor-specific certifications, 178
Digital forensic education, 178–189
Australia, 179
Canada, 179–180
England, 180–181
Germany, 181
India, 181–182
Ireland, 182
Italy, 182
Mexico, 182–183
Netherlands, 183
New Zealand, 183
Norway, 183
Scotland, 183
South Africa, 183
Sweden, 183–184
United Arab Emirates, 184
United Kingdom, 184
United States of America, 184–189
Wales, 189
Digital forensic investigation(s), 46
framework for, 166–167, 167f
Digital forensic process models, 17, 18t, 158t
high-level, 21f
phase frequency, 20f
Digital forensic readiness, 151
digital forensic investigations, 151
not reinventing the wheel, 152
maintaining business-centric focus, 151–152
model, 21, 22f
integration, 114
understanding costs and benefits, 152
Digital forensic team, 30
education and certification, 32
roles and responsibilities, 30–32
Digital forensic(s), 3, 6, 8, 17, 45–47, 177
adolescence, 6–7
childhood, 5–6
collecting digital evidence, 10
nonvolatile data, 11–12
order of volatility, 12, 13t
volatile data, 10–11
forensic investigation types, 13–14
future, 7–8
history, 3
importance, 8–9
infancy, 4–5
lab, 32–33
legal aspects, 9–10
model based on Malaysian investigation process, 170–171, 171f
proactive activities, 46
prologue, 4
reactive activities, 46–47
research workshop investigative model, 159–160, 160f
resources, 14–15
Digital Technologies for Investigators (DTIC), 179
Dimension tables, 253
Disclosure costs, 50–51
Discounting future value, 207–208
Documentation, 36
Dual data analysis process, 170, 170f
Dump files, 11
Dynamic analysis, 195
Economic regulations, 59
Education, 129
awareness, 130–131
training, 49
basic knowledge, 131
functional knowledge, 131–132
specialized knowledge, 132–133
Effectively managing release of court ordered data, 59–60
Eggs-in-one-basket, 255–256
80/20 Rule, See Pareto Principle
Electronic discovery (e-discovery), 14, 132
Electronically stored information (ESI), 50–51, 59, 75, 132
Emergency room (ER), 123
Employees, 147
Enable targeted monitoring
analytical techniques, 108–110
digital evidence, 105
digital forensic readiness program, 105
implementation concerns, 110–111
modern security monitoring, 107–108
Next-Gen security controls layers, 108f
traditional security
controls layers, 106f
monitoring, 106–107
(un)acceptable activity, 105–106
Encase Certified Examiner (EnCE), 178
Encrypting File System (EFS), 89, 97
End-to-end
cryptography, 97
digital investigation, 162–163, 163f
England, 180–181
Enhanced integrated digital investigation process, 164–165, 164f
Enterprise data warehouse (EDW), 76, 95, 247
Entity relationship model, 256
Eradication, 125
Escalation management, 119
functional escalation, 120–121, 121f
hierarchical escalation, 119–120, 120f
Evaluation period, 208
Event-based digital forensic investigation framework, 165–166, 166f
Evidence, 23
collection factors, 75
cause and effect, 77–78
correlation and association, 78
corroboration and redundancy, 79
metadata, 76–77
storage duration, 79–80
storage infrastructure, 80–81
time, 75–76
handling, 101
storage, 100–101
Evidence management
evidence rules, 23–25
gathering, 34
operating procedures, 34–38
preparation, 25
digital forensic team, 30–32
hardware and software, 33–34
high-level digital forensic process model, 25f
information security management, 25–29, 26f
lab environment, 32–33
presentation, 39–40
processing, 38–39
Evidence-based reporting, 137
exculpatory evidence, 141
factual reports, 137–138
forensic viability of digital evidence, 137
inculpatory evidence, 141
types of reports, 138–139
written reports arrangement, 139–141
Exculpatory evidence, 141
Exploit targets, 239
Exposure Factor (EF), 223
Extended model of cybercrime investigation, 163–164, 164f
External data considerations, 70
External events, 54
External information sharing, 119
Extraction, 249
Extraction, transformation, and loading (ETL), 250
Factual reports, 137–138
Federal Bureau of Investigation (FBI), 146b
Federal Rules of Evidence, 37, 86
File integrity monitoring (FIM), 113
Financial risk, 54
Florida Computer Crimes Act, 4
Foreground evidence, 64
Forensic Computing and Cybercrime Investigation (FCCI), 182
Forensic readiness, 45, 47–48
benefits, 49–51
cost and benefit, 48–51
cost assessment, 49
implementation, 51–52
scenarios for business risk, 55
assessment, 60–61
demonstrating compliance with regulatory or legal requirements, 59
effectively managing release of court ordered data, 59–60
producing evidence to support organizational disciplinary issues, 58
