Investigation Project Plan

Table of Contents……………………………………………………………………………Page

Purpose……………………………………………………………………………………………3

Introduction………………………………………………………………….……………..…….3

Meetings and Agenda……………………………………………………………………………..3

Required Forensic Tools and Techniques…………………………………………….……….…4

Checklist of Forensic Equipment and Resources…………………………………….………….5

Legal Information………………………………………………………….……………………6

Investigative Process………………………………………………………………….…………6

Interview Forms and Questions……………………………………………………………….11

Investigative Timeline………………………………………………………………….………12

Investigative Budget………………………………………………………………………….…13

Conclusion………………………………………………………………………………………14

References………………………………………………………………………………………16

 

 

Investigation Project Plan

Purpose

The main objective of this digital forensic investigation plan is to determine how a cybercrime occurred for the company. Various forensic steps will be involved for effective investigation and find the reason for the activity occurrence. Meetings will be held with various parties in the company to obtain key information that will be in investigation. Interviews with key parties such as IT directors, coworkers, and witnesses to further assess the situation and events that led to an action happening. The investigators will ensure forensic tools necessary for the investigations are in place and set the process in motion.

Introduction

Investigation entails searching for facts particularly those that are hidden in a complex situation to determine why and how something occurred. In the cyber domain, an investigation is essential in gathering the required data in a complicated matter which can be done digitally, verbally, or physically. The cyber domain is experiencing high-level criminal activities that require different skills in solving or investigating the crimes committed by attackers. Cybercrime is an illegal activity where a computer, network, and networked devices are involved as weapons to commit a crime (Brush, 2020). On the other hand, digital forensic in the cyber domain is when an investigation and a critical analysis are applied to collecting and preserving evidence from a device that was used to commit a crime for demonstration in court during a hearing.

Meetings and Agenda

The first meeting after the incident will be between the digital forensic investigators and the company management or key people in the company. They include the chief executive officer, IT directors, managers, and supervisors of the affected departments. The main agenda in the meeting will be the top leadership of the company to give a briefing about the crime to the forensic team, give key information about the company network and systems, and outline specific areas that need to be given more attention when the investigation starts. Further, the leadership should give the timeframe they will need the investigation to be completed. The forensic investigators will inform the company of what is needed after the briefings. In this first meeting, the budget for the investigation will be discussed by both sides the company and the investigators. The second meeting will be between the company’s top leadership, the digital forensic investigators, and the witnesses in the case. In the meeting, the witnesses are expected to give specific information regarding the incident because they are the first individual to detect intruder activities. The third meeting will be between the company, the digital forensic investigators, the witnesses, and the coworkers of the intruder. The meeting will be focusing on intruder coworkers to give details on the information accessed, the location of the activity, among the key things that will help for investigation.

Required Forensic Equipment and Techniques

During the investigation process, the investigators, reports, and facts can only be successful when necessary methods and equipment are applied. In a criminal investigation, digital forensic techniques and equipment are essential in the investigation of intruders, stimulation and accessing of events that transpired in cybercrime, and the preservation of evidence obtained during the process. The equipment employed in digital forensic are designed to enable investigators to capture the information technology and cyber image environments. The obtained images are used to determine the way a malicious intruder managed to compromise the system and various actions taken in the compromised system. The procedures enable individuals investigating to find any loopholes in the system which intruders utilized to commit a crime. According to Leo Cyber Security (2017), digital forensic equipment can be grouped into several sets which include Hard Drive and Data capture equipment, File analysis equipment, Internet analysis equipment, Registry and memory analysis Equipment, Email analysis tool, Network forensic analysis tool, Mobile device analysis tool, and Database forensic tools. Other common digital forensic equipment includes X-Ways Forensics, WndowsSCOPE, Wireshark, Cain and Abel, Computer Aided Investigative Environment (CAINE), Computer Online Forensic Evidence Extractor (COFEE), Registry Recon,EnCase, Sleuth Kit, among others (H-11 Digital Forensics, 2018)

Checklist of Forensic Equipment and Resources

There are various steps and resources needed for the effective running of digital forensic investigation.

