Note: Page numbers in italic and bold refer to figures and tables, respectively.
acceptable use policy (AUP) 229, 252
access logs 27
active data 274
actuation module, IoT 269, 270
ADAM (Advanced Data Acquisition Model) 380, 381
administrative governance foundations 135–6; assurance controls 138; evidence handling 137; evidence storage 137; incident and investigative response 137; personnel 136
adolescence, digital crime 7
Advanced Data Acquisition Model (ADAM) 380, 381
advanced persistent threats (APT) 7
adverse event 160
airplane mode 257
ALE (annualized loss expectancy) 323–4
American Academy of Forensic Sciences (AAFS) 7
analytical techniques: anomaly detection 151–2; deductive forensics 154–6, 155; extractive forensics 153–4; inductive forensics 154; machine learning 152–3; misuse detection 150–1; specification-based detection 152
annualized loss expectancy (ALE) 323–4
annual rate of occurrence (ARO) 323
anomaly detection technique 151–2
application programming interface (API) 235, 247, 274
application services, security controls 231
application software 97
application whitelisting 149
application zone, IoT 276
APT (advanced persistent threats) 7
arbitrary regulations 94
architectural models, EDW: basic architecture 347, 347; data marts 348, 349; with staging 348, 349; staging and data marts 349, 349–50
ARO (annual rate of occurrence) 323
asset management and discovery 277, 279
assurance controls 138
audit information 25
audit logs 27
AUP (acceptable use policy) 229, 252
Australian Crimes Act 6
Australian (AU) Cybercrime Act 205–6
Australian Signal Directorate (ASD) 149–50
authentication threats 425
authenticity, digital evidence 13–14
authorization threats 425
availability threats 424
baseline-future scenario gap analysis 311
basic training (continuing education) 239, 265, 285
benefits analysis, forensics readiness program: control expansion 83–4; crime deterrent 84; disclosure costs 84–5; governance and compliance 84; law enforcement 84; legal preparations 84; minimizing costs 83
best evidence rule 112
binding precedent 207
Blackberry 244
black box 294
bottom-up view, EDW 350
bring your own device (BYOD) model 251, 255, 258
British Computer Abuse Act (1990) 6
budget management 191
business case 413; advantages/disadvantages 415; alternative analysis 419; alternatives 416; assumptions 416; business analysis 414–15; contact persons 419; executive summary 414; financial analysis 418–19; funding 418; governance structure 417; key success metrics 417; recommendation 412; risks 416; roles & responsibilities 419; sensitivity analysis 419; timing/schedules 416
business code of conduct policy 55–6
business process systems 97
business query view, EDW 350
business risks 63–4, 87–8, 338–9
business scenarios 64–6; cloud forensic 225–6; IoT forensic 273; mobile device forensics 248–9
BYOD (bring your own device) model 251, 255, 258
CBA see cost-benefit analysis (CBA)
CBK see common body of knowledge (CBK)
certifications: and accreditations 61; and professional organizations 56–60
Certified Advanced Windows Forensics Examiner (CAWFE) 58
Certified Computer Examiner (CCE) 58–9
Certified Forensics Computer Examiner (CFCE) 58
chain-of-evidence model 116, 116
chip-off analysis 247
choose your own device (CYOD) model 255
CIA triad (confidentiality, integrity, and availability) 105
click-wrap agreement 242
cloud computing 30–1, 188, 218, 220; challenges 223–4; characteristics 220; containerization 224; delivery models 221–2; enterprise strategies 228; evidence gathering and processing 224; first responders 224; governance 228–9; history of 218–19; hyper-scaling 223–4, 234; isolation models 222; mobility 223; model dimensions 222; RA 229–32; security and configuration standards 229; security control 230, 230–2; service models 221; trust, layers of 232–4, 233
cloud forensics 15, 181, 225; business risk scenarios 225–6; continuing education 238–40; data sources 226–7; evidence-based presentations 240; evidence, collection of 227–32; investigative workflows 225, 236–8; legal admissibility 232–4; legal review 240–2; secure storage and handling 234–5; targeted monitoring 235–6
cloud service providers (CSP) 31, 97, 104, 224, 229, 234, 241
cluster 154
COBO (corporate-owned, business only) model 255, 258
code of conduct 229
commercial-off-the-shelf (COTS): solutions 353; technologies 42, 44