reducing cybercrime impact, 55–56
supporting contractual and/or commercial agreements, 60
validating impact of cybercrime or disputes, 56–58
Forensic Toolkit (FTK), 15
Forensic(s)
analysts, 30, 135
investigators, 32, 135
managers, 32, 135
practitioners, 118
in system development life cycle, 71
technicians, 30, 135
viability, 99–100
FORZA process model, 30, 133, 134f, 167–169, 168f
Four-step forensic process, 166, 166f
Full-disk encryption, 89
Functional escalation, 120–121, 121f
Functional impact, 123, 123t
Functional knowledge, 131–132
Functional requirements, 261
Gathering, 19, 34, 193–194
high-level digital forensic process model, 34f
operating procedures, 34–35
collection and preservation, 37–38
identification of evidence, 35–37
Generic computer forensic investigation model, 172–173
Germany, 181
Global Information Assurance Certification (GIAC), 178
Global Information Assurance Certification Certified Forensic Analyst (GCFA), 178
Global Information Assurance Certification Certified Forensic Examiner (GCFE), 178
Global positioning system (GPS), 76
Good conflict regulations, 59
Good faith regulations, 59
Good Practices Guide for Computer-Based Electronic Evidence, 37
Governance
and compliance, 50
document maintenance, 49
framework, 95
Greenwich Mean Time (GMT), 76
Guide metadata, 77
Guidelines, 88
Heuristical analysis, 109
Hibernation files, 12
Hierarchical, objective-based framework for digital investigations process, 165, 165f
Hierarchical escalation, 119–120, 120f
High Tech Crime Network (HTCN), 177
High Technology Crime Investigation (HTCI), 188
High-level digital forensic process model, 25f, 34f, 38f–39f, 114f
Identification
for data sources, 66–67
of evidence, 35
documenting scene, 35–36
search and seizure, 36–37
securing scene, 35
Incident handling and response, 115
learn, 126–127
preparation, 115
communication, 119
escalation management, 119–121
event vs. incident, 115–116
plans, 116–117
policies, 116
procedures, 116–117
team structure and models, 117–119
respond, 121
analysis, 122–123
detection, 121–122
prioritization, 123–124
restore, 124
containment, 125
eradication and recovery, 125
order of volatility, 126t
Incident management lifecycle, 113, 114f
digital forensic readiness model integration, 114
high-level digital forensic process model, 114f
incident response—forensic readiness integration, 115f
Incident response team (IRT), 114, 117
Incident(s), 122, 239
management, 49
response, 14, 101
Inculpatory evidence, 141
India, 181–182
Indicators, 122, 237
incidents, 121
Indirect business loss, 57
Industry best practices, references, methodologies, and techniques, 152
Industry neutral certifications, 177–178
Information assurance, 133
Information Assurance Certification Review Board (IACRB), 178
Information knowledgebase, 122–123
Information security, 45–47, 118
controls, 199
management, 25, 26f
framework, 100f
guidelines, 27, 27t, 31f
policies, 26, 27t
procedures, 29
standards, 28, 28t
proactive activities, 46
reactive activities, 46–47
Information Security and Computer Forensics (ISCF), 180
Information Security and Forensics (ISF), 187
Information technology (IT), 118, 132, 143, 216
attorney, 143–144
Informational data, 248
Informational impact, 123, 124t
Insufficient data availability, 67
content awareness, 67–68
context awareness, 68–69, 69f
Intangible benefits, 206–207
Intangible costs, 205
Integrated data, 247
Integrated digital investigation process, 161–162, 162f
Integrity, 55
checking, 97–98
monitoring, 89–90
Internal events, 53
Internal rate of return, 211
International Association of Computer Investigative Specialists (IACIS), 178
International Information Systems Forensic Association (IISFA), 178
International Information Systems Security Certification Consortium ((ISC)²), 178
International Society of Forensic Computer Examiners (ISFCE), 178
Internet, 145
law, 145
search engines, 123
Internet Evidence Analysis (IEAC), 179
Interpersonal skills, 136
Interviews, 218
Intrusion prevention systems (IPS), 107
Inventory creation, 218–219
Investigation response, 101
Investigative final report, 287f–290f
Investigative process models, 17, 157
comparative analysis, 174
computer forensic investigative process, 157–159, 159f
computer forensic process model, 159, 159f
digital forensic process models, 17–21, 18t, 158t
digital forensic readiness model, 21, 22f
digital forensic research workshop investigative model, 159–160, 160f
abstract model of digital forensic procedures, 161, 161f
