Chapter 6 : Conducting Digital Investigations Flashcards
What the use of trusted forensic methodologies and techniques ensures
That the analysis, interpretation, and reporting of evidence are reliable, objective, and transparent
forensic computing
The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable.
The most common steps for conducting a complete and competent digital investigation
- Preparation
- Survey/Identification
- Preservation
- Examination and Analysis
- Presentation
Preparation
Generating a plan of action to conduct an effective digital investigation, and obtaining supporting resources and materials
Survey/Identification:
Finding potential sources of digital evidence (e.g., at a crime scene, within an organization, or on the Internet)
Preservation:
Preventing changes to in situ digital evidence, including isolating the system on the network, securing relevant log files, and collecting volatile data that would be lost when the system is turned off. This step includes the subsequent collection or acquisition of the evidence.
Examination and Analysis
Searching for and interpreting trace evidence.
Some process models use the terms examination and analysis interchangeably
Presentation
Reporting of findings in a manner which satisfies the context of the investigation, whether it be legal, corporate, military, or any other
Distinction between examination and analysis in forensics
Forensic examination is the process of extracting and viewing information from the evidence, and making it available for analysis.
Forensic analysis is the application of the scientific method and critical thinking to address the fundamental questions in an investigation: who, what, where, when, how, and why
What is the end goal of most digital investigations
To identify the person who is responsible; therefore the digital investigation needs to be tied to a physical investigation.
Digital Crime scene preservation
Preventing changes to potential digital evidence, including network isolation, collecting volatile data, and copying the entire digital environment
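The two preservation cards above (Preservation, and Digital crime scene preservation) both turn on the same practical requirement: once evidence has been acquired, an examiner must be able to prove that the copy they analyze is identical to what was collected and has not changed since. The usual way to do that is to hash the evidence at acquisition time and re-verify the hash before every examination. The following is an added example written for this page, not code from the source text or from any forensic tool: it acquires a constructed sample "disk" file, records its SHA-256 in a minimal chain-of-custody log, verifies the copy, and then shows that a single appended byte is detected on re-verification. The file names, the log fields and the sample contents are all assumptions made for the demonstration.

```python
"""Acquisition-integrity check for preserved digital evidence.

Added example for this page (not from the original text). The evidence file,
image name and chain-of-custody log layout are constructed for illustration.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large images need not fit in RAM


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(original: Path, image: Path, custody_log: list) -> str:
    """Copy the evidence, verify the copy, and append a custody record.

    The original is hashed *before* copying so the recorded digest reflects
    the state of the evidence at the moment of acquisition. The copy is
    hashed afterwards and must match; a mismatch means the acquisition
    itself altered data (bad media, interrupted copy) and must be redone.
    """
    digest_before = hash_file(original)
    shutil.copyfile(original, image)
    digest_after = hash_file(image)
    custody_log.append({
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "action": "acquire",
        "source": str(original),
        "image": str(image),
        "sha256": digest_before,
        "copy_verified": digest_before == digest_after,
    })
    if digest_before != digest_after:
        raise RuntimeError("acquired image does not match the original")
    return digest_before


def verify(image: Path, recorded_digest: str) -> bool:
    """Re-hash an image and compare against the digest recorded at acquisition."""
    return hash_file(image) == recorded_digest


def demo() -> dict:
    """Run the acquisition, then show that a later modification is detected."""
    work = Path(tempfile.mkdtemp())
    try:
        # Constructed sample evidence: a fake raw disk, not a real image.
        original = work / "suspect_laptop_sda.raw"
        original.write_bytes(b"FAKE-MBR" + bytes(range(256)) * 64)
        image = work / "suspect_laptop_sda.img"

        custody_log: list = []
        digest = acquire(original, image, custody_log)
        verified_at_acquisition = verify(image, digest)

        # Simulate an examiner accidentally writing to the working image.
        with image.open("ab") as f:
            f.write(b"\x00")
        verified_after_modification = verify(image, digest)

        return {
            "digest": digest,
            "verified_at_acquisition": verified_at_acquisition,
            "verified_after_modification": verified_after_modification,
            "custody_entries": len(custody_log),
            "copy_verified_in_log": custody_log[0]["copy_verified"],
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the hash would be computed by the acquisition tool against the source device itself and recorded on the custody form, and examination would be done on a second working copy or through a write blocker; the point the example makes is that without a digest taken at acquisition, the "after modification" case is indistinguishable from an intact image.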
Accusation or Incident Alert
Every process has a starting point—a place, event, or for lack of a better term, a “shot from a starting gun” that signals that the race has begun
What computer security professionals should obtain
Instructions and written authorization from their attorneys before gathering digital evidence relating to an investigation within their organization.
Why digital investigators should establish thresholds
in order to prioritize cases and make decisions about how to allocate resources
What threshold considerations include
The likelihood of missing exculpatory evidence and the seriousness of the offense
What threshold considerations dictate
When the considerations are not met, no further action is required. When they are met, continue to apply investigative resources based on the merits of the evidence examined so far, with priority set by the initially available information
The history model
The history model is related to the general scientific method of observation, hypothesis formulation, prediction and testing, by casting the digital examination as a process of formulating and testing hypotheses about previous states and events.
The scientific method
Is applied to each step of a digital investigation (preparation, survey, preservation, examination, and analysis), which can guide a digital investigator through almost any investigative situation.
Steps of the scientific method
1- Observation: One or more events occur that initiate the investigation. These events include several observations that represent the initial facts of the incident. Digital investigators proceed from these facts to form their investigation.
2- Hypothesis: Based on the current facts of the incident, digital investigators form a theory of what may have occurred.
3- Prediction: Based on the hypothesis, digital investigators predict where the artifacts related to that event may be located.
4- Experimentation/Testing: Digital investigators analyze the available evidence to test the hypothesis, looking for the presence of the predicted artifacts.
5- Conclusion: Digital investigators form a conclusion based on the results of their findings.