Digital Forensic Investigation Process Research
Overview
A digital forensic investigation process can involve many steps and procedures. The objective is to obtain unbiased information in a verifiable manner using accepted forensic practices. In this project you will perform some of the steps necessary for setting up an investigation. These steps include designing interview questions that establish the needs of the case and focus your investigative efforts. You will also determine what resources may be needed to conduct the investigation. Once you have this information, you will be able to develop an investigation plan that properly sequences activities and processes allowing you to develop time estimates and contingency plans should you encounter challenges in the investigation.
This particular situation involves two computers and a thumb drive. After clear authorization to proceed has been obtained, one of the first investigative decision points is whether to process the items of evidence individually or together. Processing computers individually makes sense when they are not likely tied to the same case. However, if the computers are linked to the same case, there can be advantages in processing them together.
There are four steps in this project. In Step 1, you will develop interview protocols and identify documentation needs for a forensic investigation. In Step 2, you will identify resources needed for the investigation. In Step 3, you will develop a plan for conducting the investigation, and in Step 4, you will consolidate your efforts in the form of a single document to be submitted to your supervisor. The final assignment in this project is a planning document with a title page, a table of contents, and a distinct section for each of the three steps in the project.
Let’s get started! In Step 1 you use an interview template to record questions, keywords, and authorization information, and to complete the legal forms that will be needed in this case. Before you can do that, you need to review your training in criminal investigations.
Self-check your work:
Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
2.2: Locate and access sufficient information to investigate the issue or problem.
4.1: Lead and/or participate in a diverse group to accomplish projects and assignments.
5.1: Demonstrate best practices in organizing a digital forensic investigation.
5.2: Utilize project management principles in an investigation.
Step 1: Complete Preliminary Work
In Step 1 you recall your training in criminal investigations, in which you covered the laws governing chain of custody, search warrants, subpoenas, jurisdiction, and the plain view doctrine. You also review forensic laws and regulations that relate to cybercrime, as well as rules of digital forensics in preparation for your digital forensic investigation. Next, you read the police report and perform a quick inventory of devices that are thought to contain evidence of the crime. You have set up a meeting with the lead detectives and the prosecutor handling the case.
You have received an official request for assistance which provides you with authority to conduct the investigation. You realize it will be impossible to produce a detailed investigation project plan prior to your meeting with the detectives and the prosecutor. First you need to develop a series of questions to establish the key people and activities. These questions should address potential criminal activity, timelines, and people who need to be investigated.
It is also important to determine whether different aspects of the case are being pursued by other investigators and to include those investigators on your contact list. In addition, some situations may involve organizations or individuals who need to adhere to various types of industry compliance. This situation may require you to follow special procedures.
Your tasks in Step 1 are to create an interview form to record questions, keywords, and authorization information, and to designate the legal forms that will be needed in this case. The forms that you complete as part of Step 1 will be included in your “Investigation Project Plan”– the final assignment for this project.
In Step 2 you will consider the types of resources needed for the investigation.
Step 2: Determine What Is Needed for the Investigation
In Step 1 you developed the forms and templates needed to collect the legal, criminal, and technical information that lays the groundwork for your investigation. In Step 2, you consider the types of resources needed to conduct the investigation. By making these preparations, you are establishing forensic readiness. Required resources can include people; tools and technologies such as RAID disks, deployment kits, or imaging programs; and budget and timeline information. Develop your checklist. It will be included in your final “Investigation Project Plan.” In Step 3 you will prepare a plan for managing a digital forensic investigation.
Step 3: Develop a Plan
In the prior step, you determined what resources would be necessary for your investigation. In Step 3 you develop a plan for managing the investigation. Reporting requirements reflect the step-by-step rigidity of the criminal investigation process itself. Being able to articulate time, task, money, and personnel requirements is essential.
Project management is a skill set that is not often linked to digital forensics and criminal investigations. That is unfortunate because effective project management can have a dramatic impact on the success and accuracy of an investigation. Identifying the tasks that need to be performed, their sequence, and their duration are important considerations, especially in the face of “wild cards” such as delays in obtaining correct search warrants and subpoenas. It is also important to have a clear understanding of the goals for the investigation as you will likely be called upon to present conclusions and opinions of your findings.
Your project plan should include properly sequenced evidence acquisition and investigation processes, time estimates, and contingency plans. Your plan will serve many purposes including the assignment of a project budget. As you create your plan, be sure to include communications and reporting—who should be involved, how the activities should be carried out, how often, and under what circumstances (i.e., modality, frequency).
Once you have developed your project management plan, move on to Step 4 where you will submit your final assignment.
Step 4: Submit Completed Investigation Project Plan
For your final assignment, you will combine the results of the previous three steps into a single planning document—an “Investigation Project Plan”—with a title page, a table of contents, and a distinct section for each of the three steps. The Plan should include:
Forms documenting key people, key activities, timeline, keywords, authorization (ownership, jurisdiction), and related investigations. Designation of the Legal forms required for criminal investigations should also be included. (Step 1) 2 pages
Resource list (Step 2) 1 page
Management plan (Step 3) 3 pages
Introduction ½ page and conclusion ½ page
All sources of information must be appropriately referenced. Submit your completed “Investigation Project Plan” to your supervisor for evaluation upon completion.
Step 1: design interview questions that establish the needs of a case,
Step 2: determine the resources needed to conduct the investigation,
Step 3: develop an investigation plan, and
Step 4: consolidate the previous steps into one project plan
Definitions: If you use this, references have been included
Forensic Laws and Regulations
Laws governing electronic evidence in criminal investigations have two primary sources: the Fourth Amendment and privacy laws. How familiar are you with legislation related to digital crimes and electronic evidence? Why is familiarity with these laws important to the forensic examiner?
The relevant laws require proper warrants before electronic evidence can be seized and processed. Legislation exists at both the state and federal levels that criminalizes hacking systems directly; hacking via telecommunication infrastructure; wiretapping or sniffing of voice and data; and use of a computer for child exploitation. In addition, organizations may have their own acceptable use policies that provide a basis for an internal investigation of one or more employees’ electronic evidence. Crimes involving violation of privacy laws such as HIPAA may also require forensic investigation to determine the scope and details of the violation.
References
Charters, I. (2009). The evolution of digital forensics: Civilizing the cyber frontier. Retrieved from http://www.guerilla-ciso.com/wp-content/uploads/2009/01/the-evolution-of-digital-forensics-ian-charters.pdf
Jarrett, H.M., Bailie, M.W., Hagen, E., Judish, N. (n.d.). Searching and seizing computers and obtaining electronic evidence in criminal investigations. OLE Litigation Series. Retrieved from https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf
Rules of Digital Forensics
Digital forensics examinations can be complicated, technical processes. There are also many laws and best practices that must be followed precisely and methodically in order to ensure the evidence will be admissible in a court of law. Not only does the forensic examiner need to be competent—and perhaps licensed in the jurisdiction—but they also need to learn and keep current with best practices, tools, and techniques for processing electronic evidence.
What is the first thing you should do when processing a desktop computer for digital evidence? Unplug it? What if you wipe evidence from volatile memory when you unplug it? How can you move the evidence to the forensics lab if you don’t unplug it? The evidence must be handled minimally and properly.
How can an examiner provide absolute assurance that the electronic evidence has not been altered from the original? Should the examination be performed on the original electronic evidence or should a copy be made and then the examination proceeds with the copy? How does the examiner know that a copy of the electronic evidence is an exact duplication when and if copies are created?
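The standard answer to the copy question above is to hash the evidence as it is imaged and again after the image is written, and to record both digests so the copy can be re-verified at any later point. The following is an added example, not part of the course material: the "device" is a constructed byte string, and the record format is an assumed chain-of-custody entry.

```python
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads: a full drive never has to fit in memory

def hash_stream(stream):
    """MD5 and SHA-256 of every byte readable from `stream`, computed in one pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        md5.update(chunk)
        sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()

def image_and_verify(source, image):
    """Copy `source` to `image` bit for bit, hashing the data as it is read
    (acquisition hash), then re-read the finished image and hash it again
    (verification hash). Both belong in the chain-of-custody record and must match."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    for chunk in iter(lambda: source.read(CHUNK), b""):
        md5.update(chunk)
        sha.update(chunk)
        image.write(chunk)
        size += len(chunk)
    image.flush()
    acquisition = (md5.hexdigest(), sha.hexdigest())
    image.seek(0)
    verification = hash_stream(image)
    return {"bytes": size, "md5": acquisition[0], "sha256": acquisition[1],
            "verified": acquisition == verification}

def verify_image(record, image):
    """Later re-check (before analysis, or when challenged in court): does the
    image still match the digests recorded at acquisition?"""
    image.seek(0)
    md5, sha = hash_stream(image)
    return md5 == record["md5"] and sha == record["sha256"]

# Constructed sample "device": a few sectors of made-up content, not real evidence.
SAMPLE_DEVICE = (b"MBR\x55\xaa" + b"NTFS    " + b"case notes: meeting 14:00" * 20).ljust(4096, b"\0")

def demo():
    image = io.BytesIO()
    record = image_and_verify(io.BytesIO(SAMPLE_DEVICE), image)
    untouched_ok = verify_image(record, image)
    tampered = io.BytesIO(SAMPLE_DEVICE[:100] + b"X" + SAMPLE_DEVICE[101:])  # one byte altered
    tampered_ok = verify_image(record, tampered)
    return record, untouched_ok, tampered_ok
```

A single altered byte anywhere in the image changes both digests, which is why the examination proceeds on a verified copy while the original stays sealed.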
References
Step Diagram Learning Object. (n.d.). Retrieved from https://content.umuc.edu/file/42e7ee70-c6ee-4fe0-b87a-9693f21c7a74/1/StepDiagram.html
Jarrett, H.M., Bailie, M.W., Hagen, E., Judish, N. (n.d.). Searching and seizing computers and obtaining electronic evidence in criminal investigations. OLE Litigation Series. Retrieved from https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf
Criminal Investigations
Investigation of electronic evidence involves searching, interviewing, interrogating, collecting, and preserving evidence. This process starts with planning and concludes with a formal report of the relevant electronic evidence. Electronic evidence must be relevant and handled in a forensically correct manner using proper processes, tools, and chain of custody to ensure authenticity and documented control of the evidence.
References
Charters, I. (2009). The evolution of digital forensics: Civilizing the cyber frontier. Retrieved from http://www.guerilla-ciso.com/wp-content/uploads/2009/01/the-evolution-of-digital-forensics-ian-charters.pdf
RAID Disks
Redundant Arrays of Inexpensive Disks (RAID) is a hard drive technology intended to improve reliability and prevent data loss should a hard drive failure occur. Within this technology, multiple physical disks are utilized to provide limited interruption should one disk fail. This technology is not limited to server class machines and is also found on some desktop computers. RAID technology presents forensics examiners with unique challenges since there are multiple physical disks constituting a single logical hard drive. The disks are managed by a controller that may or may not be available in the examiner’s lab.
What special tools and techniques are needed when RAID disks are encountered? What choices may an investigator be faced with in this circumstance? Is it possible to recover data for examination if one or more of the RAID disks are damaged?
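When the original controller is unavailable, the examiner images each member disk separately and reassembles the logical volume in software, which requires knowing the disk order, stripe size and parity layout. The following added example (not from the course or the cited article) builds a small constructed three-disk RAID-5 set and reassembles it, including the case where one member image is missing; the left-asymmetric parity rotation is an assumed layout, and real controllers vary.

```python
from functools import reduce

def xor_blocks(blocks):
    """XOR equal-length byte blocks together (the RAID-5 parity operation)."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def parity_disk_for(row, n_disks):
    """Assumed left-asymmetric rotation: parity starts on the last disk and moves
    one disk left each row. Layout, stripe size and disk order are exactly
    what the examiner must establish before reassembly will produce anything."""
    return (n_disks - 1) - (row % n_disks)

def build_raid5(data, n_disks, stripe):
    """Constructed sample array: stripe `data` across `n_disks` member images."""
    chunks = [data[i:i + stripe].ljust(stripe, b"\0") for i in range(0, len(data), stripe)]
    per_row = n_disks - 1
    while len(chunks) % per_row:
        chunks.append(b"\0" * stripe)
    disks = [bytearray() for _ in range(n_disks)]
    for row, start in enumerate(range(0, len(chunks), per_row)):
        data_blocks = iter(chunks[start:start + per_row])
        p = parity_disk_for(row, n_disks)
        for d in range(n_disks):
            disks[d] += xor_blocks(chunks[start:start + per_row]) if d == p else next(data_blocks)
    return [bytes(d) for d in disks]

def reassemble_raid5(disks, stripe):
    """Rebuild the logical volume from member images given in physical order.
    A damaged member is passed as None; one missing member is regenerated row by
    row by XORing the surviving blocks (parity included), which is the redundancy
    RAID-5 provides and the reason recovery is still possible."""
    n = len(disks)
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) > 1:
        raise ValueError("RAID-5 tolerates only one failed member")
    size = len(next(d for d in disks if d is not None))
    volume = bytearray()
    for row in range(size // stripe):
        blocks = [None if d is None else d[row * stripe:(row + 1) * stripe] for d in disks]
        if missing:
            blocks[missing[0]] = xor_blocks([b for b in blocks if b is not None])
        p = parity_disk_for(row, n)
        volume += b"".join(b for i, b in enumerate(blocks) if i != p)
    return bytes(volume)

# Constructed sample: a 64-byte "volume" striped over three members with 8-byte stripes.
SAMPLE_VOLUME = b"Evidence file header; budget spreadsheet; mail archive ...".ljust(64, b"\0")

def demo():
    members = build_raid5(SAMPLE_VOLUME, n_disks=3, stripe=8)
    intact = reassemble_raid5(members, 8)
    members[1] = None  # second physical disk damaged or unreadable
    rebuilt = reassemble_raid5(members, 8)
    return intact, rebuilt
```

With two members damaged, the XOR has nothing to solve against and the row is lost, which is the practical limit the examiner faces on a degraded array.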
References
RAID reassembly: A forensic challenge. (n.d.). Retrieved from http://pyflag.sourceforge.net/Documentation/articles/raid/reconstruction.html
Deployment Kits
There are many tools and supplies that a forensic examiner needs to gather before heading to the crime scene. Some vendors offer kits with almost everything an examiner needs for a typical scenario. What is contained in some of the stock kits? What other items might you need that are not included in the kit?
This is an area where a detailed checklist and a high level of organization can pay off. You need to be able to safely and securely transport your kit and potentially the evidence. The items you may need will comprise a very long list. Some of the things you will need include blank, formatted hard disks, a camera (with a fresh battery and plenty of room on internal storage), a forensic laptop that is fully charged and prepped with all software needed, write blockers, and cables of all shapes and sizes. Don’t forget the labels, permanent markers, resealable zipper storage bags, and perhaps even rubber gloves should you choose not to touch the keyboard.
What else do you need? How do you prep your kit? Where do you store your kit?
References
US Department of Justice. (2004). Forensic examination of digital evidence: A guide for law enforcement. Retrieved from https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
VPER: Versatile Preservation & Examination Responder Kit. (n.d.). Digital Intelligence. Retrieved from http://www.digitalintelligence.com/products/vper/