Digital Forensic Investigation Project Plan

Digital Forensic Investigation Project Plan

Forensic investigation processes are aided to a large extent by the nature of computer operations where every keystroke in the keyboard leaves a digital footprint. This Investigative project plan contains the requisite steps in performing an investigation including designing interview questions, determining resources needed for the investigation, and a general outline of the sequence of activities and processes.

Interview Protocols and Documentation Needed For Forensic Investigation

Relevant Forms

The choice of documents will vary at every step of the investigation but each will be valuable in serving as an authentic record and evidence of compliance with legal procedures and expectations, (Casey, 2011).

Search and Seizure Evidence Log

It will include brief descriptions of the items recovered from the crime scene, (Connor, 2017). These will include the two computers (and related accessories such as hard drives) as well as the thumb drive. Other important details to note include:

  • Time and date of investigation
  • List of parties involved in the investigation
  • Overview of the whole investigation in form of a timeline

Form Making Official Request for Lab Examination

This form will contain the keywords relevant to computer analysts while conducting their analysis.

Windows Forensic Checklist

The checklist identifies the examiner and the incident and the relevant occurrence dates, (“Windows forensic analysis toolkit,” 2014). It will also contain basic analysis steps and objectives for the analysis.

 Media Analysis Worksheet

This form will be key in tracking the media analysis process and taking note of the extent to which it supports the body of evidence.

Lab Evidence Log

It will include brief descriptions of the evidence, condition of the evidence, and time of arrival, details of the investigator such as name and signature. Other important details from the log include information about the analyst and the date and time of analysis.

Collection Log

It entails information gleaned from the digital forensic analysis such as data checksums and graphical and video evidence obtained from the computer storage devices. It should also contain the relevant timestamps and the investigator’s digital signature.

Other Legal Forms

The legal authority needed to perform forensic analysis on the evidence includes a search warrant and a consent form, (Warnken, 2010). These give the forensic analyst the legal backing to do their work. Research prescribes a controlled laboratory environment when analyzing digital storage devices and other complex data analysis procedures. Care has to be taken so that the investigation remains within the confines outlined in the search warrant and that conflicts regarding legal authority are resolved in consultation with the prosecutor.

Meeting Agenda

The following agenda items will guide the meeting with the investigative team:

  • Agreeing on the ground rules for the investigation
  • Review of the case
  • Assigning Responsibility and selection of teams.
  • Outlining important details about the case
  • O.B

Key Questions about the Case.

  1. What criminal activities did the suspects, in this case, engage in?
  2. How long have the suspects been engaging in criminal activity?
  3. How many suspects are we currently considering?
  4. Are any of the suspects currently in custody for interrogation?
  5. Do we have any reliable witnesses?

Investigative Timeline

The Investigative Timeline is outlined in Table 1

Identify Tools and Software Needed For the Investigation

There are necessary tools that will be required to appropriately handle the already gathered digital evidence.

A Cross-Drive Analysis System

Cross-drive analysis is a technique used in forensics to correlate information found from multiple storage devices. The system which typically comprises a pop-up screen and a rolled-up keyboard (Cohen, 2008), is useful in examining original data files on storage devices. The system also reveals any encryption procedures performed on the data as well as restoring deleted, protected, or hidden files Sayakkara et al. (2020) opine that attempts at hiding evidence can be revealed by the presence of encryption tools such as TrueCrypt on a computer’s hard drive. This is important in determining what additional software the investigator will need.

FTK Imager

This is a data preview and imaging tool that is useful in data extraction without severe alterations to the original data. It is useful in creating forensic images, generating harsh reports, and managing read-only data, (FTK® Imager 4.2.0, n.d.).

Data Recovery Tools

The malicious intent of criminal suspects can be revealed by restoring previously deleted files. Data recovery programs will therefore be very important tools to the investigator. Additionally, file viewing software such as Guidance Software’s EnCase will also be necessary to open and read the recovered data that will be in digital formats such as .docx, .xlsx, .gif, .png, .pdf, etc. A network cable may also be needed for data recovery with minimal damage to the hard drives. Another important tool in data recovery is the forensic disk controller which allows the investigator to read-only access to the hard drive and the thumb drive with minimal risk of data loss.

License Keys

Most forensic software prevents the use of unlicensed copies by using USB tokens. License keys will therefore be needed to run this software.

Digital Camera

This is important for making a record of the evidence in form of pictures and to indicate whether evidence has been tampered with or not. Photos are especially crucial when dealing with server evidence as they may be the only record once the investigator logs out.

Human Resource

A special team is required to effectively attend to the investigative process including the lead investigator, the prosecutor, forensic analyst, and an examiner. The whole investigation is managed by the lead investigator to make sure that processes such as data collection, time management, critical decision making, and productivity of the overall team productivity are achieved. The prosecutor helps with the investigation process and coordinates the court proceedings aspects of the case.

Budget for the Investigation

A summary of the project budget is shown in Table 2

Plan for Conducting the Investigation

The following steps will be followed during the investigation:

Define the Best Method

This will involve choosing the best method for processing the digital data obtained from the two computers and thumb drive. I will fill the “request for assistance” form in case of any limitations or deficiencies in terms of training, experience, equipment, etc., (Carrier & Spafford, 2004).

Chain of Custody

It will provide a record of the logical sequence of events including custody, handling & control, analysis process, and status of physical evidence in the case. Table 3 indicates a sample Chain of Custody Form for this case. A case may be dismissed on grounds of inadmissibility if a link (step) in the chain is broken making the quality of evidence to be in doubt. The record will contain details of persons who handle the evidence, reasons for evidence collection as well as the date and time of evidence collection. In this way, it will serve as a demonstration to the court that the evidence was not tampered with (Blokdyk, 2020).

