Chapter 20 - 04 - Understand the Forensic Investigation Process and its Importance_ocred_fax_ocred.pdf
Document Details
Uploaded by barrejamesteacher
null
EC-Council
Tags
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Computer Forensics Module Flow Digital Evidence Sources...
Certified Cybersecurity Technician Exam 212-82 Computer Forensics Module Flow Digital Evidence Sources Understand the Fundamentals to Support Forensic of Computer Forensics Investigation Understand Digital Evidence Collecting the Evidence Identify the Roles and Responsibilities of a Forensic Securing the Evidence Investigator Understand the Forensic Overview of Data Investigation Process and Acquisition its Importance Discuss Various Forensic Performing Evidence Investigation Phases Analysis Understand the Forensic Investigation Process and its Importance This section presents an overview of the forensic investigation process and outlines the need to follow a well-documented and thorough investigation process. Module 20 Page 2200 Certified Cybersecurity Technician Copyright © by EC-Council EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics. 2 o o A Q | A methodological approach to investigate, seize, and analyze ‘ digital evidence and then manage the case from the time of X I/j search and seizure to reporting the investigation result Forensic Investigation Process The computer forensics investigation process includes a methodological approach to investigate, seize, and analyze digital evidence and then manage the case from the time of search and seizure to reporting the investigation result. Module 20 Page 2201 Certified Cybersecurity Technician Copyright © by EG-Council EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Importance of the Forensic Investigation Process As digital evidence is fragile in nature, following strict guidelines and thorough forensic investigation process that ensures the integrity of evidence is critical to prove a case in the court of law The forensics investigation process to be followed should comply with local laws and established precedents. Any breach/deviation may may jeopardize the complete investigation The investigators must follow a repeatable and well- documented set of steps such that every iteration of analysis provides the same findings; else, the findings of the investigation can be invalidated during the cross examination in a court of law cil. AllAll Rights cll. Rights Reserved. Reproductio is Strictly Prohibited Reserved. Reproduction Importance of the Forensic Investigation Process The rapid increase in cybercrimes, ranging from theft of intellectual property to cyber terrorism, along with litigations involving large organizations, has made computer forensics investigation necessary. The process has also led to the development of various laws and standards that define cybercrimes, digital evidence, search and seizure methodology, evidence recovery, and investigation processes. The investigators must follow a forensics investigation process that complies with local laws and established standards; any deviation/breach may jeopardize the complete investigation. As digital evidence is fragile, following strict guidelines and a proper and thorough forensic investigation process that ensures the integrity of evidence is critical to proving a case in a court of law. The investigators must follow a repeatable and well-documented set of steps such that every iteration of the analysis yields the same findings; otherwise, the findings of the investigation can be invalidated during cross-examination in a court of law. The investigators should adopt standard computer forensics processes; this way, the jury can replicate the process whenever required. Module 20 Page 2202 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Phases Involved in the Forensics Investigation Process O Pre-investigation Investigation Post-investigation Phase Phase Phase O Deals with tasks to be O The main phase of the O Includes documentation of all performed prior to the computer forensics actions undertaken and all commencement of the actual investigation process findings uncovered during the investigation investigation Involves setting up a computer Q Involves acquisition,. forensics lab, building a preservation, and analysis of Qa Ensgres that the report is easily forensics workstation, evidentiary data to identify the explicable to the target developing an Investigation investigation source of the crime and the audience and that it provides toolkit, setting up an culprit behind it adequate and acceptable investigation team, getting evidence approval from the relevant authority, etc. Copyright © by EC-Councll. Al All Rights Rights Reserved. Reproduction Isis Strictly Prohibited. Phases Involved in the Forensics Investigation Process Discussed below are different phases of the computer forensics investigation process: Pre-investigation Phase This phase involves all the tasks performed prior to the commencement of the actual investigation. It involves setting up a computer forensics lab, building a forensics workstation, developing an investigation toolkit, building an investigation team, getting approval from the relevant authority, etc. This phase also includes steps such as planning the process, defining mission goals, and securing the case perimeter and involved devices. Investigation Phase Considered to be the main phase of the computer forensics investigation, the investigation phase involves acquisition, preservation, and analysis of the evidentiary data to identify the crime source and the culprit. This phase involves implementing the technical knowledge to locate the evidence and examine, document, and preserve the findings as well as the evidence. Trained professionals perform all the tasks involved in this phase to ensure the quality and integrity of the findings. Post-investigation Phase This phase involves the reporting and documenting of all actions undertaken, and the findings obtained during the course of an investigation. It ensures that the target audience can easily understand the report and that it provides adequate and acceptable evidence. Every jurisdiction has set standards for reporting the findings and evidence; the report should comply with all such standards as well as be legally sound and acceptable in a court of law. Module 20 Page 2203 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.