OFFICIAL (ISC)2® GUIDE TO THE
CCFP℠ CBK®
OTHER BOOKS IN THE (ISC)2® PRESS SERIES
Official (ISC)2® Guide to the CISSP® CBK®, Fourth Edition
Adam Gordon, Editor
ISBN: 978-1-4822-6275-9
Official (ISC)2® Guide to the HCISPP℠ CBK®
Steven Hernandez, Editor
ISBN: 978-1-4822-6277-3
Official (ISC)2® Guide to the CCFP℠ CBK®
Peter Stephenson, Editor
ISBN: 978-1-4822-6247-6
Official (ISC)2® Guide to the ISSAP® CBK®, Second Edition
Adam Gordon, Editor
ISBN: 978-1-4665-7900-2
Official (ISC)2® Guide to the CAP® CBK®, Second Edition
Patrick D. Howard
ISBN: 978-1-4398-2075-9
Official (ISC)2® Guide to the SSCP® CBK®, Second Edition
Harold F. Tipton, Editor
ISBN: 978-1-4398-0483-4
Official (ISC)2® Guide to the ISSAP® CBK®
Harold F. Tipton, Editor
ISBN: 978-1-4398-0093-5
Official (ISC)2® Guide to the ISSMP® CBK®
Harold F. Tipton, Editor
ISBN: 978-1-4200-9443-5
CISO Leadership: Essential Principles for Success
Todd Fitzgerald and Micki Krause, Editors
ISBN: 978-0-8493-7943-X
Official (ISC)2® Guide to the CISSP®-ISSEP® CBK®
Susan Hansche
ISBN: 978-0-8493-2341-X
OFFICIAL (ISC)2® GUIDE TO THE
CCFP℠ CBK®
Edited by
Dr. Peter Stephenson, PhD, CCFP, CISSP, CISM, FICAF
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2014 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Version Date: 20140513
International Standard Book Number-13: 978-1-4822-6248-3 (eBook - PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at
http://www.crcpress.com
Contents
Foreword
Introduction
Authors
Editors
Contributors
Domain 1 – Legal and Ethical Principles
References
Chapter 1 - The Nature of Evidence and its Characteristics
Cyber Forensics
Digital Evidence
The Investigative Process
Use of Evidence in Legal Proceedings
Authenticity and Reliability
Terms to Know
Points to Ponder
References
Chapter 2 - Chain of Custody
Initiating a Chain of Custody
Logging and Tracking Evidence
Marking, Securing, and Protecting Evidence
Computers and Laptops
Removable Media
Cell Phones and Other Electronic Devices
Storing Evidence
Transferring Evidence within an Agency
Transferring Evidence to Another Agency
Chapter 3 - Rules of Procedure
Roles and Responsibilities of Investigators
Roles and Responsibilities of Forensic Examiners
Roles and Responsibilities of Experts
Admissibility of Evidence
Terms to Know
Points to Ponder
Chapter 4 - Role of the Expert Witness
Types of Witnesses
The Rules of Expert Testimony
Expert Testimony Standards and Key Court Cases
Qualifying as an Expert in Court
Expert Roles
Scientific Conclusions, Opinions and Recommendations
Bearing, Demeanor, and Appearance
Correcting Testimony
Depositions
Legal Terms to Know
Chapter 5 - Codes of Ethics
Demystifying the Code of Ethics
Ethical Decision Making
The Need for Ethics in Digital Forensics
The Training of Ethics in Digital Forensics
The Regulation of Ethics in Digital Forensics
The Privacy and Confidentiality Issues of Digital Forensics
Work-Product Doctrine
Attorney-Client Privilege and Confidentiality
The Special Obligations of Litigation Support in Digital Forensics
The Legality of Investigation Techniques in Digital Forensics
Ethics
(ISC)2 Code of Ethics
AAFS Code of Ethics
ISFCE Code of Ethics and Professional Responsibility
Points to Ponder
Endnotes
Domain 1: Review Questions
Domain 2 – Investigations
Chapter 6 - The Investigative Process
The Investigation Process
Addressing the Complaint
Case Preparation Phase
Routine Investigative Activities: A Jumping-Off Point for Any Investigation
The Perishable Nature of Data
Team Effort
Seeking Out Sources of Data
Let the Experts Do It
Putting It All Together
Follow-Up
References
Chapter 7 - Evidence Management
Evidence Issues
Evidence Preservation
Tracking Evidence
Disposing of Evidence
Points to Ponder
For Further Thought
References
Chapter 8 - Criminal Investigations
Criminal versus Civil Actions
Launching a Criminal Investigation
Elements of a Crime
What is a Crime?
Points to Ponder
For Further Thought
References
Chapter 9 - Civil Investigations
Civil Investigator
Civil versus Criminal
Methods, Privileges, and Limitations of Civil Investigators
Nature of Litigants
Torts and Delicts
Burden of Proof
Points to Ponder
References
Chapter 10 - Administrative Investigations
A Definition of Administrative Investigations
Employee Misbehavior and Corruption
The Role of the Inspector General
Evidence Found in Workplace Technology
Confidentiality
Points to Ponder
References
Chapter 11 - Forensic Response to Security Incidents
Implementing an Incident Response Plan
Ensuring Business Continuity
Understanding and Limiting Liability
Avoiding Legal Issues
Attaining Certification
Points to Ponder
Chapter 12 - Electronic Discovery
Defining Discovery
Understanding Spoliation
Noting Changes in E-Discovery Law
Limiting Scope of Discovery
Choosing Forensic or Non-Forensic E-Discovery
Forensic E-Discovery
Non-Forensic E-Discovery
Following an E-Discovery Standard
Reviewing Liability
Points to Ponder
Chapter 13 - Intellectual Property Investigations
Intellectual Property Investigations
Types of Intellectual Property
Investigation Steps
Potential Criminal Action
Liability
Points to Ponder
Domain 2: Review Questions
Domain 3 – Forensic Science
Chapter 14 - Fundamental Principles
Introduction to Forensic Science
Locard’s Principle of Transference
The Inman-Rudin Paradigm
The Philosophy of Science
The Scientific Method
The Characteristics of Forensic Science
References
Chapter 15 - Forensic Science Processes
The Purpose of Forensic Examination
Identification
The Digital Evidence Categorization Model
Individualization/Classification
Association
Reconstruction
Relational Analysis
Functional Analysis
Temporal Analysis
References
Chapter 16 - Forensic Analysis and Examination
Documentation and Case Notes
Examination/Investigation Goals
Hypothesis Formulation/Criteria
Experimental Design and Tool Selection
Examination Plan Execution
Results Review and Evaluation
Conclusion and Opinion Formulation
Points to Ponder
For Further Thought
Chapter 17 - Report Writing and Presentation
Rationale for Reporting
Preparing for the Reporting Phase
Designing Your Report
Incorporation of Examination Results in the Report
Conclusions and Opinions
Clarity and Scientific Accuracy
Report/Presentation appropriate to the Audience and Venue
Points to Ponder