computer forensic field triage process model, 167, 167f
digital forensic investigation, framework for, 166–167, 167f
digital forensic model based on Malaysian investigation process, 170–171, 171f
dual data analysis process, 170, 170f
end to end digital investigation, 162–163, 163f
enhanced integrated digital investigation process, 164–165, 164f
event-based digital forensic investigation framework, 165–166, 166f
extended model of cybercrime investigation, 163–164, 164f
FORZA, 167–169, 168f
four-step forensic process, 166, 166f
generic computer forensic investigation model, 172–173
hierarchical, objective-based framework for digital investigations process, 165, 165f
integrated digital investigation process, 161–162, 162f
network forensics, generic framework for, 171–172, 172f
phase frequency, 175f
process model for incident and computer forensics, 169–170, 169f
scientific crime scene investigation model, 160–161, 160f
systematic digital forensic investigation model, 173–174
Investigative workflow, 265–269
broad audit process, 268f
process initiation, 265f
targeted forensic process, 267f
volatile data process, 266f
Investigator logbook, 281f–282f
Ireland, 182
IT service catalog, See Service catalog
Italy, 182
“Keep it dynamic” principle, 29, 102
“Keep it practicable” principle, 29, 102
“Keep it simple” principle, 29, 101–102
“Keep it understandable” principle, 29, 102
Key contact(s), 201
Law enforcement, 50, 148
Least privilege access, 96
Legal admissibility, 85
digital forensic program, 85
Federal Rules of Evidence, 86
preservation challenges, 87
preservation strategies, 87
administrative controls, 88
physical controls, 91–93
technical controls, 88–91
Legal counsel, 49
Legal experts, 118
Legal preparations, 50
Legal review
ensure legal resources, 143
laws and regulations, 144
computer laws, 145–146
Cyber law, 145
IT law, 144–145
obtaining legal advice, 146
communication, 147–148
constraints, 146–147
disputes, 147
employees, 147
liabilities, 147
prosecution, 147
technology counseling, 143–144
Legal risk, 54
Legal staff, 216
Level of inflation, 208
Liabilities, 147
Live Analysis Workshop (LAW), 179
Load, 249
Locard’s exchange principle, 8, 9f
Logical investigative process, 265
Login sessions, 10
Mapping investigative workflows
digital forensic readiness program, 113
forensic investigations, 113
incident handling and response, 115
preparation, 115–121
respond, 121–124
restore, 124–125
incident management lifecycle, 113, 114f
digital forensic readiness model integration, 114
high-level digital forensic process model, 114f
incident response—forensic readiness integration, 115f
investigation workflow, 127
Market oriented data, 256
Master of Science (MS), 184
Master of Science in Computer Forensics and Security Management (MSCFSM), 188
Master of Science in Cyber Law and Information Security (MSCLIS), 182
Master of Science in Digital Forensics (MSDF), 188
Master of Science in Information Security Technology and Management (MSISTM), 184
Memory forensics, 14, 133
Message Digest Algorithm 5 (MD5), 89–90
Metadata, 76–77
Mexico, 182–183
Microsoft threat modeling, 241
Mind maps, 226, 227f
Minimizing costs, 50
Misuse detection, 109
Mitigate risk, 228
Modern security monitoring, 107–108
Near real-time data replication, 103
Net present value (NPV), 203
Net present value, 303
of net benefits, 210, 210t
Netherlands, 183
Network
communications, 91
configurations, 10
connections, 10
devices, 106
forensics, 6, 14
and analysis, 133
generic framework for, 171–172, 172f
Network Investigative Techniques (NITC), 179
Network time protocol (NTP), 76
New Zealand, 183
Next-generation (Next-Gen), 108
security controls layers, 108f
Nondisclosure agreement (NDA), 193
Nonrepudiation, 55
Nonvolatile data, 247
Norway, 183
Observables, 122, 237
Online analytical processing (OLAP), 248
differences, 248t
features, 249t
Online transaction processing (OLTP), 247
differences, 248t
features, 249t
Open files, 10
Open systems interconnection model (OSI model), 68
Operating system (OS), 4
Operational data, 247
Operational requirements, 261
Operational risk, 54
Operational service, 66
Overall status, 66
Overhead time and effort, 57
Pareto Principle, 77
Payback period, 211, 211t
Personal computer (PC), 4
Personnel, 100
Physical controls, 91
delay, 93
deny, 92
detect, 92
deter, 91–92
Physical security, 98–99
Plans, 116–117
Policies, 88, 116
Postgraduate Certificate (PgC), 181
Postgraduate Certificate in Computer Forensics (PCertCFR), 179