• First and foremost, the devices should not be turned on or off, attempt to access any file, or run a program. Forensic investigators have appropriate tools and expertise to prevent damage from static electricity and data overwriting.
• Equipment such as relevant media which include PDAs, laptops, hard drives, DVDs, USB drives, cell phones, CDROMs among other relevant media should be secured.
• Automated data destruction and recycling policies that may pertain to media and users should be suspended.
• The list of names, email addresses, and other information about the subjects involved in the case should be compiled.
• Password should be obtained to access password-protected documents or encrypted.
• A chain of custody to be maintained for each piece of original media, showing the place where the media has been, the individual in possession, and the reason to be in possession.
• List of keywords to be used when searching relevant information.

Legal Information

In the digital forensic investigation of the cybercrimes committed, there are various fundamental considerations investigators should observe such as synchronization with the local authority regarding the matter. The local authority in some cases asks for more information regarding the chain of evidence after the case preparation and ready for a court trial. The legal information that the investigators should be aware of is ensuring the scope of the search, checking for any possible matters relating to federal statutes applicable such as the Cable Communications Policy Act (CCPA) and Electronic Communications Privacy Act (ECPA), Privacy Protection Act (PPA), State statutes and local policies and laws such as Digital Millennium Copyright Act, Computer Fraud and Abuse Act, and Federal Wiretap. Digital forensic investigators should consider contacting the legal authorities in the event where the search for evidence cannot be restricted.

Investigation Process

During a digital forensic investigation, dealing with evidence is fragile and volatile and the inappropriate management of the evidence acquired can lead to altering it. Thus, due to the digital evidence fragility and volatility, measures have to be put in place like following protocolsto ensuring that information acquired is not altered during its handling. These proceduresoutline the stages to be monitored when managing digital evidence obtained. For effective management of digital evidence, there are four stages employed in the initial handling of digital evidence which include identification, collection, acquisition, preservation, analysis, and reporting.

