Digital Forensics Investigative Plan
Contents: Meeting Agenda; Forensic Readiness; Focus of the Examination (Tools Needed For the Investigation; People Involved in the Examination Process); Cost of Examination; Timeline of Investigation.

It is imperative to ensure forensic readiness in order to handle cyber incidents properly. The digital forensics plan guides an individual from the initial notification through device acquisition and the complete examination process. The plan should address the approach to data breaches, how to execute searches effectively, the steps required for legal compliance, and more. This paper discusses comprehensive guidelines that can serve as a reference framework for supporting a digital forensic investigation. It also addresses the challenge of making digital evidence admissible in court. The examination should include thorough documentation and clear communication. The overall agenda should focus on: examination of evidence, the timeline of events, acquisition and handling of data, investigating logically, legally and physically, data leakage, and the use of keywords (Hart, Ashcroft and Daniels, 2004).
Forensic Readiness

Preparedness involves the operational and infrastructure readiness of an organization to support the digital forensic investigation process effectively (Carrier and Spafford, 2003). Readiness reduces the cost of investigation activities such as recognition, search, collection and documentation of digital evidence. It also decreases the frequency and impact of threats, because possible indicators are found before the threats materialize. A detailed examination helps identify hypotheses, assumptions and even deviations based on the available evidence, which drives the investigation forward. The first task is to identify the people involved in the dispute and who is the focus of the examination.

Tools Needed For the Investigation

(1) EnCase
(2) ILookIX
(3) ProDiscover

Cost of Examination

One cost component is personnel cost, in terms of training and the use of professional assistance in extracting data from digital media.
As Tan (2001) notes, a few hours of intrusion can usually lead to many hours spent evaluating the incident. Overall, the basic cost of an investigation varies with specific factors: the number of devices, the priority of the investigation, the evidence acquired, the number of individuals involved, and the tools needed. Together these factors determine the cost of a forensic examination.

Lawful authority to search is an important factor in the investigation. A discrepancy at this stage could endanger the entire investigation: if a search was initiated unlawfully, the evidence is no longer admissible in court.

Evidence Management

Evidence handling procedures are critical to the qualification or disqualification of forensic evidence in a court of law. Strict adherence to policies and procedures is therefore critical in evidence management.
Without documented probable cause, unwarranted computer searches can create issues in the investigation. It is important to establish the scope of the search before applying for a search warrant: understand what you are looking for and where you need to look.

[Figure 3: Search Warrant]

Chain of Custody

A forensic investigator must prove in a court of law that all measures were taken to uphold the integrity of the evidence presented. Chain of custody, as a means of evidence control, offers proof that the digital evidence was not altered, contaminated or replaced (Hart, Ashcroft and Daniels, 2004).

[Figure 6: Removable Media Worksheet]

Hard Drive Evidence

Careful handling of the hard drive is necessary in forensic examinations. Hard disks are important sources of evidence. The presence of hair or fingerprints on the hard drive, as well as its labels and contents, can be crucial leads in the digital forensic investigation (Hart, Ashcroft and Daniels, 2004).
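In practice, the proof that an image was not altered, contaminated or replaced rests on a cryptographic hash recorded at acquisition and re-computed at every hand-off. The following is an added illustration for the chain of custody discussion above; it is not part of the original paper, and the function names (acquire, record_transfer, verify_integrity, broken_links), the handler names and the tiny stand-in "disk image" are constructed for this example.

```python
"""Chain-of-custody log with hash-based integrity checks for an acquired image.

Added illustration, not from the original paper. All names and the sample
image bytes below are constructed for the example.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence image, hex encoded (the value written on the worksheet)."""
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    """UTC timestamp for a log entry."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class CustodyEntry:
    """One link in the chain: who handled the item, what they did, when, and the hash they observed."""
    timestamp: str
    handler: str
    action: str
    sha256: str
    note: str = ""


@dataclass
class EvidenceItem:
    """An acquired image plus its custody log; acquisition_hash is the reference value
    that every later observation is compared against."""
    item_id: str
    description: str
    acquisition_hash: str
    custody_log: List[CustodyEntry] = field(default_factory=list)


def acquire(item_id: str, description: str, image: bytes, examiner: str) -> EvidenceItem:
    """Hash the image at acquisition and open the custody log with that value."""
    digest = sha256_hex(image)
    item = EvidenceItem(item_id, description, digest)
    item.custody_log.append(CustodyEntry(_now(), examiner, "acquired", digest,
                                         "bit-for-bit image taken behind a write blocker"))
    return item


def record_transfer(item: EvidenceItem, image: bytes, from_handler: str, to_handler: str) -> bool:
    """Re-hash at hand-off, log what the receiver observed, and report whether it still matches."""
    digest = sha256_hex(image)
    ok = digest == item.acquisition_hash
    item.custody_log.append(CustodyEntry(_now(), to_handler, f"received from {from_handler}", digest,
                                         "hash matches acquisition" if ok else "HASH MISMATCH"))
    return ok


def verify_integrity(item: EvidenceItem, image: bytes) -> bool:
    """True only if the image presented today hashes to the acquisition value."""
    return sha256_hex(image) == item.acquisition_hash


def broken_links(item: EvidenceItem) -> List[int]:
    """Indexes of log entries whose observed hash differs from the acquisition hash."""
    return [i for i, e in enumerate(item.custody_log) if e.sha256 != item.acquisition_hash]


# Constructed sample standing in for a disk image (two 512-byte sectors).
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 504

if __name__ == "__main__":
    item = acquire("HD-001", "1 TB hard drive, suspect workstation", SAMPLE_IMAGE, "examiner A")
    record_transfer(item, SAMPLE_IMAGE, "examiner A", "evidence custodian")
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[600] ^= 0xFF                      # a single flipped byte breaks the chain
    record_transfer(item, bytes(tampered), "evidence custodian", "examiner B")
    for entry in item.custody_log:
        print(entry.timestamp, entry.handler, entry.action, entry.sha256[:12], entry.note)
    print("chain intact:", not broken_links(item))
```

A log entry with a mismatching hash marks exactly which hand-off the integrity claim can no longer be made for; everything examined after that point is open to challenge, which is why the worksheet records the hash at every transfer rather than only at acquisition.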
Keep in mind that both the physical evidence present and the stored data acquired are important. Cautious evidence handling is critical to preserving the integrity of the physical and digital evidence obtained during a digital forensic investigation.

What To Consider

• Scope of authority to search
• Internal and external personnel
• IT competency and skills within the organization

Employees and users who are IT professionals within an organization offer useful information such as aliases, passwords, internet service providers, file management practices and network configuration (Hart, Ashcroft and Daniels, 2004). Personal interaction allows the forensic investigator to assess the user's competence in destroying and hiding digital evidence (Tan, 2001). Users with programming skills, strong analytical ability and knowledge of operating systems and applications are usually key sources of information as well as possible parties of interest.
Moreover, interviews may reveal evidence of other unethical activities related to the subject under investigation (Hart, Ashcroft and Daniels, 2004). Specific investigative questions may include:

• Who was the first person to identify the illegal activity?
• Do all computers have data encryption enabled?
• Is a printed diagram of the computer network topology available to the staff?

1st and 4th Amendment Issues

The 1st and 4th Amendments protect personal liberties. Specifically, the 4th Amendment provides the guidelines that govern forensic activities such as search and seizure. A forensic investigator working at the request of the government cannot obtain or seize incriminating evidence without either the individual's consent or a search and seizure warrant; doing so risks the inadmissibility of the evidence in court (Hart, Ashcroft and Daniels, 2004).
A court issues a warrant after a showing of probable cause. Warrantless collection of digital evidence can result in the evidence being inadmissible, and it opens the door to civil litigation for infringement of the rights and freedoms enshrined in the 1st and 4th Amendments (Federal Evidence Review, 2009).

• The contingency plan should be updated periodically when changes occur.
• The contingency plan should support the forensic investigation process and offer guidelines for data recovery and reconstruction of operations in case an incident occurs, so as to ensure continuity of operations.

References

Ademu, I. O. and Imafidon, C. International Journal of Digital Evidence, 2(2).
Federal Evidence Review (2009). Federal Rules of Evidence. Retrieved from www.FederalEvidence.
Rowlingson, R. A ten-step process for forensic readiness. International Journal of Digital Evidence, 2(3).
Selamat, S. R.
Tan, J. (2001). Forensic Readiness. @stake, Cambridge, MA.
U.S. Department of Homeland Security.