Legal Holds + Acquiring Forensic Data + Validating Forensic Data Integrity

7 Terms

1

A legal hold or litigation hold

is a notice that informs an organization that it must preserve data and records that might otherwise be destroyed or modified in the course of its normal operations

2

Discovery processes

allow each side of a legal case to obtain evidence from each other and other parties involved in the case

3

The order of volatility documents

what data is most likely to be lost due to system operations or normal processes

4

Common forensic locations include the following

  • CPU cache and registers

  • Ephemeral data such as the process table, kernel statistics, the system's ARP cache, and similar information

  • RAM

  • Swap and pagefile information

  • Files and data on disk

  • Operating system

  • Devices such as smartphones, tablets, IoT devices, and embedded or specialized systems

  • Firmware

  • Snapshots from VMs

  • Network traffic and logs

  • Artifacts like devices, printouts, media, and other items related to investigations

5

It is important

to maintain chain-of-custody documentation if the forensic case may result in a legal case

6

In cloud environments, you will often have to consider

  • Right-to-audit clauses

  • Regulatory and jurisdiction concerns

  • Data breach notification laws

7

Validating Forensic Data Integrity

  • Create a hash

  • Document the provenance: where an image or drive came from and what happened to it