• Identification phase: In this phase, initial data is attained about the cybercrime case before collecting digital evidence. Digital forensic investigator in this situation pursues to get answers for questions such as Where did the cybercrime happen? What happened? Who was involved? When did cybercrime happen? And How did cybercrime happen? The responses to these queries will give digital forensic investigators direction on how to continue with the crime. Response to the query “Where did this crime happen?” will tell the investigators how to progress with the case like which departments should be involved. In this stage, digital forensic investigators employ several traditional investigative techniques. For instance, victims, suspects, and witnesses of the crime activity are questioned to collect data and evidence of the cybercrime under investigation. The next stage after identification is collection but before it starts, the investigators have to define the kinds of evidence sought. Digital evidence can be found on digital tools which include computers, routers, cameras, smartphones, external hard drives, tablets, and flash drives.
• Collection phase: the criminal activity should be not restricted to area of the devices involved in the act but it should also include any digital equipment that potentially holds digital evidence, and spans several digital tools, servers, and systems. The crime location should be secured when there is any indication, observation, suspect, or report on criminal activity. The first person to detect the crime should identify and protect the area from contamination and keep volatile evidence by separating the handlers of all digital devices found at the crime scene (Software Engineering Institute, 2016). The individuals separated must not be granted the chance to continueusing the digital tools. The investigators should then search for the area and find the evidence. But before the search of evidence is conducted, the area of crimeshould be recorded. Documentation is required throughout the whole investigation plan. The documentation should comprisecomprehensivedataon the digital tools assembled with the operational state of the device whether it was on, off, standby mode and their physical features such asserial number, model, make, connections, and other markings or damage.
• Acquisition phase: there are different approaches employed when performing acquisition in digital forensic investigation. The approach employed by the investigation team depends on the type of digital tools. If the live acquisition is not needed during the investigation, evidence extraction from the detained digital devices should be performed at the forensic laboratory. While at the forensics laboratory, digital evidence acquiring should be conducted in a manner that preserves the integrity of the evidence. For example, the investigators should ensure that the data is unaltered. To accomplish this, the techniques and tools employed to obtain digital evidence must avoidmodifications to the data (SWGDE, 2018). The techniques and tools employed in the investigation should be valid and reliable. The limitations of thetechniques and tools should be identified and considered before used in the investigation (SWGDE, 2018). In a digital forensic investigation, the detained digital devices are considered the primary source of evidence. The digital forensics investigators should not obtain information from the primary source but from a duplicate made of the data of the devices. A duplicate copy of the data of the digital tools is made before a static acquisition is performed to keep the integrity of digital evidence (UNODC, 2019). When extracting data, two forms of extraction needed which include physical and logical. Logical extraction entails searching for evidence from the area it resides relative to the file system of a computer operating system (SWGDE, 2018). These areas include file systems, encrypted, and password-protected data, unallocated and unused space, and active and deleted file.
• Preservation phase: in the preservation phase, there is the protection of digital evidence acquired from alteration. It is essential to maintain the integrity of digital evidencein every phase of the handling of digital evidence.The digital forensic investigators, the person who detected the act, and other responsible individuals involved in the investigation must show that evidence acquired was not alteredin the identification, collection, and acquisition phase. To show that the integrity of evidence was tampered with, a chain of custody must be observed. In this case, the chain of custody is the process when detectivesmaintain the crime are and evidence in the whole process of the incident. The chainof custody includes knowing about the individualwho gathered the evidence, the place, and the way evidence was gathered, the persons responsible for possession of the evidence, and the time they took possession of evidence. In the chain of custody, thetitles, names, and contact details of investigators and individuals who identified, collected, and obtained the evidence should be in the documentation.
• Analyzing and Reporting phase: after the identification, collection, acquisition, and preservation of evidence from the crime scene, the digital forensic investigation process encompasses analyzing and interpretation of evidence gathered and the reporting of outcomes from the examination process. During the examination stage, evidence collected is extracted from the device for analysis and reconstruction of events. But before the examination of the evidence collected, the forensic investigators must be enlightened of the main purposes of the search, and key information obtained useful for investigation. After investigators have been informed of the necessary information in the case, several forms of examinations are performed in regards to the type of digital evidence sought which includes the file system, application, network, image, video, and media analysis. Documents are examined to ascertain their source, when and where the data was designed, changed, retrieved, copied, or uploaded, and the potential linking of the documents on storage devices. Forinstance, remote storagesuch as cloud-based storage. In a digital forensic investigation, four types of analyses can be performed on a computer which includes ownership and possession analysis, time-frame analysis, data hiding analysis,and application and file analysis. The ownership and possession analysis is employed to ascertain the person who created, retrieved, and changed documents on a computer system. The time-frame analysis is employed to generate a timeline of the intruder performed the act using time stamps. Data hiding analysis as the name implies is employed to search for hidden information in the devices. Attackers or intruders employ various data-hiding methods to hide their illegal events and finding informationsuch as using encryption, changing file extensions, password-protecting devices and specific content, and hiding partitions (UNODC, 2019). The application and file analysis is employed to scrutinize applications and documents in the digital devices to ascertain the intruder’s knowledge of and intent and capabilities to commit cybercrime. The purpose of the examination is to reconstruct the crime answering the questions who, what, where, when, and how through identification, collation, and connecting of data. The outcomes of the examinations are recorded in a report which should precise, and clear. The report should have demonstrative materials and supporting evidence such as chain of custody, together with methods employed and steps used to obtain data.

Interview Forms and questions

Interview questions for witnesses

• when was the cybercrime committed by the attacker?
• what types of documents were open during intrusion?

Interview questions for coworkers

• what type of information was accessed by the intruder?
• Where the physical and digital evidence located?

Interview questions for the company

• How did the police take the cybercrime committed??
• How the evidence can be preserved and maintained for court proceedings?
• What methods are employed to bypass digital security programs?
• What officials of the organizations could be involved in accessing computer networks illegally?
• What other technical tricks could be employed in the illegal concealment of the data?
• What sources of data or measures of data security the company has obtained from the intruder?
• Where did the illegal penetration into the computer network of the company take place?
• If the penetration was committed in another country, what are the jurisdictional limitations?
• What ways could have been employed in illegal penetration where the computer tools were placed?
• Are there different protocols employed between finding an internal or external data breach?
• Until the current crime, how many cybercrime cases have taken place, and to what extent?