common body of knowledge (CBK) 2, 6, 8, 11, 18, 57
communication: module, IoT 269, 270; plans 163; skills 190
communication, risk management: analyze 329, 330; identify 327, 328; manage 329–32, 332; monitor 332–3, 333
community cloud model 221
computer forensics 5–6, 15; field triage process model 372, 373; investigative process 364, 364; process model 364, 365
confidentiality threats 423
conflict resolution 191
content filtering 147
continuing education: cloud forensic 238–40; digital forensics experts 192, 194; educational roadmap 185–92, 193; hierarchy 178; IoT forensic 284–5; mobile device forensics 265–6; organizational roles and responsibilities 182–5; and training 177–81
continuity threats 424
corporate-owned, business only (COBO) model 255, 258
corporate-owned, personally enabled (COPE) model 255
cost assessment, forensics readiness program 82–3
cost-benefit analysis (CBA) 109, 301–2; comparative assessment 306; estimated costs and benefits 307; identifying costs 303; intangible benefits 305–6; intangible costs 304; problem statement 302–3; projecting benefits 304; quantitative assessment 303; tangible benefits 304; workflow 302
COTS see commercial-off-the-shelf (COTS)
crime deterrent 84
crime prevention through environmental design (CPTED) 129
critical thinking 190
cryptographic hash algorithm 235, 277
CSP see cloud service providers (CSP)
cyber and security investigations 188
cybercrime 181; indirect business loss 91–2; overhead time and effort 91; recovery and continuity expenses 92; risk mitigation controls 90–1; security properties 89, 90; threat modeling 89–90, 90
cyber espionage 7
cyber forensics training and operations, process flows for 374, 374
cyclic redundancy checks (CRC) 127
CYOD (choose your own device) model 255
data: breach 176; exposure concerns 105; integrity 126; management solutions 25, 97; replication 139; restoration strategy 138–40; in transit 128, 132–3
data-in-use 133
data loss prevention (DLP) 25, 147, 254
data security 83; requirements 119–20
data sources: action plan 98–9; background evidence 97; cloud forensic 226–7; document deficiencies 101–4; foreground evidence 97; identification 99–101; inventory matrix 426; IoT forensic 273–4; mobile device forensics 249–51; personal computing systems 96; view, EDW 350
data warehouse 344; architectural models 346–50, 347; data lake vs. 351; design methodologies 350–2; development concepts 345; implementation factors 352–4; project planning 354
dedicated isolation models 222
deductive forensics 154–6, 155
defense-in-depth strategy 144–5, 145
delivery models, cloud computing 221–2
detective controls 129
deterrent security controls 128–9
device zone, IoT 275
DFRWS see Digital Forensics Research Workshop (DFRWS)
digital and multimedia sciences (DMS) 7
digital artifacts 28
digital crimes: adolescence 7; childhood 6–7; future 8–9; infancy 5–6; prologue 4–5
digital evidence 80; background 25; business operations 110–11; cost elements 109; evidence storage networks 51–2; foreground 25–6; FRE 32–4; investigative process methodology 34–51; legal actions 111; legal/regulatory requirements 111; legal system 24; sources of 26–32; technology-generated data 25; technology-stored data 25
digital forensic investigations framework 372, 372, 376, 376
digital forensic procedures, abstract model 366, 367
digital forensic readiness: business-centric focus 213–14; costs and benefits 214–15; process model 22–3, 23; systematic and proactive approach 214
Digital Forensics Certification Board (DFCB) 57
Digital Forensics Research Workshop (DFRWS) 6; investigative model 365, 365
digital forensics resources 17
digital forensics team: roles 183–4; titles 184–5
digital forensics tool testing process model 292
DLP (data loss prevention) 25, 147, 254
document deficiencies: insufficient data availability 101–3; unidentified data sources 104
dual data analysis process 375, 376
dynamic analysis 294
dynamic data 274
economic regulations 93
e-discovery see electronic discovery (e-discovery)
educational roadmap 71, 185–6, 193; non-technical knowledge 189–92; technical knowledge 186–9
education and professional certifications 383; formal education programs 385–93; industry-neutral certifications 383–4; vendor-specific trainings/certifications 384
