Investigation Consideration
Table of Contents
Step 1 – Preliminary Setup for the Investigation
Keywords
Acquisition and Investigation Processes
Introduction
The investigation process involves a series of steps taken to conduct an inquiry and reach a sound conclusion. An investigation is defined as the process of analyzing a crime, statement, or problem to discover the truth. In recent years, cybercriminals have adopted more sophisticated approaches, making digital forensic investigation (DFI) more complicated. As digital devices become more complex and more pervasive, legal investigations increasingly depend on digital evidence. Digital forensic investigation is therefore one of the most robust and rapidly expanding fields supporting the investigatory process in an organization (Nikkel, 2006). With the changing dynamics of the business world and the rise in cybercrime, the criminal justice sector needs people with a special skill set drawn from several fields, including criminal justice and information technology (McFarland, 2016). Digital forensic investigation involves interviewing, searching, collecting, preserving, and reporting on evidence.
The field of digital forensic investigation has evolved from an ad-hoc practice into a structured discipline. DFI is now formalized as a series of processes for gathering and reporting digital evidence. It is therefore a vital aspect of the successful prosecution of cybercriminals and is equally useful within organizations. In particular, DFI is widely used to track suspicious online activity, mitigate nation-state attacks, and protect operations in defense of public safety and the industrial base (Jarrett, Bailie, Hagen, & Judish, 2009).
Preliminary Setup for the DFI
To carry out a successful DFI, it is essential to develop a plan that is relevant to the case at hand, especially as it relates to the digital media involved. Without a well-designed plan, the investigation may produce material that is irrelevant or inadmissible in a court of law. Establishing the 5Ws of the incident (what, who, where, when, and why) therefore helps to frame the plan. This section summarizes a study involving a thumb drive and two computers, providing an analytical approach from the perspective of a digital forensic engineer. To commence forensic activities, the requester submits a forensic examination request stating the need for such services. The request form does not need to follow a specific format, since the format varies from one organization to another; what the forms have in common is the information they capture.
Legal Forms
Being involved in a digital forensic investigation brings numerous challenges before, during, and after the technical work of retrieving data. It is therefore imperative that the handling of digital evidence follows all legitimate procedures, and investigators must ensure that all legal forms are accurate and in order before beginning any step of the investigation. Where the legal forms are deficient, the defense attorney has an opportunity to challenge the legitimacy of the case. Legal limitations exist to protect people against illegitimate search and seizure. Specifically, the Fourth Amendment states that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized” (U.S. Const. amend. IV). Before starting the investigation, we intend to obtain the specific legal forms required before taking possession of the evidence: a thumb drive and two computers.
It is crucial that holders of potential evidence grant authorization, whether in written or electronic form. Besides verifying that authorization, the investigator should articulate reasonable suspicion for examining the digital devices and provide a concise summary of the data to be recovered. Once probable cause is established with respect to the data or device, the next step is to obtain formal authorization through an application for a search warrant. A search warrant is a document granted by a court of law giving an agent the right to lawfully search for evidence in a specified location (Judish, 2002). Because probable cause has been shown to the court, the owner of the property being examined need not consent to the search.
Chain of custody is the next legal form that must be maintained. The chain of custody is a legal document used to verify that the gathered evidence has been handled securely. It establishes a paper trail of every person who has had access to the evidence and describes the procedures used to keep it safe. Maintaining the chain of custody preserves the authenticity of the evidence and demonstrates that it was not altered (Ryder, 2002).
A subpoena is the other document that may be required; it is issued and signed by an attorney. The subpoena requires the recipient to appear before the court or to produce specific devices or documents. Failure to comply with a subpoena can lead to criminal charges (Kenton, 2018).
The Interview Questions
The form presented through the court to obtain access to the media holding the data under investigation is included in the appendices. The following subsections cover the questions that must be resolved before and during the digital forensic investigation.
Authorization of information
Adequate authorization must be obtained before performing any forensic examination of the digital devices; without it, the investigation of the two computers and the thumb drive cannot proceed. Authorization may be obtained by consent, or by a search warrant that clearly specifies what is being searched. This can be challenging, especially with large organizations that are uncomfortable with an investigation being performed on their devices.
Due to the sensitivity of the case at hand, the leader of the DFI decided that all computer devices should be seized when the search warrant was executed. The lead investigator is a senior cybercrime agent who knew the specific language required in the affidavit to allow the investigating team to conduct a thorough search of both computers (US District Court, 2008). The search warrant stated that the intention was to remove the devices from the site and bring them to a secure location.
Resources Required for the Investigation
The investigation requires resources to be successful. An inquiry involves resources, evidence, and techniques drawn from the contemporary forensic sector. Digital forensic techniques provide crucial details that the court can turn into facts usable for prosecution. They also enable the investigator to identify the security weaknesses an attacker could use to compromise the system and to understand the approaches the attacker used to exploit the victims of sexual assault. Forensic tools that can be used include system analysis tools, network forensic tools, mobile device analysis tools, database forensic tools, and internet analysis tools.
People
The number of people needed for this forensic investigation will be limited by the scope of the investigation. A complete investigation team must be formed, and other key stakeholders also need to be involved (Abdalla, Hazem, & Hashem, 2007). These stakeholders include:
- District attorney, to apply for the search warrant
- Investigation team, to perform the investigation
- Cybercrime division, to help establish the cause
Scheduling and Budgeting
Budgeting and scheduling for an activity such as this is a complex process. Numerous factors must be considered when creating a budget, and it is difficult to determine the exact cost until the work is complete. It is also critical to define a specific scope for the project. The total cost may range from a few thousand dollars to over $100,000, depending largely on the complexity of the investigation and on whether results need to be expedited. Investigations are typically priced in one of two ways: a flat fee, or time and materials. A general analysis of one digital device is likely to take approximately 15-30 hours of work at $200-$400 per hour (Mikalacki, n.d.).
A well-defined schedule is vital in a digital forensic investigation. Scheduling and cost estimation are closely linked, since activities that need more supervision also consume more budget. Because the outcome of a digital forensic investigation is so important, it would be imprudent to commit to a fixed period. Several factors are considered when determining the most appropriate time frame. One of the most important is the complexity of any encryption protecting the data we are attempting to access. Our current backlog of work is another factor. Research indicates that law enforcement agents are overwhelmed with digital forensic work, and under normal circumstances an investigation may take 6 to 8 months (McNeila, 2018). The table below shows the schedule for completing the investigation process.
Keywords
To expedite the investigation, it is critical to develop a list of search keywords. The initial keywords are developed by the team at the first meeting, during discussion of the search warrant, but the list is expected to grow as the investigation proceeds (Sammons, 2012). A keyword list can be applied through either a physical or a logical search of the acquired data. A physical keyword search scans the raw bytes of the drive, including unallocated space and file slack, and so can surface deleted content; a logical search operates on the allocated files as the file system presents them (Widup, 2014). Keywords to be used in this investigation include organization, purge, USB, email, rename, and copy. Keyword searching is a primary tool in digital forensic investigations, but keywords chosen poorly may omit crucial details or return unrelated results. A physical search also misses content that is compressed, encrypted, or stored in an encoding other than the one searched for, so each keyword should be searched in the encodings the target system actually uses (for example ASCII and UTF-16LE on Windows).
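The difference between a logical and a physical keyword search, shown as an added example rather than code from the original study. The disk image, its two allocated files, the deleted-file residue, and the allocation map are all constructed here for illustration; on a real image the allocation map would come from a file-system parser. The keyword list is the one from the paragraph above, searched in both ASCII and UTF-16LE.

```python
import re
from typing import Dict, List, Tuple

# Keywords from the investigation plan.
KEYWORDS = ["organization", "purge", "USB", "email", "rename", "copy"]
SECTOR = 512

# Allocated files as (offset, length); a file-system parser would supply this.
Allocation = Dict[str, Tuple[int, int]]


def build_image() -> Tuple[bytes, Allocation]:
    """Constructed 8-sector image (not from any real case): two allocated
    files, plus residue of a deleted file and a UTF-16LE fragment that
    survive only in unallocated space."""
    image = bytearray(8 * SECTOR)
    files = {
        "report.txt": (1 * SECTOR, b"Quarterly report for the organization sent by email.\n"),
        "notes.txt": (3 * SECTOR, b"Copy the archive to the USB stick before leaving.\n"),
    }
    allocated: Allocation = {}
    for name, (offset, data) in files.items():
        image[offset:offset + len(data)] = data
        allocated[name] = (offset, len(data))
    # Deleted-file residue: the directory entry is gone, the bytes are not.
    deleted = b"rename the ledger, then purge the logs\n"
    image[6 * SECTOR:6 * SECTOR + len(deleted)] = deleted
    # Windows artifacts (registry, LNK files, event logs) often hold UTF-16LE.
    wide = "USB".encode("utf-16-le")
    image[7 * SECTOR:7 * SECTOR + len(wide)] = wide
    return bytes(image), allocated


def _locate(offset: int, allocated: Allocation) -> str:
    """Map an absolute image offset to the file that owns it, or 'unallocated'."""
    for name, (start, length) in allocated.items():
        if start <= offset < start + length:
            return name
    return "unallocated"


def logical_search(image: bytes, allocated: Allocation,
                   keywords: List[str] = KEYWORDS) -> List[Tuple[str, str, int]]:
    """Logical search: only bytes belonging to allocated files are examined.
    Returns (keyword, file name, offset within the file)."""
    hits = []
    for name, (start, length) in allocated.items():
        data = image[start:start + length]
        for kw in keywords:
            for m in re.finditer(re.escape(kw.encode("ascii")), data, re.IGNORECASE):
                hits.append((kw, name, m.start()))
    return hits


def physical_search(image: bytes, allocated: Allocation,
                    keywords: List[str] = KEYWORDS) -> List[Tuple[str, int, str, str]]:
    """Physical search: every byte of the image is scanned, in ASCII and in
    UTF-16LE. Returns (keyword, absolute offset, encoding, location)."""
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                hits.append((kw, m.start(), enc, _locate(m.start(), allocated)))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    img, alloc = build_image()
    print("logical :", logical_search(img, alloc))
    print("physical:", physical_search(img, alloc))
```

On this image the logical search returns four hits, all inside the two allocated files; the physical search returns those four plus "rename" and "purge" from the deleted-file residue and a UTF-16LE "USB" that an ASCII-only search would never see. The location column is what lets the examiner explain in the report why a hit exists even though no file contains it.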
Management Plan
The goals of the DFI determine the boundaries and scope of the investigation. They include assisting the prosecution, maintaining the integrity of the seized digital evidence, improving the investigator's ability to serve as a witness in court, and using the investigation as a training or educational resource for the organization and the wider community (Nelson, Phillips, & Steuart, 2019). The goals of this digital forensic investigation are:
- The investigator will assist the prosecution in presenting the case.
- The investigator will be in charge of preserving the integrity of the seized evidence.
- The investigator will perform their activities in a planned and controlled way while identifying evidence that either proves or disproves the accusations.
- The forensic investigator will maintain accurate accountability for all evidence and ensure that the information is correctly documented.
- The investigator will ensure that the report is based on factual evidence and free of bias.
Acquisition and Investigation Process
The most essential part of a digital forensic investigation is the acquisition of evidence. During acquisition the integrity of the data must be maintained; otherwise the evidence may be excluded in a court of law. Documentation is also critical at this stage, since it supports both the investigation and the acquisition (Noak, Grier, & Gonzales, 2018) and demonstrates that proper administrative and technical processes were followed. The National Institute of Standards and Technology (NIST), in SP 800-86, outlines four major phases of DFI: collection, examination, analysis, and reporting (Grance, Chevalier, Scarfone, & Dang, 2006).
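How integrity is maintained and documented at acquisition, as an added example that is not part of the original paper: the source is read once behind an (assumed) hardware write blocker, MD5 and SHA-256 are computed while the image is written, the hashes go into a chain-of-custody record of the kind described under Legal Forms, and any later re-hash that disagrees proves the image has changed. The device contents, the item label "E-001 thumb drive", and the handler name are constructed for the example.

```python
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import BinaryIO, Dict, List, Optional

CHUNK = 1024 * 1024  # hash and copy 1 MiB at a time so large images need not fit in memory


def _digests(stream: BinaryIO, sink: Optional[BinaryIO] = None) -> Dict[str, str]:
    """One pass over the stream computing MD5 and SHA-256; optionally copy it.
    MD5 is kept only because older paperwork quotes it; SHA-256 is the
    digest to rely on, since MD5 is no longer collision resistant."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        md5.update(chunk)
        sha256.update(chunk)
        if sink is not None:
            sink.write(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_stream(stream: BinaryIO) -> Dict[str, str]:
    return _digests(stream)


def acquire(source: BinaryIO, dest: BinaryIO) -> Dict[str, str]:
    """Bit-for-bit copy of the source into the destination image, hashing the
    source as it is read. A write blocker on the source is assumed; nothing
    here can enforce it."""
    hashes = _digests(source, dest)
    dest.seek(0)
    return hashes


def verify(image: BinaryIO, expected: Dict[str, str]) -> bool:
    """Re-hash the image and compare against the hashes recorded at acquisition."""
    image.seek(0)
    actual = hash_stream(image)
    return all(actual[name] == value for name, value in expected.items())


@dataclass(frozen=True)
class CustodyEntry:
    when: datetime
    handler: str
    action: str
    item: str
    sha256: str


@dataclass
class CustodyLog:
    """Append-only record of who did what to which item, tied to its hash."""
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, handler: str, action: str, item: str, sha256: str,
               when: Optional[datetime] = None) -> None:
        self.entries.append(CustodyEntry(when or datetime.now(timezone.utc),
                                         handler, action, item, sha256))


def run_example(handler: str = "examiner", item: str = "E-001 thumb drive"):
    """Acquire a constructed device, verify the image, then show that a
    single altered byte fails verification. Returns (intact, tampered_ok, log)."""
    # Constructed device contents; a real source would be e.g. open("/dev/sdb", "rb").
    device = io.BytesIO(b"\x00" * 4096 + b"rename the ledger then purge the logs" + b"\xff" * 4096)
    image = io.BytesIO()
    hashes = acquire(device, image)
    log = CustodyLog()
    log.record(handler, "acquired image", item, hashes["sha256"])
    intact = verify(image, hashes)
    log.record(handler, "verified image against acquisition hashes", item, hashes["sha256"])
    tampered = io.BytesIO(image.getvalue())
    tampered.seek(4096)
    tampered.write(b"R")  # flip one byte: "rename" -> "Rename"
    return intact, verify(tampered, hashes), log


if __name__ == "__main__":
    ok, tampered_ok, log = run_example()
    print("image verifies:", ok, "| tampered copy verifies:", tampered_ok)
    for e in log.entries:
        print(e.when.isoformat(), e.handler, e.action, e.item, e.sha256)
```

The hashes belong in the chain-of-custody form and in the examiner's notes at the moment of acquisition; re-running `verify` before examination and again before reporting is what lets the examiner testify that the working copy is the same bytes that were seized.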
Data collection
The collection phase involves identifying and collecting the data that will be crucial to the investigation. This may involve gathering software and hardware artifacts that contain relevant information, and may require the removal of digital devices, including computers, which must be properly identified, recorded, and documented as evidence (Nelson, Phillips, & Steuart, 2019). The National Institute of Justice provides specific guidelines to be followed during collection, including:
- Secure the evidence in accordance with National Institute of Justice guidance.
- Record the hardware and software configuration of the examiner's system.
- Verify the operation of the examiner's system, including its hardware and software.
- Disassemble the computer to be examined to allow physical access to its storage devices.
- Identify the storage devices that need to be acquired.
- Retrieve configuration information from the suspect's system using controlled boots.
- Power down the system.
Examination of data
Examination is the second phase and involves a thorough and systematic search of the digital evidence. Objectives and goals must be established first, since they guide the examination. Its results may include data matching the keywords found in log files, and timestamps can reveal patterns during the examination. Examination has three major steps: preparation, extraction, and analysis of the extracted data. During preparation, the investigator prepares directories into which evidence files will be extracted, restored, and examined. During extraction, one of two methods is used depending on the file system: a logical or a physical extraction (Noak, Grier, & Gonzales, 2018). Finally, the extracted data is analyzed, including timeframe analysis.
Analysis of Data
The analysis stage draws conclusions from the extracted digital evidence and relates them to the goals of the investigation.
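A small timeframe analysis, added here as an example and not taken from the original study. The file records are constructed: a spreadsheet in a user's Documents folder, a second copy of it on a removable drive E:, and an unrelated text file. Each file contributes its created, modified and accessed timestamps to a single sorted timeline; a window query then shows what happened around a moment of interest, and the copied-file check uses the fact that on Windows file systems a copy keeps the source's modification time but gets a new creation time, so modified < created flags a file that came from somewhere else.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple


def utc(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp and treat it as UTC (normalize before comparing)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class FileRecord:
    """Created/modified/accessed times as a file-system parser would report them."""
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


# Constructed records for illustration; not from any real case.
RECORDS = [
    FileRecord(r"C:\Users\jdoe\Documents\ledger.xlsx",
               utc("2019-09-28T09:00:00"), utc("2019-09-28T17:30:00"), utc("2019-10-03T14:04:00")),
    FileRecord(r"E:\ledger.xlsx",
               utc("2019-10-03T14:05:00"), utc("2019-09-28T17:30:00"), utc("2019-10-03T14:05:00")),
    FileRecord(r"C:\Users\jdoe\Desktop\notes.txt",
               utc("2019-10-01T10:00:00"), utc("2019-10-01T10:20:00"), utc("2019-10-01T10:20:00")),
]

Event = Tuple[datetime, str, str]  # (when, what, path)


def build_timeline(records: List[FileRecord]) -> List[Event]:
    """Flatten every timestamp of every file into one chronologically sorted list."""
    events: List[Event] = []
    for r in records:
        events.append((r.created, "created", r.path))
        events.append((r.modified, "modified", r.path))
        events.append((r.accessed, "accessed", r.path))
    return sorted(events)


def events_between(timeline: List[Event], start: datetime, end: datetime) -> List[Event]:
    """Events inside an inclusive window, e.g. around a known USB insertion time."""
    return [e for e in timeline if start <= e[0] <= end]


def copied_files(records: List[FileRecord]) -> List[str]:
    """Files whose modification time predates their creation time: the
    signature of a file copied onto this volume from elsewhere."""
    return [r.path for r in records if r.modified < r.created]


if __name__ == "__main__":
    timeline = build_timeline(RECORDS)
    for when, what, path in timeline:
        print(when.isoformat(), what.ljust(8), path)
    print("around 2019-10-03 14:00-14:10:",
          events_between(timeline, utc("2019-10-03T14:00:00"), utc("2019-10-03T14:10:00")))
    print("copied from another volume:", copied_files(RECORDS))
```

In the constructed data the window around 14:05 on 3 October shows the Documents copy being read one minute before the E: copy is created, and the E: file carries a modification time a week older than its own creation time: exactly the pattern the "copy" and "USB" keywords are meant to corroborate. Timestamps should be normalized to one time zone before sorting, and a file-system timestamp can be altered, so such findings are corroborated against logs or other artifacts rather than reported alone.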
Reporting
After examination, the reporting stage is the major deliverable, whether for organizational findings or court proceedings. The report explains how the investigation was conducted and the logical path that was followed. It may include calculations and an analysis of error and uncertainty that either support or disprove the goals of the investigation. Reporting is regarded as the most significant part of the whole process, since it is how the results are communicated (Kaur, 2012). Both the evidence discovered and any absence of evidence are reported. In the case of an organization, the report is issued to the sponsor of the investigation.
Recommendations
The first cybersecurity assessment of the organization was performed at the start of the DFI, in order to mitigate further risk following the cybercrime that prompted the investigation. Several recommendations were given to the client to address its cybersecurity risks. The first is to adopt multi-factor authentication (MFA). Since the client's information systems are managed remotely and future updates must be controlled, it is recommended that an MFA plan be created and continually maintained by the organization. The second recommendation is to redesign the network using a multi-zone architecture; as the organization continues to expand, this becomes increasingly worthwhile. In a multi-zone architecture, network traffic is limited to the most restrictive policy that satisfies the business use.
Conclusion
With technological advancement, the investigation process is becoming more complex. In the modern business environment it has become very common to retrieve data concerning a crime scene, since digital evidence must be presented in court. To preserve evidence for law enforcement purposes, timing and the sensitivity of the evidence must be respected. Law enforcement agents should therefore collaborate with digital forensic specialists to improve their techniques by taking advantage of technological advances.
References
Abdalla, S., Hazem, S., & Hashem, S. (2007). Teams responsibilities for digital forensic process.
Allen, T. A. (2019, February 20). Computer Forensics Tool Testing Program (CFTT). Retrieved from https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt.
Cornell Law School. (n.d.). Fourth Amendment. Retrieved from https://www.law.cornell.edu/wex/fourth_amendment.
Courcier, S. de. (2016, May 23). Beyond Keywords: Is keyword search becoming obsolete in the new age of forensic digital investigation? Retrieved from https://articles.forensicfocus.com/2016/03/11/beyond-keywords-is-keyword-search-becoming-obsolete-in-the-new-age-of-forensic-digital-investigation/.
Grance, T., Chevalier, S., Scarfone, K. K., & Dang, H. (2006). Guide to integrating forensic techniques into the incident response (No. Special Publication (NIST SP)-800-86).
Jarrett, H. M., Bailie, M. W., Hagen, E., & Judish, N. (2009). Searching and seizing computers and obtaining electronic evidence in criminal investigations. US Department of Justice, Computer Crime, and Intellectual Property Section Criminal Division.
McFarland, R. (2016). How to start a computer forensics business: A small business success guide (version 2). Retrieved from https://www.amazon.com/dp/B01DB1SN44
McNeila, T. (2018, December 10). Law enforcement overwhelmed by digital data. Retrieved from https://www.cellebrite.com/en/blog/law-enforcement-overwhelmed-by-digital-data/.
Mikalacki, B. (n.d.). How much does digital forensic services cost? Retrieved from https://www.vestigeltd.com/thought-leadership/digital-forensic-services-cost-guide-vestige-digital-investigations/
National Institute of Justice. (n.d.). Digital evidence and forensics. Retrieved from https://www.nij.gov/topics/forensics/evidence/digital/Pages/welcome.aspx.
Nelson, B., Phillips, A., & Steuart, C. (2019). Guide to computer forensics and investigations. Cengage learning.
NIJ. (2004, April). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. Retrieved October 3, 2019, from https://www.ncjrs.gov/pdffiles1/nij/199408.pdf.
Nikkel, B. J. (2006, May). The role of digital forensics within a corporate organization. Paper presented at the IBSA Conference, Vienna.
Rogers, M. K., Goldman, J., Mislan, R., Wedge, T., & Debrota, S. (2006). Computer forensics field triage process model. Journal of Digital Forensics, Security and Law, 1(2), 2.
Ryder, K. (2002). Computer Forensics-We’ve Had an Incident, Who Do We Get to Investigate. SANS Institute, GSEC Certification Assignment Version, 1.
Sammons, J. (2012). The basics of digital forensics: The primer for getting started in digital forensics. Waltham, MA: Syngress.
US District Court. (2008, June 11). Affidavit for Search Warrant. Retrieved from https://www.justice.gov/archive/amerithrax/docs/08-431-m-01.pdf.
Widup, S. (2014). Computer forensics and digital investigation with EnCase Forensic v7. McGraw-Hill Education Group.
Appendix A
Search Warrant
Appendix B
Chain of Custody
Appendix C
Subpoena
Appendix D
Forensic laboratory examination request