Investigative Timeline

In a digital forensic investigation, time is an important element that the investors must put into consideration especially when performing digital forensic analysis. To effectively complete the whole digital forensic investigation process and perform all phases efficiently, time must be estimated allocating each stage time required to finish particular tasks. Various studies have discovered that it takes an average of nine months to identify, collect, acquire, preserve, analyze, and issue a comprehensive report on digital evidence obtained. The following are vital activities or phases that make up the time estimation of the digital forensic investigation. These activities include meetings with various parties in the company, interviews with key parties, identification of the information, collection of information, acquisition of evidence, preservation of acquired evidence, analysis of the evidence collected, evidence presentation or reporting, and decisions taken on evidence basis by the court. The following table displays each activity with the time estimate required for completion.

Table 1:Timeline

Activity	Period
Meetings with various parties in the company	3 Weeks
Interviews with key parties in the company	3 Weeks
Identification of information	3 Weeks
Collection of information	1 Month
Acquisition of evidence	1 Month
Preservation of acquired evidence	2 Months
Analysis of evidence collected	1 Month
Evidence presentation or reporting	1 Month
Court’s decisions on evidence presented	1 Month

 

Investigative Budget

Forensic digital investigations can be costly depending on the size of the organization as the larger it is the more data it will have that will need to be examined (Ellis, 2016).The investigation can involve one or more forensic investigators examining a mountain of data for the company. The following are tables showing the costs for equipment budget and labor budget.

Table 2: Equipment Budget

Equipment	Amount
Card brand compromise fees	$5,000 – $5,000,000+
Free credit monitoring for affected individuals	$10 – 30/card
Card re-issuance penalties	$3 – $10 per card
Security updates	$15,000+
Breach notification costs	$1,000+
Technology repairs	$5,000+

 

Table 3: Labor Budget

Labor item	Amount
Forensic Investigators fee	$5,000 – $50,000
Lawyer fee	$5,000+
Onsite QSA assessments following the breach	$20,000 – $100,000

 

Conclusion

The digital forensic investigation in the cyber world is essential especially when an act has been committed by the attacker. The key information should be availed by relevant individuals in the case comprehensively ensuring nothing is missed which can cause stagnation in the investigation. Forensic tools and resources should be assembled for the forensic investigators to perform their work effectively. The investigation phases such as identification, collection, acquisition, preservation, analysis, and reporting should be observed if the investigation team will need to have a relevant conclusion after investigation. The time factor is essential to ensure the investigation process is completed as scheduled.

References

Brush, K. (2020). Cybercrime. TechTarget. Retrieved from https://searchsecurity.techtarget.com/definition/cybercrime

Ellis, D. (2016). What Does a Cyber Forensic Investigation Do and How Much Does It Cost? Security Metrics. Retrieved from https://www.securitymetrics.com/blog/what-does-cyber-forensic-investigation-do-and-how-much-does-it-cost

H-11 Digital Forensics. (2018). The Best Open Source Digital Forensic Tools. Retrieved from https://h11dfs.com/the-best-open-source-digital-forensic-tools/

Leo Cyber Security. (2017). Digital Forensic Tools. Retrieved from https://leocybersecurity.com/wp-content/uploads/2017/11/16-Digital-Forensic-Tools.pdf

Scientific Working Group on Digital Evidence (SWGDE). (2018). SWGDE Best Practices for Computer Forensic Acquisitions. Retrieved from https://drive.google.com/file/d/1KeEI1DUkSE2DSPZyPFEFIGfzbZS3-zZC/view

Scientific Working Group on Digital Evidence (SWGDE). (2018). SWGDE Best Practices for Digital Evidence Collection. Retrieved from https://drive.google.com/file/d/1zP4OgpRrj-t9sVGNcqndqIgsemq7u5XQ/view

Software Engineering Institute. (2016). Volatile Data Collection. Carnegie Mellon University. Retrieved from https://fedvte.usalearning.gov/courses/CSI/course/videos/pdf/CSI_D01_S05_T01_STEP.pdf

UNODC. (2019). Practical Aspects of Cybercrime Investigations and Digital Forensics. Retrieved from https://www.unodc.org/e4j/en/cybercrime/module-6/key-issues/handling-of-digital-evidence.html