education and training program: awareness 82–3, 178–9; basic knowledge 179–80; functional knowledge 180; specialized knowledge 180–1
EDW see enterprise data warehouse (EDW)
electronically stored information (ESI) 13, 25, 142–3, 240, 277, 285, 351; cloud computing 30, 223, 226; contractual and commercial agreements 95; disclosure costs 84–5; e-discovery 188; hyper-scaling 223–4; information security and cyber security 144; mobile devices 249; SAN 52; text mining 153–4
electronic communication channels 26, 97
electronic crime scene investigation 364
electronic discovery (e-discovery) 15, 76, 84–5, 181, 188
elevation of privilege 90
elevator speech 197
email abuse 176
encrypted file system (EFS) 125, 133
end-to-end digital investigation 368, 368
enhanced integrated digital investigation process 369, 369
enterprise data warehouse (EDW) 52, 112, 118, 131, 344
enterprise management strategies: cloud forensics 228; mobile device forensics 251–6
enterprises: business risks 63–4; governance framework 67, 67; law enforcement agencies 62; outline business scenarios 64–6; phase 11; service catalog 70; technical execution 69
enterprise security 142–4; defense-in-depth strategy 144–5, 145; information security vs. cyber security 144; modern security monitoring 146–7; traditional security monitoring 145–6, 146
entity-relationship (ER) model 346
error logs 27
escalation management: functional 165, 165–6; hierarchical 164, 164
ESI see electronically stored information (ESI)
ethics: business 55–6; certifications and accreditations 61; certifications and professional organizations 56–60; computer 54–5; confidentiality and trust 60; due diligence and duty of care 60; impartiality and objectivity 60; importance 53; openness and disclosure 60; personal 54; professional 54
EU ePrivacy Act 205
evaluation period 73
event-based digital forensic investigation framework 371, 371
event vs. incident 160
evidence: authenticity 134; exchange 11–12, 12; handling 137; management 186
evidence-based presentation: cloud forensic 240; IoT forensic 285–6; mobile device forensics 266
evidence-based reporting: exculpatory evidence 199–200; factual reports 195–6; inculpatory evidence 199–200; types of 196–7; understandable reports 197–8; written reports, arrangement 198–9
evidence collection factors: best evidence rule 112; cause and effect 114–15; correlation and association 115–16; corroboration and redundancy 117; metadata 113–14; storage duration 117–18; storage infrastructure 118–19; time 112–13
evidence, collection of: cloud forensic 227–32; IoT forensic 274–5; mobile device forensics 251–6
evidence storage 137; networks 51–2
evolutionary cycle 9; ad hoc phase 9–10; enterprise phase 11; structured phase 10
examiner and analyst role 183
exculpatory evidence 199–200, 207
extended model of cyber crime investigation 369–70, 370
external information sharing 164
external logs 27
external zone, IoT 276
extraction, transformation, and loading (ETL) function 347
FAIoT (forensics-aware IoT) model 281, 282
Federal Information Security Management Act (FISMA) 126
Federal Rules of Civil Procedure (FRCP) 84
Federal Rules of Evidence (FRE) 112, 122, 256; authenticity 32; legal systems 33; requirements, business record 33; Rule 902(11) 33; Rule 902(12) 34
file integrity monitoring (FIM) 25, 126, 155
file systems 187
financial services 65
FISMA (Federal Information Security Management Act) 126
Florida Computer Crimes Act 5
forensic: architectures 105–6; computer analysis 5; computing 5; investigations 15
forensics-aware IoT (FAIoT) model 281, 282
forensics readiness methodology: cloud forensics 225–42; IoT 272–87; mobile device forensics 248–67
forensics readiness program: benefits analysis 83–5; business requirement, stakeholders 81; cost assessment 82–3; digital evidence 80; implementation 85–6; objectives 81
forensics readiness scenarios: assessment 95; compliance, regulatory/legal requirements 93–4; contractual and commercial agreements 94–5; court-ordered data, release of 94; cybercrime, impact of 89–92; disciplinary actions 92–3
forensics soundness: authenticity and integrity 13–14; chain of custody 14–15; ESI 12–13; scientific principles 13
forensics toolkit: concept of 69; maintenance 71–2
formal education programs 239–40, 266, 285; Australia 385–6; Canada 386; England 386–8; India 388; Ireland 388; Italy 388; Netherlands 388; Scotland 389; South Africa 389; Sweden 389; United Kingdom 389; United State of America 389–93; Wales 393
