CISSP Domain 7

CISSP Domain 7 – Investigation types

There are four different investigation types:

Administrative:

  • Lower burden of proof.
  • Conducted inside an organization.
  • Violation of organizational policies.

Criminal:

  • Evidence needs to be beyond a reasonable doubt.
  • Prosecution under criminal laws.
  • Laws protect the physical integrity of people and society as a whole.
  • Punishment is incarceration, financial penalties, and even death.

Civil:

  • Preponderance of evidence.
  • Between private entities.
  • Determines whether an entity is liable or not.
  • Laws are enforced to govern matters between citizens and organizations; crimes are still handled as criminal matters.
  • Civil cases can relate to contracts, estates, etc.
  • The evidence standard is preponderance of the evidence.
  • One of the major differences between criminal and civil law is that criminal law is enforced by the government, whereas under civil law a person or organization must raise the issue themselves.

Regulatory:

  • Preponderance of evidence.
  • Can be either criminal or civil.
  • Determines whether an organization is compliant with a regulation.

CISSP Domain 7 – Evidence

  • Real Evidence, also called material evidence, consists of tangible, physical objects that can be presented in court and can be touched and inspected. This can include hard disks, USB drives, etc. It is NOT the data that resides on them. Real evidence must be either uniquely identified by a witness or authenticated through a documented chain of custody.
  • Direct Evidence is testimony from a firsthand witness about what they experienced with their five senses.
  • Circumstantial Evidence is also known as indirect evidence. It is distinguished from direct evidence, which, if believed, proves the existence of a particular fact without any inference or presumption required. Circumstantial evidence relates to a series of facts other than the particular fact sought to be proved.
  • Corroborating Evidence is a collection of facts and information that backs up someone’s story. In a court of law, corroborating evidence is used to uphold the testimony of witnesses.
  • Hearsay Evidence refers to an out-of-court statement made by someone other than the witness reporting it. In certain courts, hearsay evidence is inadmissible unless an exception to the Hearsay Rule applies. Computer-generated records, and with them log files, were once considered hearsay, but case law and updates to the Federal Rules of Evidence have changed that.
  • Best Evidence Rule is a legal principle that requires an original document, photograph, or other piece of evidence to be introduced to the court to prove the contents of that same item. The rule specifies that secondary evidence, such as a copy or facsimile, will not be admissible if an original document exists and can be obtained. The rule has its roots in 18th-century British law.
  • Documentary Evidence is a form of evidence that is presented and allowed as evidence in a trial or hearing. It is distinguished from oral testimony and physical evidence. Photographs, tape recordings, films, and printed emails are all forms of documentary evidence.
  • Oral Evidence refers to a statement made by a witness in court concerning a matter of fact. Oral evidence therefore consists of the statements of witnesses who testify to facts they perceived or knew, and it must be recorded by the court.

The 5 Rules of Evidence

  1. Be Authentic
  2. Be Accurate
  3. Be Complete
  4. Be Convincing
  5. Be Admissible

To be admissible, evidence must be relevant, material, and competent.

Search Warrants

  • To obtain a search warrant, investigators must have probable cause.
  • Exigent circumstances is a term that describes the seizure of evidence without a warrant. It can apply when there is a probable chance that evidence will be destroyed.

Electronic Discovery

Electronic discovery, also called e-discovery or eDiscovery, is the technical term for the discovery of all legal documents and evidence and handing over all documents in an electronic format that are relevant to a particular dispute. Electronic information is considered different than paper information because of its intangible form, volume, transience, and persistence. Electronic information is usually accompanied by metadata that is not found in paper documents and that can play an important part as evidence. For example, the date and time a document was written could be useful in a copyright case.

The EDRM diagram represents a conceptual view of the stages of the e-discovery process.

Information Governance – Getting your electronic house in order to mitigate risk & expenses should e-discovery become an issue, from initial creation of ESI (electronically stored information) through its final disposition.

Identification – Locating potential sources of ESI & determining its scope, breadth & depth.

Preservation – Ensuring that ESI is protected against inappropriate alteration or destruction.

Collection – Gathering ESI for further use in the e-discovery process (processing, review, etc.).

Processing – Reducing the volume of ESI and converting it, if necessary, to forms more suitable for review & analysis.

Review – Evaluating ESI for relevance & privilege.

Analysis – Evaluating ESI for content & context, including key patterns, topics, people & discussion.

Production – Delivering ESI to others in appropriate forms & using appropriate delivery mechanisms.

Presentation – Displaying ESI before audiences (at depositions, hearings, trials, etc.), especially in native & near-native forms, to elicit further information, validate existing facts or positions, or persuade an audience.
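The Preservation stage above, and the earlier note that real evidence must be authenticated through a documented chain of custody, both come down to one mechanism: hash the item when it is acquired, re-verify the hash at every hand-off, and refuse to pass on anything that no longer matches. The following is an added illustration, not code from the original post; the item ids, custodian names and the sample log line are constructed.

```python
import hashlib


def sha256_bytes(data: bytes) -> str:
    """Hash the evidence content; the digest is the integrity reference taken at acquisition."""
    return hashlib.sha256(data).hexdigest()


def acquire(item_id: str, data: bytes, custodian: str, when: str) -> dict:
    """Open a chain-of-custody record for one item of ESI at the Preservation stage."""
    return {
        "item_id": item_id,
        "sha256": sha256_bytes(data),
        "custody": [{"action": "acquired", "by": custodian, "at": when}],
    }


def transfer(record: dict, data: bytes, from_person: str, to_person: str, when: str) -> dict:
    """Record a hand-off only after re-verifying the hash, so an altered item is never passed on silently."""
    if sha256_bytes(data) != record["sha256"]:
        raise ValueError(f"{record['item_id']}: hash mismatch at transfer; integrity cannot be attested")
    record["custody"].append(
        {"action": "transferred", "from": from_person, "to": to_person, "at": when}
    )
    return record


def verify(record: dict, data: bytes) -> bool:
    """Confirm the item presented now is the same item that was acquired (authentic and accurate)."""
    return sha256_bytes(data) == record["sha256"]


# Constructed sample: a one-line log file stands in for a preserved disk image or mailbox export.
SAMPLE_ESI = b"2024-01-15T09:12:03Z user=jdoe action=login src=10.0.0.5\n"


def demo() -> dict:
    """Acquire the sample item and hand it from the analyst to legal, verifying at each step."""
    rec = acquire("ITEM-001", SAMPLE_ESI, "analyst_a", "2024-01-16T10:00:00Z")
    transfer(rec, SAMPLE_ESI, "analyst_a", "legal_b", "2024-01-17T08:30:00Z")
    return rec


if __name__ == "__main__":
    record = demo()
    print(record["sha256"], len(record["custody"]), "custody entries")
```

A record whose hash no longer matches the item cannot satisfy the "authentic" and "accurate" rules of evidence, which is why the transfer step refuses rather than logging the hand-off anyway.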

Logging and Monitoring Activities

  • Intrusion detection and prevention – there are two technologies that you can use to detect and prevent intrusions. Some solutions combine them into a single software package or an appliance.
    • An intrusion detection system (IDS) is a technology, typically software or an appliance, that attempts to identify malicious activity in your environment. Solutions often rely on patterns, signatures, or anomalies. There are multiple types of IDS solutions. For example, there are solutions specific to the network (network IDS or NIDS) and others specific to computers (host-based IDS or HIDS).
    • An intrusion prevention system (IPS) can help block an attack before it gets inside your network. In the worst case, it can identify an attack in progress. Like an IDS, an IPS is often software or an appliance. However, an IPS is typically placed in line on the network so it can analyze traffic coming into or leaving the network, whereas an IDS typically sees intrusions after they’ve occurred.
  • Security information and event management (SIEM) – companies have security information stored in logs across multiple computers and appliances. Often, the information captured in the logs is so extensive that it can quickly become hard to manage and use. Many companies deploy a security information and event management (SIEM) solution to centralize the log data and make it simpler to work with. A SIEM is a critical technology in large and security-conscious organizations.
  • Continuous monitoring – the process of streaming information related to the security of the computing environment in real time (or close to real time). Some SIEM solutions offer continuous monitoring or at least some features of continuous monitoring.
    • Egress monitoring – the monitoring of data as it leaves your network. One reason is to ensure that malicious traffic doesn’t leave the network, like infected computers trying to spread malware to hosts on the internet. Another reason is to ensure that sensitive data, such as customer information or HR information, does not leave the network unless authorized.
    • Data loss prevention (DLP) solutions focus on reducing or eliminating sensitive data leaving the network.
  • Steganography is the art of hiding data inside another file or message. For example, a text file can be hidden inside a picture file. Because the carrier file appears innocuous, especially a detailed image with many colors, the hidden data can be difficult to detect.
  • Watermarking is the act of embedding an identifying marker in a file. For example, you can embed a company name in a customer database file or add a watermark to a picture file with copyright information.