Postgraduate Diploma (PgD), 181
Postgraduate Diploma in Computer Forensics (PGDipCFR), 179
Precollection questions, 73–75
Precursor incidents, 121
Preparation, 19, 192–193
for data sources, 65
Present value (PV), 207–209, 209t
Presentation, 19, 39–40, 196
Preservation
of evidence, 37–38
strategies, 87
administrative controls, 88
physical controls, 91–93
technical controls, 88–91
Price year, 208
Prioritization, 123
functional impact, 123, 123t
informational impact, 123, 124t
prioritizing requirements, 263
recoverability impact, 124, 124t
Privilege assignments, 96f
Proactive activities, 46
Problem statement, 203–204
Procedures, 88
Process models, 157
abstract model of digital forensic procedures, 161, 161f
computer forensic
field triage process model, 167, 167f
investigative process, 157–159, 159f
process model, 159, 159f
digital forensic investigation, framework for, 166–167, 167f
digital forensic model based on Malaysian investigation process, 170–171, 171f
digital forensic process models, 158t
digital forensic research workshop investigative model, 159–160, 160f
dual data analysis process, 170, 170f
end to end digital investigation, 162–163, 163f
enhanced integrated digital investigation process, 164–165, 164f
event-based digital forensic investigation framework, 165–166, 166f
extended model of cybercrime investigation, 163–164, 164f
FORZA, 167–169, 168f
four-step forensic process, 166, 166f
generic computer forensic investigation model, 172–173
integrated digital investigation process, 161–162, 162f
network forensics, generic framework for, 171–172, 172f
objective-based framework for digital investigations process, 165, 165f
phase frequency, 175f
process model for incident and computer forensics, 169–170, 169f
scientific crime scene investigation model, 160–161, 160f
systematic digital forensic investigation model, 173–174
Process regulations, 59
Processing, 19, 38–39, 194–196
validation, 195–196
verification, 194–195
Professional certification, 132
Professional Certified Investigator (PCI), 177
Profiling, 122
Project charter document, 313f–325f
Project planning, 256
Prosecution, 147
Protocol analysis, 109
Quantitative assessment, 204–214
identifying costs, 205
intangible costs, 205
tangible costs, 205
projecting benefits, 205–207
intangible benefits, 206–207
tangible benefits, 206
Reactive activities, 46–47
Records management staff, 216
Recoverability impact, 124, 124t
Recovery, 125
and continuity expenses, 57–58
Recovery time objective (RTO), 102
Registry, 12
Registry Analysis Workshop (RAW), 179
Remote logging, 90–91
Repeatability, 196
Reproducibility, 196
Requirement analysis, 259–260
assessment preparation, 260–261
finalizing requirements, 262–263
gathering requirements, 261–262
importance, 259
interpreting requirements, 262
priority triad, 261f
scope, 260
specification document, 263
Requirements specification document, 327f–334f
Return on investment (ROI), 53, 199, 202
Risk assessment, 222, 255
advantages and disadvantages, 224
methodologies, tools, and techniques, 224–225
qualitative assessments, 222–223
quantitative assessments, 223
ALE, 224
SLE, 223
risk life cycle workflow, 225–235
risk likelihood/severity heat map, 222f
Risk life cycle workflow, 225, 226f
communication, 227
analyzing, 228, 230f
identifying, 227–228, 229f
managing, 228–231, 232f
monitoring, 231–233, 234f
reviewing, 233–235, 235f
risk visualization, 226
Risk likelihood/severity heat map, 222f
Risk management, 133, 221
responses, 231f
variables, 221f
Risk visualization, 226
Rochester Institute of Technology (RIT), 187
Running processes, 10
Scientific crime scene investigation model, 160–161, 160f
Scotland, 183
Scribes, 119
Search of evidence, 36–37
Secure delivery, 91
Secure Hash Algorithm (SHA), 89–90
Secure storage and handling establishment
administrative governance foundations, 99
assurance controls, 101–102
evidence handling, 101
evidence storage, 100–101
incident/investigation response, 101
personnel, 100
backup and restoration strategies, 102–103
digital forensic readiness program, 95
secure storage attributes, 95
end-to-end cryptography, 97
integrity checking, 97–98
least privilege access, 96
physical security, 98–99
privilege assignments, 96f
Security incident response team (SIRT), 46
Security monitoring, 133
Seizure of evidence, 36–37
Sensitivity analysis, 212
Service, 202
agreement contract, 70
description, 200
family/group/category, 200–201
name, 200
owner, 201
Service catalog, 199, 291f
business benefits, 199–200