form factor 271
four-step forensic process 372, 372
FRCP (Federal Rules of Civil Procedure) 84
FRE see Federal Rules of Evidence (FRE)
fruits of crime 3
Frye standard 208
full-disk encryption (FDE) 125
full-time equivalents (FTEs) 73
functional escalation 165, 165–6
functional impact prioritization 168, 168
functional knowledge 180
functional requirements 358
gap analysis 311
gathering phase: cloud forensic 237–8; IoT forensic 279–81; mobile device forensics 261–3
general awareness (continuing education) 178–9, 239, 265, 284
General Data Protection Regulation (GDPR) 203
generic computer forensic investigation model 378–9, 379
Global Positioning System (GPS) 113
good conflict regulations 94
good faith regulations 94
governance document maintenance 82
governance framework: digital forensics capabilities 68–9; documentation hierarchy 68, 68; enterprise 66–7, 67; information security (IS) 67; information technology (IT) 67
grid computing 220
guide metadata 114
Health Insurance Portability and Accountability Act (HIPAA) 126, 203
heuristical analysis 151
hierarchical escalations 164, 164
high-level digital forensics process model 21–2, 22; cloud forensic 225; IoT forensic 272; mobile device forensics 248
HIPAA (Health Insurance Portability and Accountability Act) 126, 203
hybrid cloud model 222
hyper-scale environments 223–4, 234
IaaS see infrastructure as a service (IaaS)
implementation factors, EDW: best-of-breed 353–4; business-driven 352; buy/build 353; eggs-in-one-basket 353–4; risk assessment 353; value/expectation 352
incident: and computer forensics, process model 375, 375; response 15, 188; vs. event 160
incident management lifecycle 83, 157, 158, 181; forensic readiness integration 158, 158–9; learn 171–2; preparation 159–66; respond 166–9; restore 169–71
incident response team (IRT) 172–4; digital forensics 174–5; team structure and models 161–3
incidents prioritization: functional 168, 168; informational 168, 168; recoverability 169, 169
inculpatory evidence 199–200, 207
indicator incidents 166
industry regulation 76
information: assurance 181; disclosure 90, 338; services, security controls 231
informational data 345
informational impact prioritization 168, 168
information security (IS) management: cyber security vs. 144; framework 136; governance 67; guidelines 36–7, 37; hierarchy of 35, 35; policies 35–6, 36; procedures 37–9; standards 37, 38
information technology (IT) 4; governance 67; law 203–4; service catalog 297
infrastructure as a service (IaaS) 221; security controls 229
infrastructure devices 29
infrastructure logs 27
infrastructure services, security controls 231–2
intangible costs 304
integrated digital investigation process 367, 367
integrity 13–14; checking 133–4; monitoring 126; threats 423–4
internal memory data objects, mobile devices 249–50
internal rate of return (IRR) 309
International Association of Computer Investigative Specialists (IACIS) 58
International Society of Forensics Computer Examiners (ISFCE) 58–9
internet abuse 176
Internet of Things (IoT): challenges with 270–2; characteristics 270; evidence gathering and processing 271–2; forensics toolkits 272; form factor 271; goal of 270; history 268–9; module 269, 270; privacy 271, 287; security 271, 287; trust zones 275–6, 276
internet protocol security (IPsec) 128
internet service providers (ISP) 97
interpersonal skills 190
interrogation 190
intrusion attempts 176
intrusion detection systems (IDS) 278
intrusion prevention systems (IPS) 117, 278
investigation principles 186
investigative final report 408–10
investigative process methodology 363; digital forensics readiness model 22–3, 23; existing process models 18–22; hardware and software 43–5; information security management 35–9; lab environment 39–43; operating procedures 45–9; presentation 50–1; processing 50
investigative time (IT) 73
investigative workflows 175–6, 394; broad audit process 398; cloud forensic 225, 236–8; incident management lifecycle 157–72, 158; IoT forensic 272, 278–84; IRT 172–5; mobile device forensics 260–5; process initiation 395; targeted forensics process 397; volatile data process 396
IoT see Internet of Things (IoT)
IoT devices: data types from 274; identifying approaches 279–80; types 273–4
