***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/syp-operations-and-incident-response/blob/main/README.md) >

## CompTIA Security+ - Course Material 2022
###### Topic: ``Managing Evidence``
***

Course material for the ``CompTIA Security+`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

### [Managing Evidence](#a) <br/><br/>

- [Integrity](#b) <br/><br/>
    - [Hash](#b) <br/><br/>
    - [Checksum](#b) <br/><br/>
    - [Provenance](#b) <br/><br/>
- [Preservation](#c) <br/><br/>
- [E-discovery](#d) <br/><br/>
- [Data Recovery](#e) <br/><br/>
- [Non-repudiation - Message Authentication Code - MAC - Digital Signature](#f) <br/><br/>
    - [Message Authentication Code](#f) <br/><br/>
        - [``MAC``](#f) <br/><br/>
    - [Digital Signature](#f) <br/><br/>
- [Strategic Intelligence](#g) <br/><br/>
    - [Counterintelligence](#h)
<hr width=50%;>

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="a"></a>
***
### Managing Evidence
***

< [Table of Contents](#top) | [References](#references) >
<a id="b"></a>
***
###### Integrity - [Hash] - [Checksum] - [Provenance]
***

When collecting data for evidence, you want to be sure that nothing is going to change with the information that you’ve collected - one way to ensure this is to create a ``hash`` of that data - this is a way to cryptographically verify that what you have collected is going to be exactly the same as what you’re examining later.

Can think of this as a digital fingerprint - would take that fingerprint or create that hash when you first collect the data and then you would verify that hash whenever you perform the analysis to make sure that nothing has changed in the meantime.

A relatively simple integrity check can be done with a ``checksum`` - this is very commonly done with network communication to make sure that the information that we’ve sent from one side of the network to the other has shown up without any type of corruption - this isn’t designed to replace a hash, but it does provide a simple integrity check that might be useful in certain situations.

Also have to think about the original source of this data - refer to this as ``provenance`` - this provides us with documentation of where this data originated - also useful to have a chain of custody so you know exactly where this data has been since the time it was taken - this might even be an opportunity to take advantage of newer blockchain technologies that can provide more detailed tracking of information.

< [Table of Contents](#top) | [References](#references) >
<a id="c"></a>
***
###### Preservation
***

It’s important when working with data as evidence that we are able to preserve this information and to verify that nothing has changed with this information while it’s been stored. 

Commonly will take the original source of data and create a copy of that data, often imaging storage drives or copying everything that might be on a mobile device - this becomes especially useful for these mobile smartphones, since it is possible to remotely erase these devices.

This is not always as simple as powering down the system, removing a drive, and then imaging the information that’s there, especially since many drives are configured with full disk encryption and powering down the system could cause all of that data to be inaccessible - often have to think about different techniques when we’re gathering this data, especially if encryption is in use.

We want to be sure that when we’re gathering this information that we’re using the best practices - this will be especially useful if this information is being used later on in a court of law because they will be examining the process you took to gather these details.
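The integrity and preservation points above (hash the data at collection, image the source, re-verify at analysis, and keep a record of where the data came from) can be put together in a small program. The following is an added example, not code from the course notes or from Professor Messer's material; the `CustodyRecord` shape, the analyst name, the timestamp and the "drive" contents are all constructed for illustration. It also contrasts a simple additive checksum and a CRC with a SHA-256 hash to show why a checksum catches corruption but is not a substitute for a hash.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash/crc32"
	"io"
)

// CustodyRecord is a minimal chain-of-custody entry (an assumed shape, not from the
// course): it ties the image hash to who acquired it and when, so the fingerprint
// taken at collection can be re-checked at analysis time.
type CustodyRecord struct {
	ImageHash   string // SHA-256 of the acquired image, hex encoded
	Size        int64
	CollectedBy string
	CollectedAt string // RFC 3339 timestamp supplied by the collector
}

// Acquire streams a source (a drive opened read-only in practice; a constructed
// bytes.Reader in this example) into dst, hashing the bytes as they pass through.
// Hashing the stream once means the source is read a single time and the hash is
// recorded at the moment of collection.
func Acquire(src io.Reader, dst io.Writer, who, when string) (CustodyRecord, error) {
	h := sha256.New()
	n, err := io.Copy(dst, io.TeeReader(src, h))
	if err != nil {
		return CustodyRecord{}, err
	}
	return CustodyRecord{
		ImageHash:   hex.EncodeToString(h.Sum(nil)),
		Size:        n,
		CollectedBy: who,
		CollectedAt: when,
	}, nil
}

// Sha256Hex is the "digital fingerprint" recomputed at analysis time.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Verify compares the fingerprint of the image being analysed with the one
// recorded when it was collected.
func Verify(rec CustodyRecord, image []byte) bool {
	return int64(len(image)) == rec.Size && Sha256Hex(image) == rec.ImageHash
}

// ByteSumChecksum is a deliberately simple additive checksum of the kind used for
// transmission-error detection: it catches a flipped byte but not a reordering.
func ByteSumChecksum(data []byte) uint8 {
	var sum uint8
	for _, b := range data {
		sum += b
	}
	return sum
}

// Crc32 is the CRC used in Ethernet frames and zip archives: better than a byte sum
// against random corruption, but still not collision-resistant against a deliberate edit.
func Crc32(data []byte) uint32 { return crc32.ChecksumIEEE(data) }

func main() {
	source := []byte("constructed evidence image: not a real disk") // constructed sample
	var image bytes.Buffer
	rec, err := Acquire(bytes.NewReader(source), &image, "analyst-1", "2022-05-21T10:00:00Z")
	if err != nil {
		panic(err)
	}
	fmt.Printf("acquired %d bytes, sha256=%s by %s at %s\n", rec.Size, rec.ImageHash, rec.CollectedBy, rec.CollectedAt)

	// Later, at analysis: the untouched image verifies against the custody record.
	fmt.Println("untouched image verifies:", Verify(rec, image.Bytes()))

	// A single flipped byte is caught by the hash and by both checksums.
	flipped := append([]byte(nil), image.Bytes()...)
	flipped[0] ^= 0x01
	fmt.Println("flipped byte verifies:", Verify(rec, flipped))
	fmt.Println("crc32 changed after flip:", Crc32(flipped) != Crc32(source))

	// Two bytes swapped: the additive checksum is unchanged, the hash is not.
	swapped := append([]byte(nil), image.Bytes()...)
	swapped[0], swapped[1] = swapped[1], swapped[0]
	fmt.Println("byte-sum checksum unchanged after swap:", ByteSumChecksum(swapped) == ByteSumChecksum(source))
	fmt.Println("swapped bytes verify:", Verify(rec, swapped))
}
```

`Acquire` is the only step that touches the source; everything afterwards works on the image and the custody record, which is the order of operations a court will want to see documented.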

< [Table of Contents](#top) | [References](#references) >
<a id="d"></a>
***
###### E-discovery
***

There’s a legal mechanism used to gather information called discovery and when we apply this to digital technologies, it’s referred to as e-discovery. 

The process of e-discovery is about gathering the data - not examining the information - not analyzing the information that we’re gathering - simply going through a list of information that’s been requested, and we’re gathering all of those details, and providing it to the legal authorities.

The process of e-discovery often works in conjunction with digital forensics, for example, with e-discovery, we may be requested to obtain a storage drive and provide that to the authorities. The authorities would then look at that drive and notice that the information on that drive is actually smaller than what they expected. At that point, they can bring in some digital forensics experts that can examine the drive and attempt to recover any data that may have been deleted.

< [Table of Contents](#top) | [References](#references) >
<a id="e"></a>
***
###### Data Recovery
***

Recovering missing data can be a complex process - there’s no single way to go about recovering data, so it takes extensive training and knowledge to know exactly the best way to do it.

The exact process someone goes through varies with how the data went missing from the drive:

> Were the files deleted and then the recycle bin was deleted? 

> Or were the files simply hidden, but are still contained on the storage drive?

> Was there corruption with the data associated with the operating system or the application? 

> Or was the storage media damaged itself? 

All of these situations can have some type of data recovery associated with them if we use the correct techniques.

< [Table of Contents](#top) | [References](#references) >
<a id="f"></a>
***
###### Non-repudiation - [Message Authentication Code - MAC] - [Digital Signature]
***

Another important part of this process is knowing exactly who sent the data originally - if we can ensure that the information that we’ve received is exactly what was sent and we can verify the person who sent it, then we have what’s called non-repudiation. 

With non-repudiation, we not only know who sent the data, but we have a high confidence of exactly who sent that information - this means that the only person who could have sent the data is that original sender.

There are commonly two ways to provide non-repudiation: 

> Message Authentication Code (``MAC``)

With ``MAC``, the two parties that are communicating back and forth are the only ones that can verify that non-repudiation.

> Digital Signature

Anyone who has access to the public key of the person who wrote the information can verify that they sent it - this is obviously a much broader non-repudiation since it would be verified by anyone and not just the two parties in the conversation.
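The difference between the two mechanisms is easiest to see side by side. The following is an added example, not code from the course notes or from Professor Messer's material; the party names (Alice, Bob, an outsider), the shared key, the fixed signing seed and the message are all constructed. It uses HMAC-SHA256 for the ``MAC`` and Ed25519 for the digital signature, and shows that a ``MAC`` can only be checked by a holder of the shared key (and that either holder can produce the same tag), while a signature can be checked by anyone holding the signer's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// MacTag computes an HMAC-SHA256 tag over msg with a key shared by exactly two parties.
func MacTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// MacVerify recomputes the tag and compares it in constant time. Only a holder of
// the shared key can do this, and any holder can also produce a valid tag.
func MacVerify(key, msg, tag []byte) bool {
	return hmac.Equal(MacTag(key, msg), tag)
}

// ConstructedSeed returns a fixed 32-byte seed so the example is reproducible.
// A real signing key is generated with ed25519.GenerateKey(rand.Reader) and is never hard-coded.
func ConstructedSeed() []byte {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = byte(i)
	}
	return seed
}

// NewSigner derives an Ed25519 key pair from a seed: the private half stays with the
// signer, the public half can be handed to anyone who needs to verify.
func NewSigner(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Sign produces a signature that only the holder of priv could have made.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

// VerifySignature needs only the public key, so any third party can run it.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	msg := []byte("evidence log entry 42: image acquired")            // constructed sample
	sharedKey := []byte("constructed-shared-key-for-alice-and-bob") // constructed key

	// MAC: Alice tags, Bob verifies. An outsider without the key cannot check the tag,
	// and because Bob holds the same key he could have produced the identical tag, so
	// the tag does not prove to an outsider which of the two actually sent the message.
	tagFromAlice := MacTag(sharedKey, msg)
	tagFromBob := MacTag(sharedKey, msg)
	fmt.Println("Bob verifies Alice's tag:", MacVerify(sharedKey, msg, tagFromAlice))
	fmt.Println("Bob's own tag is identical:", hmac.Equal(tagFromAlice, tagFromBob))
	fmt.Println("outsider with a different key verifies:", MacVerify([]byte("other-key"), msg, tagFromAlice))

	// Digital signature: only Alice's private key can produce it, anyone with her
	// public key can verify it, and a changed message fails.
	alicePub, alicePriv := NewSigner(ConstructedSeed())
	sig := Sign(alicePriv, msg)
	fmt.Println("anyone with Alice's public key verifies:", VerifySignature(alicePub, msg, sig))
	tampered := append([]byte("X"), msg[1:]...)
	fmt.Println("tampered message verifies:", VerifySignature(alicePub, tampered, sig))
	fmt.Println("signature (first bytes):", hex.EncodeToString(sig)[:16], "...")
}
```

For evidence handling this is why a signed acquisition log carries more weight than a MAC-protected one: the signature can be checked later by an examiner or a court without anyone having to share the signer's secret.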

< [Table of Contents](#top) | [References](#references) >
<a id="g"></a>
***
###### Strategic Intelligence 
***

Gathering evidence can also be done by using Strategic Intelligence - this is when we are focusing on a domain and gathering threat information about that domain - might want to look at business information, geographic information, or details about a specific country.

Might get much of this information from threat reports that we create internally or information that we’re gathering from a third-party - there might also be other data sources, especially open source intelligence or OSINT, that could provide additional details.

If we’re looking at information over an extended period of time, we may be able to track certain trends that would give us more information about the threat.

< [Table of Contents](#top) | [References](#references) >
<a id="h"></a>
***
###### Counterintelligence
***

If we’re the subject of someone’s Strategic Intelligence, we may want to prevent that intelligence gathering from occurring, and instead we would perform strategic Counterintelligence (``CI``).

With ``CI``, we would identify someone trying to gather information on us and we would attempt to disrupt that process and then we would begin gathering our own threat intelligence on that foreign operation.

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

J. "Professor" Messer, "CompTIA Security+ (SY0-601) Course Notes," [professormesser.com](https://web.archive.org/web/20220521181010/https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/sy0-601-comptia-security-plus-course/), September 2021.

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
## END