design considerations, 200
key contact(s), 201
operational service catalog hierarchy, 201f
service costs, 202
service description, 200
service family/group/category, 200–201
service name, 200
service owner, 201
Service costs, 202
allocation, 202
driver, 202
elements, 202
per unit, 202
Service-level objectives (SLO), 70, 117, 202
Shadow price, 207
Signature-based technologies, 107
Simple pattern matching, 109
Single loss expectancy (SLE), 223
Slack space, 12
Snowflake model, 256
Social regulations, 59
Software for evidence management, 33–34
Software testing, 194
South Africa, 183
Special Publication (SP), 90, 144
Specialized knowledge, 132–133
Specification
document, 263
specification-based detection, 110
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege (STRIDE), 239
Staging, architecture with, 251–253, 251f
Stakeholder validation, 213–214
Standard operating procedures (SOP), 74, 117
Standards, 88, 191–192
Star model, 256
Stateful pattern matching, 109
Statement of work (SOW), 193
Static analysis, 195
Status details, 67
Storage
duration, 79–80
infrastructure, 80–81
security, 89
Strategic risk, 54
Structural metadata, 77
Structured threat information expression framework (STIX framework), 237, 238f
Subject, 239, 243
Subject-oriented data, 247, 256
Successful implementation, 151–152
Supporting contractual and/or commercial agreements, 60
Surveys, 218
Sweden, 183–184
SysAdmin, Audit, Networking, and Security (SANS), 178
System date/time, 11
System development life cycle, forensics in, 71
Systematic digital forensic investigation model, 173–174
Systems development life cycle (SDLC), 194, 259
Tangible benefits, 206
Tangible costs, 205
Task prioritization, 136
Taxonomy, 215
building and implementation, 217
classification scheme, 219–220
conduct surveys and interviews, 218
finalizing taxonomy, 220
inventories creation, 218–219
development methodology, 215, 215f
govern and grow, 220
research and assessing, 215
assessing existing data, 217
business requirements and value proposition, 216–217
establishing role within organization, 216
team selection, 215–216
Technical controls, 88
cryptographic algorithms, 90
integrity monitoring, 89–90
remote logging, 90–91
secure delivery, 91
storage security, 89
Technical learning, business learning vs., 135–136
Technical requirements, 262
Technical writing skills, 136
Technology
counseling, 143–144
name, 66
owner, 66
technology-generated data, 24, 86
technology-stored data, 24–25, 86
vendor, 66
Temporary/cache files, 11–12
Test case document, 273f–277f
The Pirate Bay (TPB), 145b
Threat
actors, 123, 239
analysis, 242
category to security property relationship, 56t
risk
matrix, 243–244
modeling, 237
threat/risk assessment report, 305f–310f
Threat and risk assessment (TRA), 243–244
Threat modeling, 133, 237, 244
business risk association, 240
methodologies, 55, 240–243
attack simulation, process for, 242
Microsoft threat modeling, 241
threat analysis, 242
TRIKE, 242–243
STIX framework, 238f
threat risk matrix, 243–244
threat tree workflow, 240f
Time, 75–76
management, 136
variant data, 247
Time value of money (TVM), 208
Tool and equipment validation program, 191
building program, 192
gathering, 193–194
preparation, 192–193
presentation, 196
processing, 194–196
standards and baselines, 191–192
Top-down view, 253
Total cost of ownership, 255
Traditional security monitoring, 106–107
Training, 129
awareness, 130–131
basic knowledge, 131
functional knowledge, 131–132
specialized knowledge, 132–133
Transfer risk, 231
Transform, 249
Transitional requirements, 262
TRIKE, 242–243
Understandable reports, 139
Unidentified data sources, 70
United Arab Emirates, 184
United Kingdom, 184
United States of America, 184–189
Universiteit van Amsterdam (UvA), 183
University of Alabama at Birmingham (UAB), 188
University of Cape Town (UCT), 183
University of Nebraska Omaha (UNO), 188
University of South Australia (UniSA), 179
US Federal Rules of Civil Procedure, 138b
US Securities and Exchange Commission (SEC), 144b–145b
US Supreme Court Rules, 141
Using Internet as an Intelligence Tool (INTINT), 179
Value proposition, 216–217
Vendor-specific certifications, 178
Verbal formal reports, 138
Verbal informal reports, 138–139
Verbal reports, 140
Verification, 194–196
“Wall-and-fortress” approach, 151–152
White box, 196
Wireless Networks Workshop (WNETW), 179
Write once read many (WORM), 101
Written formal reports, 139
Written informal reports, 139
Written reports arrangement, 139–141