IoT forensic 272; business risk scenarios 273; continuing education 284–5; data sources 273–4; evidence-based presentation 285–6; evidence, collection of 274–5; investigative workflows 272, 278–84; legal admissibility 275–6; legal review 286–7; report 284–6; secure storage and handling 276–7; targeted monitoring 277–8
iPhone device 244
IPsec (internet protocol security) 128
IRT see incident response team (IRT)
IS management see information security (IS) management
isolation models, cloud computing 222
Joint Test Action Group (JTAG) analysis 247
key performance indicators (KPIs) 334; guidelines 72; parameters 73; RC ratio 73–5
lab environment: construction 42–3; designing 40–2; planning 39–40
laid-back approach 298
landmark decision 207
law enforcement agencies 62, 84
laws and regulations: computer law 205–6; internet law/cyberlaw 204–5; IT law 203–4
learning phase, incidents 171–2
least privilege access 132, 132
legal admissibility: business records 121–2; cloud forensic 232–4; IoT forensic 275–6; mobile device forensics 256; preservation challenges 123; preservation strategies 124–30; technology-generated data 122; technology-stored data 122
legal advice: communication 211–12; constraints 210; disputes 210–11; employees 211; law enforcement agencies 212; liabilities 211; prosecution 211
legal aspects, technology crimes 16–17
legal counsel 83
legal precedence: Brady rule 207–8; Frye vs. Daubert standard 208–9; jurisdiction 209
legal review: cloud forensic 240–2; IoT forensic 286–7; laws and regulations 203–6; legal advice 210–12; legal precedence 207–9; mobile device forensics 267; technology counselling 209–10; technology in crime 201–3
legal studies 187
link analysis 153
local network zone, IoT 275
Locard’s exchange principle 11–12, 12
logbook 404
MAC (mandatory access control) 120
Malaysian investigation process 377, 377
malware infections 176
malware reverse engineering 188
MAM (mobile application management) 254, 259
managers role 184
mandatory access control (MAC) 120
master service agreement (MSA) 241–2
MCM (mobile content management) 259
MDM (mobile device management) 147, 254, 258–9
Message Digest Algorithm family (MD5) 14, 48, 120, 127, 235, 277
MFA (multi-factor authentication) 254
Microsoft threat modeling 340
mind maps, risk management 326
misuse detection technique 150–1
mobile application management (MAM) 254, 259
mobile content management (MCM) 259
mobile device forensics 248; business risk scenarios 248–9; continuing education 265–6; data sources 249–51; evidence-based presentation 266; evidence, collection of 251–6; investigative workflows 260–5; legal admissibility 256; legal review 267; secure storage and handling 257–8; targeted monitoring 258–60
mobile device management (MDM) 147, 254, 258–9
mobile devices 31, 187–8, 243; “burner” phones 247–8; challenges with 245–8; cloud storage 246; encryption 246–7; governance 252–3; history of 243–4; local storage 246; loss of 245; management methodologies 253, 255–6; replacement 246; safeguards and controls 254; security and configuration standards 253; theft of 245–6
mobile forensics 6
mobile security management (MSM) 258–9
modern security monitoring 146–7
MSA (master service agreement) 241–2
MSM (mobile security management) 258–9
multi-factor authentication (MFA) 254
multi-tenant isolation models 222
NAND flash memory 250
natural access controls 129
natural surveillance 129
natural territorial reinforcements 129
NDA (non-disclosure agreement) 293
near real-time data replication 139
net present value (NPV) 301, 309, 420
network: communications 128; devices 25, 97; monitoring systems 97
network access control (NAC) 254
network area storage (NAS) 52
network forensics 6, 15, 188; and analysis 181; generic framework for 377–8, 378
networking protocols 187
network time protocol (NTP) 113
next-best-thing (NBT) triage approach 282–3
next-gen security control layers 147
NIST Cloud Computing Security Reference Architecture 232
non-disclosure agreement (NDA) 293
non-repudiation threats 425
non-technical knowledge: advanced 191–2; intermediate 190–1; introductory 189–90
NOR flash memory 250
NPV see net present value (NPV)
object of crime 2
one-way cryptographic hash algorithm 235, 277
online analytical processing (OLAP) 345; features 346; operational databases and data warehouses 345
