3.4 Identify type of evidence used based on provided logs
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
1. What is Corroborative Evidence?
Corroborative evidence is information that supports or confirms other evidence in an investigation. It doesn’t prove something on its own, but it backs up your main findings and makes your investigation more reliable.
Think of it as multiple pieces of evidence pointing to the same conclusion. The more corroborative evidence you have, the stronger your case.
2. Why is Corroborative Evidence Important in IT Security?
- Strengthens findings: Confirms that suspicious activity is real.
- Reduces mistakes: Helps avoid false conclusions if one log or alert is misleading.
- Supports reporting: Useful when writing reports for management, auditors, or legal teams.
- Helps in investigations: Shows patterns and relationships between events.
3. Types of Corroborative Evidence in IT Environments
Here are examples of how corroborative evidence can appear in IT security investigations:
a. Network Logs
- Logs from firewalls, routers, or switches.
- Example: If your intrusion detection system (IDS) alerts on a suspicious login from IP 192.168.1.50, you check network logs to see if this IP accessed other systems. If it did, the network log corroborates the IDS alert.
b. Server or System Logs
- Logs from Windows Event Viewer, Linux syslog, or application logs.
- Example: A system log shows multiple failed login attempts on a server. If your SIEM also shows a spike in login failures at the same time, the system log corroborates the SIEM alert.
c. Security Tools
- Antivirus, EDR (Endpoint Detection and Response), or SIEM tools.
- Example: Antivirus detects malware on a workstation. If the firewall logs show outgoing connections to a known malicious IP at the same time, the firewall log corroborates the malware detection.
d. File or Data Access Logs
- Access logs from databases, shared drives, or cloud services.
- Example: A file integrity monitoring system shows a critical configuration file was modified. If audit logs also show a user logged in and accessed the same file, the audit log corroborates the file modification alert.
4. How Corroborative Evidence is Used in Practice
When investigating an incident, you typically:
- Collect primary evidence – the initial logs or alerts that show suspicious activity.
- Collect corroborative evidence – other logs or records that confirm or support the primary evidence.
- Analyze the evidence together – compare timestamps, IP addresses, usernames, and system actions.
- Draw conclusions – with corroborative evidence, you have more confidence in your findings.
Example Workflow in IT Context:
- SIEM alert: “Suspicious login from foreign IP.”
- Firewall log: Shows the same IP accessed the network. ✅ Corroborates the alert.
- Server log: Same user account performed unusual commands. ✅ Further corroboration.
- Antivirus log: Detects a file downloaded from the same source. ✅ Even stronger support.
Now, your investigation is backed by multiple sources, making your findings solid.
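The workflow above, as an added example that is not part of the original notes: a small Python script takes a primary SIEM alert and searches other log sources for corroborating records that share the same source IP or user account within a time window, then counts how many independent sources back the alert. The log format, source names, addresses and timestamps are constructed for this example and are not from any real system.

```python
from datetime import datetime

# Constructed sample log lines (assumed format: "<ISO timestamp> <source> key=value ...").
LOG_LINES = [
    "2024-05-01T10:00:05 siem event=suspicious_login src=203.0.113.7 user=jdoe",
    "2024-05-01T10:00:02 firewall event=allow src=203.0.113.7 dst=10.0.0.12 dport=22",
    "2024-05-01T10:00:40 server event=cmd src=203.0.113.7 user=jdoe cmd=curl",
    "2024-05-01T10:01:10 antivirus event=detect src=203.0.113.7 file=payload.sh",
    "2024-05-01T09:10:00 firewall event=allow src=203.0.113.7 dst=10.0.0.12 dport=22",   # too early
    "2024-05-01T10:00:30 firewall event=allow src=198.51.100.9 dst=10.0.0.12 dport=443", # unrelated IP
]

def parse(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts, source, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["source"] = source
    return rec

def corroborate(primary, records, window_seconds=300):
    """Return {source: [records]} for records that share an IP or user with the
    primary alert and fall within +/- window_seconds of it. Records from the
    same source as the primary alert are skipped: a log cannot corroborate itself."""
    hits = {}
    for r in records:
        if r["source"] == primary["source"]:
            continue
        same_ip = "src" in r and r["src"] == primary.get("src")
        same_user = "user" in r and r["user"] == primary.get("user")
        if not (same_ip or same_user):
            continue
        if abs((r["ts"] - primary["ts"]).total_seconds()) > window_seconds:
            continue
        hits.setdefault(r["source"], []).append(r)
    return hits

def corroboration_strength(primary, records, window_seconds=300):
    """Number of independent sources that corroborate the primary alert."""
    return len(corroborate(primary, records, window_seconds))

if __name__ == "__main__":
    recs = [parse(line) for line in LOG_LINES]
    primary = next(r for r in recs if r["source"] == "siem")
    for src, rs in corroborate(primary, recs).items():
        print(f"{src}: {len(rs)} corroborating record(s)")
    print("independent corroborating sources:", corroboration_strength(primary, recs))
```

Narrowing the window (for example to 10 seconds) drops the server and antivirus records, which shows why the timestamp comparison in step 3 matters as much as matching the IP or username.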
5. Key Points for the Exam
- Corroborative evidence supports other evidence; it does not usually prove anything by itself.
- Examples include: network logs, system logs, SIEM/EDR alerts, database/file access logs.
- Helps confirm incidents, reduce errors, and strengthen investigation reports.
- Often used in combination with primary evidence to show a clear picture.
6. Quick Memory Tip
Think of corroborative evidence like backup singers in a band: the lead singer (primary evidence) grabs attention, but the backup singers (corroborative evidence) support and make the performance stronger and more convincing.