As an examiner, in this case, the chain of custody will be important in preserving evidence integrity by preventing its contamination. Critical links on the chain of custody will be as follows.

  1. Collection of Data: It will involve evidence identification, data acquisition, recording, and labeling.
  2. Examination: It will involve documenting the chain of custody information including the forensic processes done. Pictures and screenshots will be taken as graphical records.
  3. Analysis Process: Methods and techniques founded in law will be applied to the evidence to derive useful information pertinent to the case.
  4. Reporting: This will be an overall documentation process indicating statements on the chain of custody, tools used in the examination, description of analysis and data source, emerging issues & vulnerabilities, and finally recommendations for additional forensic measures if any.

I will make the below considerations regarding the chain of custody.

  • Ensure not to work with the original evidence but instead make a full copy for forensic analysis. This way I will still have the original in case of errors or for making comparisons.
  • I will ensure my storage device is devoid of malware when acquiring the evidence to prevent it from being compromised.
  • I will document information arising from the examination that is beyond the scope of current legal authority to enrich the case agent’s investigation and use it for future reference.

Case File Preparation

The progress of the case will be tracked by documenting all important details in the case file. One such important detail to remember to ensure the “Official Request for Laboratory Examination.”  The form is filled by submitting the office. This will be useful at the forensic analysis stage when filling in keywords. (Carrier & Spafford, 2004).

Media Analysis Worksheet

This will function as the progress report for the media analysis process.

Tagging Procedures

The analysis will involve disassembling the computer to access components such as the hard drive. When doing so, care will be taken to tag the hard drive separately with descriptions indicating details such as chain of custody, serial number, model number, case number, machine number, suspect name, etc. (Agarwal, Gupta, Gupta, & Gupta, 2011). Details of the disassembly will be included in the case file.

Analysis Directory

This directory will serve as a repository for disk images, keyword files, and any potential pieces of evidence.

Developing a list of Keywords

The list will be created to facilitate easier identification of key content by forensic examiners.

Handling the Computer and Thumb Drive.

The computer clock should be noted and any differences between the clock date and actual date and time zone recorded. To boot the machine from the Encase boot disc, its bios settings should be configured to boot from CD or DVD. According to Casey, (2011) records of the hard drive particulars will be based on condition, capacity, make, and model. Photos of the evidence will be taken to document conditions such as damage.

Media Analysis

An appropriate backup utility such as Oxygen Forensic Suite together with hard drives of a similar interface will be chosen based on the type of media. Records relating data to the source hard drive will be made and Encase Software is used to examine file structures.  Keywords will be recorded as necessary and compressed files decompressed. All relevant executable files will be executed noting all configurations and logs. Records of all executed applications will be kept as well as any valuable data obtained as a result. Findings and analysis will be created and documented in the final Analysis Report together with related forms, signed reports, keyword lists, media analysis worksheets, relevant correspondences, and all other documents.

Managing large quantities of files will be done in coordination with the office of the district attorney including decisions on making printouts. Representative samples of the data will be taken out and included in the case file where the data is overwhelmingly voluminous. Further, the volume of paperwork can be reduced by making hard copies on CDs.


Agarwal, A., Gupta, M., Gupta, S., & Gupta, S. C. (2011). Systematic digital forensic investigation model. International Journal of Computer Science and Security (IJCSS), 5(1), 118-131.

Blokdyk, G. (2020). Chain of custody a complete guide – 2020 edition. 5starcooks.

Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers and the internet. Academic Press.

Carrier, B., & Spafford, E. H. (2004). An event-based digital forensic investigation framework. In Digital forensic research workshop (pp. 11-13).

Cohen, M. (2008). PyFlag – An advanced network forensic framework. Digital Investigation5, S112-S120.

Connor, P. (2017). Entry, search and seizure. Blackstone’s Police Investigators’ Workbook 2018.

FTK® Imager 4.2.0. (n.d.). Retrieved from AccessData:

Sayakkara, A., Le-Khac, N., & Scanlon, M. (2020). EMvidence: A framework for digital evidence acquisition from IoT devices through electromagnetic side-channel analysis. Forensic Science International: Digital Investigation32, 300907.

Soltani, S., & Seno, S. A. (2019). A formal model for event reconstruction in digital forensic investigation. Digital Investigation30, 148-160.

Warnken, B. L. (2010). Four ways to make valid Fourth Amendment intrusions into houses: Search warrant, arrest warrant, exigency, & consent. SSRN Electronic Journal.

Windows forensic analysis toolkit. (2014). Windows Forensic Analysis Toolkit, i-iii.

Calculate the price of your order

550 words
We'll send you the first draft for approval by September 11, 2018 at 10:52 AM
Total price:
The price is based on these factors:
Academic level
Number of pages
Basic features
  • Free title page and bibliography
  • Unlimited revisions
  • Plagiarism-free guarantee
  • Money-back guarantee
  • 24/7 support
On-demand options
  • Writer’s samples
  • Part-by-part delivery
  • Overnight delivery
  • Copies of used sources
  • Expert Proofreading
Paper format
  • 275 words per page
  • 12 pt Arial/Times New Roman
  • Double line spacing
  • Any citation style (APA, MLA, Chicago/Turabian, Harvard)

Our guarantees

Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.

Money-back guarantee

You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.

Read more

Zero-plagiarism guarantee

Each paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.

Read more

Free-revision policy

Thanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.

Read more

Privacy policy

Your email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.

Read more

Fair-cooperation guarantee

By sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.

Read more