online transaction processing (OLTP) 345; features 346; operational databases and data warehouses 345
on-site triage decision tree 261–2, 262
open-source technologies 42
open systems interconnection (OSI) model 102
operating procedures, investigative workflow: authenticity 48; collection and preservation 48–9; scene documentation 46–7; search and seizure 47–8; securing scene 46
operational data 345
operational requirements 358
operational service catalog hierarchy 299
organizational roles and responsibilities 182; digital forensics team 183–5
overhead time (OT) 73
PaaS see platform as a service (PaaS)
Pareto principle 114
passive data 274
PASTA (Process for Attack Simulation and Threat Analysis) 340–1
patch applications 149
patch operating system 149
Payment Card Industry Data Security Standards (PCI DSS) 63, 76, 126, 203
PCI Forensics Investigator (PFI) certification 76
personal ethics 54
Personal Information Protection and Electronic Documents Act (PIPEDA) 241
personally identifiable information (PII) 99, 212, 287
persuasive precedent 207
PFI (PCI Forensics Investigator) certification 76
Philippine (PH) Cybercrime Prevention Act 205
phishing campaigns 7
phreaking 5
physical security controls 134–5; delay 130; deny 129–30; detect 129; deter 128–9
PII see personally identifiable information (PII)
plans, incident management 161
platform as a service (PaaS) 221; security controls 229
policies, incident management 160
political influences 77
positive security approach 147–8
precursor incidents 166
preparation phase: cloud forensic 236–7; IoT forensic 278–9; mobile device forensics 260–1
presentation phase: cloud forensic 238; IoT forensic 283–4; mobile device forensics 264–5
presentation services, security controls 231
present value (PV) assessment 307–10
preservation challenges 123
priority triad 357
private cloud model 221
privilege elevation 338
proactive approach 333
Process for Attack Simulation and Threat Analysis (PASTA) 340–1
processing module, IoT 269, 270
processing phase: cloud forensic 238; IoT forensic 281–3; mobile device forensics 263–4
process models: higher-level grouping 21–2, 22; law enforcement 19; methodologies 19, 20; phase frequencies 18, 21, 382
process regulations 94
professional 185; certifications 180; ethics 54
project control officer (PCO) 43
project management 191
project planning, EDW 354
proof of concept (POC) 42
protocol analysis 151
public cloud model 222
quantitative assessments 303, 322
random access memory (RAM) 13, 28, 30, 250
RBAC (role-based access control) 120
real-time monitoring systems 25
recoverability impact prioritization 169, 169
recovery time objective (RTO) 139
requirements analysis: assessments 357; defining 356; finalize 359; gathering 358; importance 355–6; interpret 358–9; report 437–43; scope definition 356–7; specification documents 360
resources: cloud computing environments 459; digital forensic publications 456; integrity monitoring compliance objectives 457–8; laws and regulations 458–9; management 191; mobile devices 460; risk management methodologies 458; tools and equipment 457
respond phase, incidents: analysis 166–7; detection 166; prioritization 168–9
restore phase, incident: containment 169–70; eradication 170; order of volatility 171; recovery 170
restrict administrative privileges 149
restrictive security controls 129
return on investment (ROI) 64, 297
risk assessment 321; ALE 323–4; ARO 323; methodologies and techniques 325; qualitative assessments 321–2; quantitative assessments 322; SLE 323; tools 324–5
risk likelihood-severity heat map 322
risk management lifecycle workflow 181, 320; communication 326, 327–33; responses 331; review 334–5, 335; variables 321; visualizing 326
role-based access control (RBAC) 120
RTO (recovery time objective) 139
SaaS (software as a service) 220–1, 229
Sarbanes–Oxley Act (SOX) 63, 76, 126, 203
scientific crime scene investigation model 366, 366
scripting 187
SDLC see system development life cycle (SDLC)
secure boot 50
Secure Hashing Algorithm (SHA) family 14, 120, 127, 235, 277
secure storage and handling: Administrative Governance Foundations 135–8; attributes 131–5; backup strategy 138–40; cloud forensic 234–5; IoT forensic 276–7; mobile device forensics 257–8; restoration strategy 138–40
