Investigation Process
Understand the Forensic Investigation Process and its Importance
This section presents an overview of the forensic investigation process and outlines the need to follow a well-documented and thorough investigation process.
The computer forensics investigation process is a methodical approach to searching for, seizing, and analyzing digital evidence, and to managing the case from the time of search and seizure through to reporting the result of the investigation.
Importance of Forensic Investigation Process
Digital evidence is fragile in nature: it can be altered or destroyed by a single careless action. Following strict guidelines and a thorough forensic investigation process that preserves the integrity of the evidence is therefore critical to proving a case in a court of law.
The forensic investigation process to be followed should comply with local laws and established precedents. Any breach or deviation may jeopardize the entire investigation.
The investigators must follow a repeatable and well-documented set of steps, such that every repetition of the analysis produces the same findings. Otherwise, the findings of the investigation can be invalidated during cross-examination in a court of law.
Phases Involved in the Forensic Investigation Process
• Pre-investigation Phase: This phase involves all the tasks performed prior to the commencement of the actual investigation. It involves setting up a computer forensics lab, building a forensics workstation, developing an investigation toolkit, building an investigation team, gaining approval from the relevant authority, etc. This phase also includes steps such as planning the process, defining mission goals, and securing the case perimeter and involved devices.
• Investigation Phase: Considered to be the main phase of computer forensics investigation, the investigation phase involves the acquisition, preservation, and analysis of evidentiary data to identify the crime source and culprit. This phase involves implementing technical knowledge to locate the evidence and examine, document, and preserve the findings as well as the evidence. Trained professionals perform all the tasks involved in this phase to ensure the quality and integrity of the findings.
• Post-investigation Phase: This phase involves the reporting and documenting of all actions undertaken and the findings obtained during the course of the investigation. It ensures that the target audience can easily understand the report and that it provides adequate and acceptable evidence. Every jurisdiction has set standards for reporting findings and evidence; the report should comply with all such standards and be legally sound and acceptable in a court of law.
Pre-Investigation Process
The pre-investigation phase involves all the tasks performed prior to the commencement of the actual investigation. This phase includes steps such as planning the process, defining mission goals, and getting approval from relevant authority.
Setting Up a Computer Forensics Lab
A computer forensics lab (CFL) is a designated location for conducting a computer-based investigation of the collected evidence in order to solve the case and find the culprit. The lab houses the instruments, software and hardware tools, and the forensic workstations required to perform investigations of all types.
Building the Investigation Team
The investigation team plays a major role in solving a case. The team is responsible for evaluating the crime, the evidence, and the suspects. Every team member should be assigned a few specific tasks (roles and responsibilities) so that the team can analyze the incident efficiently.
The guidelines for building the investigation team are as follows:
• Identify the team members and assign them responsibilities
• Appoint a person as the technical lead for the investigation
• Keep the investigation team as small as possible to maintain confidentiality and avoid information leaks
• Provide each team member with the necessary clearance and authorization to complete the assigned tasks
• Enlist help from a trusted external investigation team, if required
People in the Team:
Photographer
Incident Responder
Incident Analyzer
Evidence Examiner
Evidence Documenter
Evidence Manager
Expert Witness
Attorney
Understanding the Hardware and Software Requirements of a Forensic Lab
A digital forensic lab should have all the necessary hardware and software tools to support the investigation process, from searching for and seizing the evidence to reporting the outcome of the analysis. Familiarity with the investigation toolkit makes the entire process quicker and more efficient. A well-equipped investigation toolkit that includes both hardware and software can also reduce the impact of an incident by stopping it from spreading to other systems, which minimizes the damage to the organization and aids the investigation.
Hardware
• Two or more forensic workstations with good processing power and RAM
• Specialized cables
• Write-blockers
• Drive duplicators
• Archive and restore devices
• Media sterilization systems
• Other equipment that allows forensic software tools to work
• Computer forensic hardware toolkits, such as Paraben's First Responder Bundle
Software
• Operating systems
• Data discovery tools
• Password-cracking tools
• Acquisition tools
• Data analyzers
• Data recovery tools
• File viewers (image and graphics)
• File type conversion tools
• Security and utility software
• Computer forensic software tools such as Wireshark, AccessData's FTK, etc.
Investigation Process
After obtaining the required permissions and assessing the case prerequisites, the investigator is ready to investigate the incident. The investigation phase and the post-investigation phase include various stages and processes that need careful and systematic execution to obtain reliable results. Each step in these phases is equally crucial for the acceptance of the evidence in a court of law and the prosecution of the perpetrators.
Investigation Methodology
Documenting the Electronic Crime Scene -> Search and Seizure -> Evidence Preservation -> Data Acquisition -> Data Analysis -> Case Analysis -> Reporting -> Testifying as an Expert Witness
Documenting the Electronic Crime Scene
Documenting the electronic crime scene is necessary to maintain a record of all the forensic investigation processes performed to identify, extract, analyze, and preserve evidence.
Points to remember when documenting the crime scene:
• Document the physical scene, noting the position of the system and any other equipment
• Document details of any related or difficult-to-find electronic components
• Record the state of computer systems, digital storage media, and electronic devices, including their power status
• Photograph the computer monitor's screen and note down what is displayed on it
Search and Seizure
The investigators should have in-depth knowledge of all the devices that could have played a part in transmitting the attack data to the victim device. They should be able to search for all the involved devices and seize them in a lawful manner for the acquisition and analysis of the evidential data.
The search and seizure process consists of the following stages:
Planning the search and seizure -> Initial search of the scene -> Securing and evaluating the crime scene -> Seizing evidence at the crime scene
Planning the Search and Seizure
The investigators need to design a strategic process for conducting the search and seizure activity. This helps them distribute tasks among the team members and allows the team to use its time and tools in a well-defined manner.
The search and seizure plan should include the following details:
• Description, title, and location of the incident
• Applicable jurisdiction, relevant legislation, and organizational policy
• The extent of the authority to search
• A chain of custody document
• Details of the equipment to be seized, such as structure type and size, location (all in one place, or spread across the building or floors), device type and model number, power status, network status and type of network, backups (if any) with their location and the date and time of the last backup, and whether it is necessary to take a server down and the business impact of doing so
• Search and seizure type (overt/covert) and approval from local management
• Health and safety precautions, such as all forensic team members wearing protective latex gloves for all searching and seizing operations on site, both to protect the staff and to preserve any fingerprints that may come in handy later
The investigating team cannot jump into action immediately after drawing up a plan for the search and seizure; they must follow a specific protocol and complete the legal formalities, which include obtaining a warrant, collecting information about the incident, and seeking authorization and consent.
Evidence Preservation
Evidence preservation refers to the proper handling and documentation of evidence to ensure that it is free from any contamination.
Physical and/or digital evidence that is seized should be isolated, secured, transported, and preserved so that its original state is protected.
At the time of each evidence transfer, both the sender and the receiver must record the date and time of the transfer in the chain of custody record.
The procedures used to protect and document the evidence while collecting and shipping it are as follows:
• The logbook of the project
• A tag that uniquely identifies each item of evidence
• A chain of custody record
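The chain of custody record described above can be made tamper-evident so that an altered, removed, or reordered transfer is detectable. The following Python is an added example, not code from the original text; the record layout (sequence number, evidence tag, sender, receiver, purpose, UTC time, hash of the previous entry) and the sample case data are constructed for illustration.

```python
"""Tamper-evident chain-of-custody record.

Added example (not from the original text). The record format is a
hypothetical one: each entry names the sender, the receiver, the purpose
and the UTC time of a transfer, and carries the SHA-256 of the previous
entry, so that editing, removing or reordering an earlier transfer
breaks the hash of every entry that follows it.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


class ChainOfCustody:
    def __init__(self, evidence_tag, description, image_sha256):
        # evidence_tag: the unique tag attached to the item at seizure
        # image_sha256: hash of the acquired image, fixed for the case
        self.evidence_tag = evidence_tag
        self.description = description
        self.image_sha256 = image_sha256
        self.entries = []

    @staticmethod
    def _entry_hash(body):
        # Canonical JSON so the hash does not depend on key order or spacing.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def record_transfer(self, sender, receiver, purpose, when=None):
        """Append one transfer; both parties must be identified."""
        if not sender or not receiver:
            raise ValueError("both sender and receiver must be identified")
        when = when or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("transfer time must be timezone-aware (use UTC)")
        body = {
            "seq": len(self.entries) + 1,
            "evidence_tag": self.evidence_tag,
            "sender": sender,
            "receiver": receiver,
            "purpose": purpose,
            "time_utc": when.astimezone(timezone.utc).isoformat(),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry = dict(body, entry_hash=self._entry_hash(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every link; False if any entry was altered, dropped or reordered."""
        prev = GENESIS
        for expected_seq, entry in enumerate(self.entries, start=1):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["seq"] != expected_seq or body["prev_hash"] != prev:
                return False
            if self._entry_hash(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Constructed sample: a seized SSD handed from the responder to the lab, then to the examiner."""
    coc = ChainOfCustody(
        evidence_tag="EV-0042-01",  # hypothetical tag
        description="2.5in SATA SSD, seized from workstation WS-17",
        image_sha256=hashlib.sha256(b"constructed image").hexdigest(),
    )
    coc.record_transfer("A. Responder", "B. Evidence Manager", "transport to forensics lab",
                        datetime(2024, 3, 1, 10, 15, tzinfo=timezone.utc))
    coc.record_transfer("B. Evidence Manager", "C. Examiner", "release for imaging",
                        datetime(2024, 3, 1, 13, 40, tzinfo=timezone.utc))
    return coc


if __name__ == "__main__":
    chain = demo()
    print(json.dumps(chain.entries, indent=2))
    print("chain intact:", chain.verify())
```

The hash linking does not replace the signed paper record that most jurisdictions still expect; it complements it by making any later discrepancy between the two immediately visible during verification.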
Data Acquisition
During the investigation of digital devices, all the evidence may be present in the form of data. Therefore, the investigators should have expertise in acquiring the data stored across various devices in different forms. Data acquisition is the use of established methods to extract Electronically Stored Information (ESI) from a suspect computer or storage media in order to gain insight into a crime or an incident. Forensic data acquisition is a process of imaging or collecting information from various media in accordance with certain standards in order to analyze its forensic value. Investigators can then forensically process and examine the collected data to extract information relevant to any particular case or incident while protecting the integrity of the data. It is one of the most critical steps of digital forensics as any improper acquisition may alter data in evidence media and render it inadmissible in the court of law.
Forensic investigators should be able to verify the accuracy of the acquired data, and the complete process should be acceptable and reproducible in court. Before acquiring the data, the investigator must ensure that the destination storage media is forensically clean (sterilized) and then apply write protection, typically a write-blocker, to the original evidence media so that it cannot be altered during acquisition. Hashing the original before and after the copy, and comparing both hashes with the hash of the image, demonstrates that the acquisition is accurate and that the original was not modified.
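The checks described above (sterile target, write-blocked source, hash comparison before and after the copy) can be modelled in a few dozen lines. The following Python is an added example and not code from the original text; the in-memory "device", the 4096-byte block size, and the sample disk contents are constructed for illustration, and the read-only wrapper is a software stand-in for a hardware write blocker.

```python
"""Forensic data acquisition with write blocking and hash verification.

Added example (not from the original text): an in-memory model of the
acquisition step. The evidence media sits behind a read-only wrapper that
stands in for a hardware write blocker, the target media is checked to be
sterile before use, the source is copied block by block, and the SHA-256
of the evidence is compared with the SHA-256 of the image (and with the
evidence again afterwards) so the acquisition is verifiable and repeatable.
"""
import hashlib
import random

BLOCK_SIZE = 4096  # assumed block size for the copy loop


class WriteBlockedDevice:
    """Read-only view of the evidence media (software stand-in for a write blocker)."""

    def __init__(self, raw):
        self._raw = bytes(raw)

    @property
    def size(self):
        return len(self._raw)

    def read(self, offset, length):
        return self._raw[offset:offset + length]

    def write(self, offset, data):
        # Every write to the original evidence is refused.
        raise PermissionError("write blocked: evidence media is read-only")


def is_sterile(media):
    """Target media is forensically clean only if it holds no residual bytes."""
    return not any(media)


def sha256_device(device):
    """Hash the evidence through the write blocker, one block at a time."""
    digest = hashlib.sha256()
    for offset in range(0, device.size, BLOCK_SIZE):
        digest.update(device.read(offset, BLOCK_SIZE))
    return digest.hexdigest()


def acquire_image(device, target):
    """Bit-for-bit copy of device into target; returns the verification record."""
    if len(target) < device.size:
        raise ValueError("target media is smaller than the evidence media")
    if not is_sterile(target):
        raise RuntimeError("target media is not sterilised; refusing to acquire")
    hash_before = sha256_device(device)
    for offset in range(0, device.size, BLOCK_SIZE):
        block = device.read(offset, BLOCK_SIZE)
        target[offset:offset + len(block)] = block
    image = bytes(target[:device.size])
    image_hash = hashlib.sha256(image).hexdigest()
    hash_after = sha256_device(device)  # evidence must be unchanged by the copy
    return {
        "bytes_copied": device.size,
        "evidence_sha256_before": hash_before,
        "image_sha256": image_hash,
        "evidence_sha256_after": hash_after,
        "verified": hash_before == image_hash == hash_after,
    }


def demo():
    """Constructed evidence: a 12,900-byte pseudo-disk with a recognisable header."""
    rng = random.Random(7)
    raw = b"CONSTRUCTED-EVIDENCE-DISK".ljust(512, b"\x00")
    raw += bytes(rng.getrandbits(8) for _ in range(3 * BLOCK_SIZE + 100))
    device = WriteBlockedDevice(raw)
    target = bytearray(4 * BLOCK_SIZE + 512)  # freshly wiped (zero-filled) target
    return acquire_image(device, target)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three hashes in the returned record are what goes into the acquisition notes and the chain of custody: a mismatch between the "before" and "after" evidence hashes means the original was touched, and a mismatch with the image hash means the copy is not bit-for-bit and must be repeated.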
Data Analysis
Data analysis refers to the process of examining, identifying, separating, converting, and modeling data to isolate useful information.
Here, data analysis techniques depend on the scope of the case or client’s requirements and the type of evidence.
This phase includes the following:
• Analyzing the file content for data usage
• Analyzing the date and time of file creation and modification
• Finding the users associated with file creation, access, and modification
• Determining the physical storage location of the file
• Timeline generation
• Identifying the root cause of the incident
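Timeline generation from file timestamps, together with the owning user and location of each file, is the most mechanical of the items above and is shown here as an added Python example (not code from the original text). The sample directory tree, its file names, and the hand-set timestamps are constructed so that the example runs offline; the one-hour incident window is likewise assumed for illustration.

```python
"""File-system timeline generation for the data-analysis phase.

Added example (not from the original text). It builds a constructed sample
tree in a temporary directory, collects each file's modification, access and
metadata-change timestamps together with the owning user id, and returns a
sorted timeline that can be filtered to the window of interest. Note that
st_ctime is the metadata-change time on POSIX systems but the creation time
on Windows, and that access times are unreliable on volumes mounted with
noatime/relatime.
"""
import os
import shutil
import tempfile
from datetime import datetime, timezone

EVENT_KINDS = (("modified", "st_mtime"), ("accessed", "st_atime"), ("changed", "st_ctime"))


def collect_events(root):
    """One timeline row per (file, timestamp kind), sorted oldest first."""
    events = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks, do not touch atime
            for kind, attr in EVENT_KINDS:
                events.append({
                    "time": datetime.fromtimestamp(getattr(st, attr), timezone.utc),
                    "event": kind,
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "uid": st.st_uid,
                    "size": st.st_size,
                })
    events.sort(key=lambda e: (e["time"], e["path"], e["event"]))
    return events


def events_between(events, start, end):
    """Filter the timeline to the incident window (inclusive, UTC)."""
    return [e for e in events if start <= e["time"] <= end]


def build_sample_tree(root):
    """Constructed files with hand-set (mtime, atime) pairs in UTC."""
    samples = {
        "docs/report.docx": ("2024-03-01T09:00:00", "2024-03-02T17:45:00"),
        "tmp/.hidden_tool.exe": ("2024-03-02T17:30:00", "2024-03-02T17:31:00"),
        "logs/app.log": ("2024-03-02T17:50:00", "2024-03-02T17:50:00"),
    }
    for rel, (mtime, atime) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed content for " + rel.encode())
        to_ts = lambda s: datetime.fromisoformat(s + "+00:00").timestamp()
        os.utime(path, (to_ts(atime), to_ts(mtime)))  # os.utime takes (atime, mtime)


def demo():
    """Timeline of everything touched between 17:00 and 18:00 UTC on 2024-03-02."""
    root = tempfile.mkdtemp(prefix="timeline_")
    try:
        build_sample_tree(root)
        events = collect_events(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    start = datetime(2024, 3, 2, 17, 0, tzinfo=timezone.utc)
    end = datetime(2024, 3, 2, 18, 0, tzinfo=timezone.utc)
    return events_between(events, start, end)


if __name__ == "__main__":
    for row in demo():
        print(row["time"].isoformat(), row["event"].ljust(8), row["path"], "uid", row["uid"])
```

On a real image the same walk is run against the mounted (read-only) copy, never the original, and the timeline is usually merged with other sources such as log entries and registry or journal records before the root cause is determined.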
Case Analysis
Case analysis is the process of relating the obtained evidential data to the case in order to understand how the complete incident took place.
Case analysis might help the investigators in determining future actions, such as the following:
• Check whether other investigative methods can be followed, for instance identifying a remote storage location, examining network service logs for information of evidentiary value, or collecting case-specific evidence from social media
• Gather additional information related to the case (e.g., aliases, email accounts, the ISP used, names, network configuration, system logs, and passwords) by interviewing the respective individuals
• Identify the relevance to the crime scene of the various network elements, such as the devices that transmitted or stored the attack data
• Consider the relevance of peripheral components to the investigation; for instance, in forgery or fraud cases, consider non-computer equipment such as laminators, check paper, scanners, printers, and digital cameras
Post-Investigation Phase
The responsibility of the investigators does not end with finding and analyzing the evidence data. They should also be able to explain how they arrived at the conclusion to the prosecutors, attorneys, and judges. The post-investigation phase involves the reporting and documentation of all the actions undertaken and the findings during the course of an investigation and the procedure of testifying as an expert witness in the court.
This section provides guidelines on how to write an investigation report and testify as an expert witness.
Gathering and Organizing Information
The documentation produced in each phase should be reviewed to decide whether it is relevant to the investigation, and then organized into specific categories.
Procedures
The procedures for gathering and organizing the required documentation are as follows:
• Gather all notes from the different phases of the investigation process
• Identify the facts to be included in the report to support the conclusions
• List all the evidence to be submitted with the report
• List the conclusions that need to be in the report
• Organize and classify the information gathered to create a concise and accurate report
Writing the Investigation Report
Report writing is a crucial stage in the forensic investigation process, as it summarizes the whole investigation into a readable report to be presented in a court of law. The accuracy and certainty of this report directly affect the court's decision on the prosecution of the suspects.
The report should be clear, concise, and written for the appropriate audience. It should be in the local language if necessary and free of unexplained jargon. It should include only the data related to the case and the evidence, and every statement should be backed by a supporting document or piece of evidence. The report should give a detailed account of the incident and point out any discrepancies in the statements of the witnesses. It should focus on the circumstances of the incident, the statements of the witnesses, photographs of the crime scene, reference material leading to the evidence, schematic drawings of the computer system, and the network forensic analysis report. The conclusions of the investigation report should be based on facts, not on the opinions of the investigators. An investigator should draft the documentation knowing that the defense team will also scrutinize it.
Aspects of a good investigation report include the following:
✓ It should accurately define the details of the incident.
✓ It should convey all necessary information in a concise manner.
✓ It should be technically sound and understandable to the target audience.
✓ It should be structured in a logical manner so that information can be easily located.
✓ It should be created in a timely manner.
✓ It should be able to withstand legal inspection.
✓ It should include conclusions that can be completely reproduced by a third party.
✓ It should try to answer questions raised during a judicial trial.
✓ It should provide valid conclusions, opinions, and recommendations supported by figures and facts.
✓ It should adhere to local laws to be admissible in court.
Forensics Investigation Report Template
A forensic investigation report template contains the following:
Executive Summary
• Case number
• Names and social security numbers of the authors and investigators
• Purpose of the investigation
• etc.
Investigation Objectives
Details of the Incident
• Date and time the incident occurred
• Date and time the incident was reported
• Details of the person or persons reporting the incident
Investigation Process
• Date and time the investigation was assigned
• Allotted investigators
• Nature of the claim
Testifying as an Expert Witness
As the attorneys, prosecutors, and other parties present in a court of law may lack the technical knowledge needed to evaluate the crime, the evidence, and the losses, the investigators should engage authorized personnel who can appear in court as an expert witness to affirm the accuracy of the process and the data. An expert witness must consider the factors discussed below while testifying in court.
They should gather sufficient information on the standard procedures of a trial beforehand and clarify any doubt about them with their attorney. Before the expert witness testifies, the attorney introduces them to the court and discloses the expert's credentials and accomplishments to establish credibility with the jury. The opposing counsel may try to challenge the expert's reputation by revealing the expert's past failures relevant to the case, if any. The attorney then leads the expert witness through the evidence and explains the expert's role concerning the evidence in a way that is comprehensible to the jury, the audience, and the opposing counsel. A cross-examination by the opposing counsel follows, in which the expert witness is questioned on their description of the evidence and on the methods they followed while collecting and analyzing it.