A digital forensic investigation process can involve many steps and procedures. The objective is to obtain unbiased information in a verifiable manner using accepted forensic practices. In this project you will perform some of the steps necessary for setting up an investigation. These steps include designing interview questions that establish the needs of the case and focus your investigative efforts. You will also determine what resources may be needed to conduct the investigation. Once you have this information, you will be able to develop an investigation plan that properly sequences activities and processes allowing you to develop time estimates and contingency plans should you encounter challenges in the investigation.
This particular situation involves two computers and a thumb drive. After clear authorization to proceed has been obtained, one of the first investigative decision points is whether to process the items of evidence individually or together. Processing computers individually makes sense when they are not likely tied to the same case. However, if the computers are linked to the same case, there can be advantages in processing them together.
There are four steps in this project. In Step 1, you will develop interview protocols and identify documentation needs for a forensic investigation. In Step 2, you will identify resources needed for the investigation. In Step 3, you will develop a plan for conducting the investigation, and in Step 4, you will consolidate your efforts in the form of a single document to be submitted to your supervisor (i.e., your instructor). The final assignment in this project is a planning document with a title page, table of contents, and distinct section for each of the three steps in the project
Let’s get started! In Step 1 you use an interview template to record questions, keywords, and authorization information, and to complete the legal forms that will be needed in this case. Before you can do that, you need to review your training in criminal investigations.
• 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
• 2.2: Locate and access sufficient information to investigate the issue or problem.
• 4.1: Lead and/or participate in a diverse group to accomplish projects and assignments.
• 10.1: Demonstrate best practices in organizing a digital forensic investigation.
• 10.2: Utilize Project Management principles in an investigation.
STEP 1 PRELIMINARY WORK :
Next, you read the police report and perform a quick inventory of devices that are thought to contain evidence of the crime. You have set up a meeting with the lead detectives and the prosecutor handling the case.
You have received an official request for assistance which provides you with authority to conduct the investigation. You realize it will be impossible to produce a detailed investigation project plan prior to your meeting with the detectives and the prosecutor. First you need to develop a series of questions to establish the key people and activities. These questions should address potential criminal activity, timelines, and people who need to be investigated. It is also important to determine whether different aspects of the case are being pursued by other investigators and to include those investigators on your contact list. In addition, some situations may involve organizations or individuals who need to adhere to various types of industry compliance. This situation may require you to follow special procedures.
Your tasks in Step 1 are to create an interview form to record questions, keywords, and authorization information, and to designate the legal forms that will be needed in this case. The forms that you complete as part of Step 1 will be included in your “Investigation Project Plan”– the final assignment for this project.
Step 2: Determine What Is Needed for the Investigation
In Step 1 you developed the forms and templates needed to collect the legal, criminal, and technical information that lays the groundwork for your investigation. In Step 2, you consider the types of resources needed to conduct the investigation. By making these preparations, you are establishing forensic readiness. Required resources can include people; tools and technologies such as RAID disks, deployment kits, or imaging programs; and budget and timeline information. Develop your checklist. It will be included in your final “Investigation Project Plan.” In Step 3 you will prepare a plan for managing a digital forensic investigation.
Step 3: Develop a Plan
In the prior step, you determined what resources would be necessary for your investigation. In Step 3 you develop a plan for managing the investigation. Reporting requirements reflect the step-by-step rigidity of the criminal investigation process itself. Being able to articulate time, task, money, and personnel requirements is essential.
Reporting Requirements
Final reports that detail the examination and evidence must be written and written well for multiple audiences. The writer should bear in mind that the audience for the report will have both technical and nontechnical backgrounds. Summary-level and detail-level information must be clearly communicated within the report.
The report must be comprehensive and convincing. The report will include facts and expert opinions. The report should be well organized and include not only the evidence found but also the methods used and illustrations such as photographs of the physical computer evidence as well as screenshots of the software used to process the evidence.
It is important to include log file content from the tools used to image and process the evidence. These logs will show important steps the examiner has taken such as appropriate use of write blocker.
The electronic format of the final report should be in noneditable format, such as PDF.
What are some of the detailed items that should be included in the report? What should be excluded? Are there standard templates or reports that are generated through popular examination tools such as Encase?
Project management is a skill set that is not often linked to digital forensics and criminal investigations. That is unfortunate because effective project management can have a dramatic impact on the success and accuracy of an investigation. Identifying the tasks that need to be performed, their sequence, and their duration are important considerations, especially in the face of “wild cards” such as delays in obtaining correct search warrants and subpoenas. It is also important to have a clear understanding of the goals for the investigation as you will likely be called upon to present conclusions and opinions of your findings.
Your project plan should include properly sequenced evidence acquisition and investigation processes, time estimates, and contingency plans. Your plan will serve many purposes including the assignment of a project budget. As you create your plan, be sure to include communications and reporting—who should be involved, how the activities should be carried out, how often, and under what circumstances (i.e., modality, frequency).
Once you have developed your project management plan, move on to Step 4 where you will submit your final assignment.
For your final assignment, you will combine the results of the previous three steps into a single planning document—an “Investigation Project Plan”—with a title page, a table of contents, and a distinct section for each of the three steps. The Plan should include:
- Forms documenting key people, key activities, timeline, keywords, authorization (ownership, jurisdiction), and related investigations. Designation of the Llegal forms required for criminal investigations should also be included. (Step 1)
- Resource list (Step 2)
- Management plan (Step 3)
All sources of information must be appropriately referenced. Submit your completed “Investigation Project Plan” to your supervisor (your instructor) for evaluation upon completion.