secure storage attributes 131; end-to-end cryptography 132–3; integrity checking 133–4; least privilege access 132, 132; physical security 134–5
security: architectures 105–6, 189; investigations, types of 175–6; logs 27; monitoring 181; properties 89, 90; requirements 119–20
service catalog 70, 110, 411; business benefits 297–8; design considerations 298–300
service level agreements (SLA) 224
service level objectives (SLO) 104, 165, 300
service models, cloud computing 221
service zone, IoT 276
SHA see Secure Hashing Algorithm (SHA) family
shadow price 306
SIM data objects, mobile devices 249
simple pattern matching 151
single loss expectancy (SLE) 323
SLA (service level agreements) 224
SLO see service level objectives (SLO)
small and medium-sized business (SMB) 76
snowflake model 346
social regulations 93
software as a service (SaaS) 220–1, 229
software testing 294
SOP (standard operating procedures) 110, 125, 161
SOX see Sarbanes–Oxley Act (SOX)
specialist 185
special-purpose IoT devices 273–4
specification-based detection technique 152
stakeholder validation 312
standard operating procedures (SOP) 110, 125, 161
star model 346
stateful pattern matching 151
statement of work (SOW) 293, 360
static analysis 295
STIX (structured threat information expression) 336, 337
storage area networks (SAN) 52
storage capacity 118
storage security 125
strategic mindset 191
STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) scheme 338
structural metadata 114
structured phase 10
structured threat information expression (STIX) 336, 337
subject of crime 2
subject-oriented data 344
symbol of crime 3
systematic digital forensic investigation model 379–80, 380
system development life cycle (SDLC) 189, 294, 324, 355
systems development 189
systems lifecycle: agile model 107–8; waterfall model 106–7
system zone, IoT 276
tactics, techniques, and procedures (TTP) 167, 337
tangible costs 303
targeted monitoring: acceptable activity 141–2; analytical techniques 150–6; ASD 149–50; cloud forensic 235–6; enterprise security 142–7; implementation concerns 156; IoT forensic 277–8; mobile device forensics 258–60; positive security approach 147–8; unacceptable activity 141
taxonomy development methodology 313, 314; assess existing data 316; business requirements and value proposition 315–16; classification scheme 318–19; conduct surveys/interviews 316–17; create inventories 317–18; finalize 319; governance structure 319; organization role 314–15; team selection 314
team lead role 184
technical controls: cryptography 126–7; integrity monitoring 126; remote logging 127–8; secure delivery 128; storage security 125
technical execution 69
technical knowledge: advanced 188–9; intermediate 187–8; introductory 186–7
technical requirements 358
technical writing 190
technician role 183
technology-generated data 25, 122, 127–8
technology role in crime 2–3, 201–3
technology-stored data 25, 122, 273
The Pirate Bay (TPB) 205
threat: actors 167, 337–8; assessment matrix 423; modeling 89–90, 90, 181, 322, 336–8, 339–42, 343; risk matrix 342–3; tree workflow 339
threat risk assessment (TRA) 342, 421–5
time management 189
time value of money (TVM) 306
tool and equipment validation program: building program 291; gathering 292–4; preparation 292; presentation 296; processing 294; standards/baselines 287–8; validation 295–6; verification 294–5
tool of crime 3
top-down view, EDW 350
total cost of ownership (TCO) 353
TRA (threat risk assessment) 342, 421–5
traditional security monitoring 145–6, 146
transactional logs 27
transitional requirements 358
Trusted Cloud Initiative (TRI) SRI 232
trust zones, IoT 275–6; investigative zones vs. 283
TTP (tactics, techniques, and procedures) 167, 337
unacceptable activity 141
unauthorized access 176
United Kingdom (UK) Computer Misuse Act 205
U.S. Department of Justice (USDOJ) 3, 202
U.S. Electronic Communications Privacy Act 204
user acknowledgment and agreement 252–3
user and entity behavior analytics (UEBA) 155
U.S. Federal Computer Fraud and Abuse Act (1984) 6
utility computing 220
verbal informal reports 197
virtualization 29–30, 30, 226–7, 227
virtual machines (VM) 219
virtual private networking (VPN) 254
white box 294
wide area network zone, IoT 275
work hours (WH) 73
written reports: arrangement 198–9; formal 197; informal 197
zones of trust, IoT 275–6; vs. investigative zones 283