In: Computer Science
List and describe common technical and regulatory steps of a forensic investigation from beginning to the end.
The field of computer forensics investigation is growing, especially as law enforcement and legal entities realize just how valuable information technology (IT) professionals are when it comes to investigative procedures. With the advent of cybercrime, tracking malicious online activity has become crucial for protecting private citizens, as well as preserving online operations in public safety, national security, government and law enforcement. Tracking digital activity allows investigators to connect cyber communications and digitally-stored information to physical evidence of criminal activity; computer forensics also allows investigators to uncover premeditated criminal intent and may aid in the prevention of future cybercrimes.
There are 8 steps in a forensic investigation:

1. Prepare: Put in place specific forensics training, all corporate policies and procedures, and practice investigations and examinations, which will prepare you for an "event."
2. Identify: When approaching an incident scene, review what is happening on the computer screen. If data is being deleted, pull the power plug from the wall; otherwise, perform real-time actions. Identify whatever else is happening around the scene.
3. Preserve: Once the system-specific "volatile" data is retrieved, turn off the machine, remove it from the scene, and power it up in an isolated environment. Perform a full system image capture of the data on the machine and hash the image against the original data to verify it.
4. Select: Once you have a verified copy of the available data, start the investigation of the data by selecting potential evidence files, datasets, and locations where data could be stored.
5. Examine: Check potential hidden storage locations of data such as slack space, unallocated space, and the space in front of the File Allocation Table (FAT) on hard drives. Also check registry entries or root directories for additional indicators of data storage activity.
6. Classify: Evaluate data in potential locations for relevance to the current investigation. Check the relevancy of the data found.
7. Analyze: Review data from the relevant locations. Ensure the data is readable, legible, and relevant to the investigation.
8. Present: Correlate all data reviewed to the investigation papers (warrants, corporate documents, etc.). Prepare a data report for presentation.
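The "image and hash to verify" part of step 3 is the one piece of the list that is usually done at a terminal, so here is an added shell example (not part of the original answer) showing how an examiner images a source and proves the image matches it. It assumes `dd` and either `sha256sum` (coreutils) or `shasum` are installed; the sample "disk" it images is a small constructed file, not a real evidence drive, and `source.raw` / `evidence.dd` are placeholder names.

```shell
#!/bin/sh
# Added example: acquire an image of a source and verify it by hashing
# both sides. Constructed sample data; paths are placeholders.

# Print only the SHA-256 hex digest of a file (works with coreutils or
# with the perl-based shasum found on BSD/macOS systems).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Copy the source (a block device or, as here, a file) sector by sector
# into an image file. In a real acquisition the source sits behind a
# hardware write blocker so the copy cannot alter the original.
acquire_image() {
    dd if="$1" of="$2" bs=512
}

# Hash the original and the image, print both digests so they can be
# recorded in the examination notes, and return 0 only if they match.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    printf 'source  %s\nimage   %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# --- Constructed demonstration: a tiny stand-in for a drive ---
work=$(mktemp -d)
printf 'constructed sample disk contents\n' > "$work/source.raw"
acquire_image "$work/source.raw" "$work/evidence.dd"
if verify_image "$work/source.raw" "$work/evidence.dd"; then
    echo "image verified: digests match"
else
    echo "image does NOT match source" >&2
fi
```

The two digests printed by `verify_image` are what goes into the chain-of-custody record; any later change to the image, even a single appended byte, produces a different digest and the check fails, which is exactly what the verification in step 3 is meant to catch.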