Forensic investigation is aided to a large extent by the nature of computer operations: user and system activity leaves traces in file system metadata, logs, registry and application artefacts that can be recovered and correlated long after the fact. This investigative project plan contains the requisite steps in performing an investigation, including designing interview questions, determining the resources needed for the investigation, and a general outline of the sequence of activities and processes.
The documents used will vary at each step of the investigation, but each serves as an authentic record and as evidence of compliance with legal procedures and expectations (Casey, 2011).
It will include brief descriptions of the items recovered from the crime scene (Connor, 2017): the two computers (and related accessories such as hard drives) and the thumb drive. Other important details to note include:
This form will contain the keywords (names, e-mail addresses, account numbers, file names and other search terms) that the computer analysts will search for while conducting their analysis.
The checklist identifies the examiner, the incident and the relevant occurrence dates (“Windows forensic analysis toolkit,” 2014). It will also contain the basic analysis steps and the objectives of the analysis.
This form will be key in tracking the media analysis process and taking note of the extent to which it supports the body of evidence.
It will include brief descriptions of the evidence, its condition and time of arrival, and details of the investigator such as name and signature. It will also record the analyst and the date and time of each analysis.
It contains the information gleaned from the digital forensic analysis, such as checksums (hashes) of the acquired images and of individual files, and graphical and video evidence obtained from the storage devices. It should also contain the relevant timestamps and the investigator’s digital signature, so that any later alteration of the recorded findings can be detected.
The legal authority needed to perform forensic analysis on the evidence includes a search warrant and, where the owner agrees, a consent form (Warnken, 2010). These give the forensic analyst the legal backing to do their work. Research prescribes a controlled laboratory environment when analyzing digital storage devices and for other complex data analysis procedures. Care has to be taken so that the investigation remains within the scope outlined in the search warrant (the devices, data types and time periods it names) and that conflicts regarding legal authority are resolved in consultation with the prosecutor before the examination proceeds.
The following agenda items will guide the meeting with the investigative team:
The Investigative Timeline is outlined in Table 1
The following tools will be required to handle the digital evidence that has already been gathered.
Cross-drive analysis is a technique for correlating information found on multiple storage devices: identifiers such as e-mail addresses, document hashes or account numbers that recur on the two computers and the thumb drive link the devices, and their users, to each other. Forensic frameworks such as PyFlag (Cohen, 2008) load images from several devices into one case so that the original data files, including deleted, protected or hidden ones, can be examined together. The examination should also note any encryption applied to the data; Sayakkara et al. (2020) opine that attempts at hiding evidence can be signalled by the presence of encryption tools such as TrueCrypt on a computer’s hard drive. This is important in determining what additional software the investigator will need, since an encrypted container cannot be examined without the key or passphrase.
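The correlation step described above, as an added example written for this plan (it is not code from the source text or from PyFlag). It extracts e-mail addresses, keyword hits and per-sector SHA-256 values from each image and reports only the features that occur on two or more drives. The three drive images are constructed in memory; a real run would read raw or E01 images sector by sector, and the keyword list is a hypothetical stand-in for the keyword form.

```python
"""Cross-drive correlation over several evidence images.

Added example for this plan, not code from the source text or from PyFlag.
The three "images" are constructed in memory; a real run would read
raw/E01 images sector by sector instead of holding them in a bytes object.
"""
import hashlib
import re
from collections import defaultdict

SECTOR = 512
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Hypothetical keyword list of the kind recorded on the keyword form.
KEYWORDS = [b"TrueCrypt", b"invoice"]


def extract_features(image: bytes) -> dict:
    """Return {feature: count} for one image: e-mail addresses, keyword
    hits, and the SHA-256 of every non-blank sector (sector hashes find
    copied content even when file names differ or the file was deleted)."""
    feats = defaultdict(int)
    for m in EMAIL_RE.finditer(image):
        feats[b"email:" + m.group(0).lower()] += 1
    lowered = image.lower()
    for kw in KEYWORDS:
        hits = lowered.count(kw.lower())
        if hits:
            feats[b"kw:" + kw] += hits
    for off in range(0, len(image), SECTOR):
        blk = image[off:off + SECTOR]
        if blk.strip(b"\x00"):
            feats[b"sector:" + hashlib.sha256(blk).hexdigest().encode()] += 1
    return dict(feats)


def correlate(images: dict) -> dict:
    """Map each feature to the sorted list of drives it occurs on, keeping
    only features present on two or more drives."""
    where = defaultdict(set)
    for name, data in images.items():
        for f in extract_features(data):
            where[f].add(name)
    return {f: sorted(d) for f, d in where.items() if len(d) >= 2}


# Constructed sample evidence: a file shared by both PCs, one contact
# shared by both PCs, and a tool of interest present on one PC only.
SHARED_FILE = b"INVOICE-2020-07 contents ".ljust(SECTOR, b"X")


def _pad(b: bytes) -> bytes:
    return b.ljust(SECTOR, b"\x00")


def build_sample_images() -> dict:
    pc1 = (_pad(b"mail from alice@example.org to bob@example.net")
           + SHARED_FILE + _pad(b"TrueCrypt Setup 7.1a.exe"))
    pc2 = _pad(b"contact: bob@example.net") + _pad(b"unrelated data") + SHARED_FILE
    usb = _pad(b"readme") + _pad(b"carol@example.com appears here only")
    return {"pc1.dd": pc1, "pc2.dd": pc2, "thumb.dd": usb}


if __name__ == "__main__":
    for feature, drives in sorted(correlate(build_sample_images()).items()):
        print(feature.decode(errors="replace"), "->", ", ".join(drives))
```

On the sample data the output links pc1.dd and pc2.dd through the shared contact, the shared invoice sector and the keyword hit, while the TrueCrypt keyword on pc1.dd and the address on thumb.dd remain single-drive observations; the latter still go into the keyword list, they just do not establish a link between devices.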
FTK Imager is a data preview and imaging tool that extracts data without altering the original. It creates forensic images, computes and reports hashes (MD5 and SHA-1) of the acquired data so that the image can be verified against the source, and presents the source media as read-only (FTK® Imager 4.2.0, n.d.).
The malicious intent of criminal suspects can be revealed by restoring previously deleted files. Data recovery programs will therefore be very important tools for the investigator. Additionally, forensic analysis software such as Guidance Software’s EnCase will be necessary to open and interpret the recovered data in formats such as .docx, .xlsx, .gif, .png and .pdf. A network cable may also be needed where a drive is imaged over a network connection rather than removed from the machine. Another important tool is the forensic disk controller (hardware write blocker), which gives the investigator read-only access to the hard drives and the thumb drive so that the evidence cannot be modified during acquisition and the risk of data loss is minimal.
Most commercial forensic software prevents the use of unlicensed copies by requiring a USB token (dongle). The licence keys and tokens will therefore be needed to run this software, and their availability should be confirmed before the examination is scheduled.
This is important for making a photographic record of the evidence and of its condition, which helps show whether it has been tampered with. Photos are especially crucial when dealing with live server evidence (screen contents, running sessions, physical connections), as they may be the only record of that state once the investigator logs out.
A dedicated team is required to attend effectively to the investigative process, including the lead investigator, the prosecutor, a forensic analyst and an examiner. The lead investigator manages the whole investigation to make sure that data collection, time management, critical decision making and the productivity of the overall team are achieved. The prosecutor supports the investigation process and coordinates the court proceedings aspects of the case.
A summary of the project budget is shown in Table 2
The following steps will be followed during the investigation:
This will involve choosing the best method for processing the digital data obtained from the two computers and the thumb drive. I will complete the “request for assistance” form in case of any limitations or deficiencies in training, experience, equipment, etc. (Carrier & Spafford, 2004).
It will provide a record of the logical sequence of events, including custody, handling and control, the analysis process, and the status of the physical evidence in the case. Table 3 shows a sample Chain of Custody Form for this case. A case may be dismissed on grounds of inadmissibility if a link (step) in the chain is broken, because the integrity of the evidence is then in doubt. The record will contain details of every person who handles the evidence, the reason for each transfer or examination, and the date and time of each event. In this way it demonstrates to the court that the evidence was not tampered with (Blokdyk, 2020).
As the examiner in this case, I will rely on the chain of custody to preserve evidence integrity by preventing contamination. The critical links in the chain of custody will be as follows.
I will make the following considerations regarding the chain of custody.
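A chain-of-custody record only demonstrates integrity if a broken or altered link is actually detectable, so each entry should commit to the previous one and carry an authenticator, which also gives the evidence log the checksums and investigator signature the earlier section calls for. The following is an added example written for this plan, not a form from the source text: each entry hashes its contents together with the previous entry’s hash, and an HMAC over that hash stands in for the custodian’s signature. The HMAC key is a constructed placeholder; in practice each custodian would sign with their own asymmetric key rather than a shared secret.

```python
"""Chain-of-custody log as a hash chain with per-entry authentication.

Added example for this plan, not a form or code from the source text.
The HMAC key is a constructed placeholder; real custodians would each
sign with their own (ideally hardware-backed) asymmetric key.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(entry: dict) -> bytes:
    """Deterministic serialisation so hashes are reproducible."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def add(self, custodian, action, item_id, item_sha256, when=None) -> dict:
        """Append one link: who did what with which item, when, and the hash
        of the item at that moment; chained to the previous link."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries) + 1,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "custodian": custodian,
            "action": action,
            "item": item_id,
            "item_sha256": item_sha256,
            "prev_hash": prev,
        }
        entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
        body["entry_hash"] = entry_hash
        body["sig"] = hmac.new(self.key, entry_hash.encode(), "sha256").hexdigest()
        self.entries.append(body)
        return body


def verify(entries, key: bytes) -> tuple:
    """Walk the chain; return (True, 'chain intact') or (False, reason)."""
    prev = GENESIS
    for i, e in enumerate(entries, 1):
        if e.get("seq") != i:
            return False, f"entry {i}: sequence gap (link removed or reordered)"
        body = {k: v for k, v in e.items() if k not in ("entry_hash", "sig")}
        if body["prev_hash"] != prev:
            return False, f"entry {i}: prev_hash does not match previous link"
        h = hashlib.sha256(_canonical(body)).hexdigest()
        if h != e["entry_hash"]:
            return False, f"entry {i}: contents altered after recording"
        expected = hmac.new(key, h.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, e["sig"]):
            return False, f"entry {i}: signature invalid"
        prev = h
    return True, "chain intact"


def demo() -> dict:
    """Constructed custody events for one drive, then three kinds of damage."""
    key = b"constructed-shared-key-for-demo"  # placeholder, not a real key
    log = CustodyLog(key)
    t0 = datetime(2020, 7, 1, 9, 0, tzinfo=timezone.utc)
    item = "PC-1 HDD SN 123"
    h = hashlib.sha256(b"constructed image bytes").hexdigest()
    log.add("Det. Example", "seized at scene", item, h, t0)
    log.add("Analyst Example", "received in lab", item, h, t0.replace(hour=11))
    log.add("Analyst Example", "imaged, hash verified", item, h, t0.replace(hour=12))
    altered = [dict(e) for e in log.entries]
    altered[1]["custodian"] = "Someone Else"
    removed = log.entries[:1] + log.entries[2:]
    return {
        "intact": verify(log.entries, key),
        "altered": verify(altered, key),
        "removed": verify(removed, key),
        "wrong_key": verify(log.entries, b"other-key"),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:10s} {'OK ' if ok else 'BAD'} {why}")
```

One limitation worth recording on the form itself: truncating the log by dropping the most recent link is not detectable from the chain alone, so the latest entry hash should also be written into the case file or another record outside the log.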
The progress of the case will be tracked by documenting all important details in the case file. One such detail is the “Official Request for Laboratory Examination” form, which is completed by the submitting office. It will be useful at the forensic analysis stage when filling in keywords (Carrier & Spafford, 2004).
This will function as the progress report for the media analysis process.
The analysis will involve disassembling the computer to access components such as the hard drive. When doing so, care will be taken to tag the hard drive separately with descriptions indicating details such as chain of custody, serial number, model number, case number, machine number, suspect name, etc. (Agarwal, Gupta, Gupta, & Gupta, 2011). Details of the disassembly will be included in the case file.
This directory will serve as a repository for disk images, keyword files, and any potential pieces of evidence.
The list will be created to facilitate easier identification of key content by forensic examiners.
The computer’s clock will be noted and any difference between the clock date and the actual date, time and time zone recorded, so that timestamps recovered from the machine can be corrected. If the machine must be booted, it will be booted only from the EnCase boot disc, with the BIOS configured to boot from CD or DVD ahead of the internal drive, so that the suspect operating system never starts and the evidence drive is not written to. According to Casey (2011), records of the hard drive particulars will cover condition, capacity, make and model. Photos of the evidence will be taken to document conditions such as damage.
An appropriate acquisition utility (the plan names Oxygen Forensic Suite) together with destination hard drives of a similar interface will be chosen based on the type of media. Records relating each image to its source hard drive (serial number, capacity and acquisition hashes) will be made, and EnCase software will be used to examine the file structures. Keywords will be recorded as necessary and compressed files decompressed. Any relevant executable files will be run only in an isolated virtual machine or sandbox built from the image, never on the original evidence, noting all configurations and logs. Records of all executed applications will be kept, as well as any valuable data obtained as a result. Findings and analysis will be documented in the final Analysis Report together with related forms, signed reports, keyword lists, media analysis worksheets, relevant correspondence and all other documents.
Managing large quantities of files will be done in coordination with the office of the district attorney, including decisions on making printouts. Where the data is overwhelmingly voluminous, representative samples will be extracted and included in the case file. The volume of paperwork can be reduced further by producing copies on CD or DVD instead of hard copy.
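The imaging and verification steps above, as an added example written for this plan; it is not FTK Imager’s, EnCase’s or Oxygen’s code. It reads a device sector by sector, hashes while writing, retries and then zero-fills any unreadable sector (logging its number so the report can state exactly which parts of the image are not original data), re-hashes the written image independently, and records the clock offset noted at seizure. The source device is a constructed in-memory drive with one unreadable sector; a real acquisition would read the physical device through a hardware write blocker in the same loop.

```python
"""Sector-level acquisition with hashing, bad-sector handling and
verification, plus a clock-offset record for the seized machine.

Added example for this plan; not FTK Imager's, EnCase's or Oxygen's code.
The source device is a constructed in-memory drive with one unreadable
sector; a real acquisition would read the physical device through a
hardware write blocker in the same loop.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512


class FlakySource:
    """Constructed stand-in for a block device; 'bad' sectors raise OSError."""

    def __init__(self, data: bytes, bad_sectors=()):
        assert len(data) % SECTOR == 0, "device size must be sector aligned"
        self.data, self.bad = data, set(bad_sectors)

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(src, image_path: str, retries: int = 3) -> dict:
    """Copy every sector to image_path, hashing as it is written. Unreadable
    sectors are retried, then zero-filled and logged so the image stays
    sector-aligned. The written image is then re-read and hashed
    independently; 'verified' is True only if both hashes agree."""
    md5, sha256, bad = hashlib.md5(), hashlib.sha256(), []
    with open(image_path, "wb") as out:
        for n in range(src.sectors):
            blk = None
            for _ in range(retries):
                try:
                    blk = src.read_sector(n)
                    break
                except OSError:
                    continue
            if blk is None:
                bad.append(n)
                blk = b"\x00" * SECTOR
            out.write(blk)
            md5.update(blk)
            sha256.update(blk)
    check = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            check.update(chunk)
    return {
        "sectors": src.sectors,
        "bad_sectors": bad,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "verification_sha256": check.hexdigest(),
        "verified": check.hexdigest() == sha256.hexdigest(),
    }


def clock_offset_seconds(machine_clock: datetime, reference_clock: datetime) -> float:
    """Seconds to add to a timestamp read from the machine to obtain true
    time; recorded once at seizure and applied to every artefact later."""
    return (reference_clock - machine_clock).total_seconds()


def demo() -> dict:
    data = bytes(range(256)) * 16  # 4096 bytes = 8 sectors, constructed
    src = FlakySource(data, bad_sectors={5})
    with tempfile.TemporaryDirectory() as d:
        rec = acquire(src, os.path.join(d, "pc1.dd"))
    rec["expected_sha256"] = hashlib.sha256(
        data[:5 * SECTOR] + b"\x00" * SECTOR + data[6 * SECTOR:]).hexdigest()
    # Machine clock read 10:03:20 when the reference clock showed 10:00:00 UTC.
    rec["clock_offset"] = clock_offset_seconds(
        datetime(2020, 7, 1, 10, 3, 20, tzinfo=timezone.utc),
        datetime(2020, 7, 1, 10, 0, 0, tzinfo=timezone.utc))
    return rec


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The acquisition hash is the value to enter on the evidence log and chain-of-custody form; the verification hash is recomputed from the written image alone, so a mismatch between the two means the copy, not the source, is defective and the acquisition must be repeated.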
Agarwal, A., Gupta, M., Gupta, S., & Gupta, S. C. (2011). Systematic digital forensic investigation model. International Journal of Computer Science and Security (IJCSS), 5(1), 118-131.
Blokdyk, G. (2020). Chain of custody a complete guide – 2020 edition. 5starcooks.
Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers and the internet. Academic Press.
Carrier, B., & Spafford, E. H. (2004). An event-based digital forensic investigation framework. In Digital forensic research workshop (pp. 11-13).
Cohen, M. (2008). PyFlag – An advanced network forensic framework. Digital Investigation, 5, S112-S120. https://doi.org/10.1016/j.diin.2008.05.016.
Connor, P. (2017). Entry, search and seizure. Blackstone’s Police Investigators’ Workbook 2018. https://doi.org/10.1093/law/9780198806387.003.0003
FTK® Imager 4.2.0. (n.d.). Retrieved from AccessData: http://marketing.accessdata.com/ftkimager4.2.0
Sayakkara, A., Le-Khac, N., & Scanlon, M. (2020). EMvidence: A framework for digital evidence acquisition from IoT devices through electromagnetic side-channel analysis. Forensic Science International: Digital Investigation, 32, 300907. https://doi.org/10.1016/j.fsidi.2020.300907
Soltani, S., & Seno, S. A. (2019). A formal model for event reconstruction in digital forensic investigation. Digital Investigation, 30, 148-160. https://doi.org/10.1016/j.diin.2019.07.006
Warnken, B. L. (2010). Four ways to make valid Fourth Amendment intrusions into houses: Search warrant, arrest warrant, exigency, & consent. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.1567623
Windows forensic analysis toolkit. (2014). Windows Forensic Analysis Toolkit, i-iii. https://doi.org/10.1016/b978-0-12-417157-2.00010-2