Chapter 20 - 05: Cybersecurity Forensic Investigation Phases - PDF
Summary
This document covers the investigation phases of a computer forensics engagement as taught in the EC-Council Certified Cybersecurity Technician course (Exam 212-82): planning the search and seizure, evidence preservation, data acquisition, data analysis, and case analysis. For each phase it outlines the required steps and the considerations the investigator has to keep in mind.
Full Transcript
Certified Cybersecurity Technician, Exam 212-82, Computer Forensics

Investigation Phase: Planning the Search and Seizure

A search and seizure plan should contain the following details:
- Description of the incident
- Case name or title of the incident
- Location of the incident
- Applicable jurisdiction and relevant legislation
- Determining the extent of authority to search
- Creating a chain of custody document
- Details of equipment to be seized
- Search and seizure type (overt/covert)
- Approval from local management
- Health and safety precautions

The investigators need to design a strategic process for the search and seizure activity. This lets them distribute tasks among the team members, complete the seizure, and use time and tools in a well-defined manner. The search and seizure plan should include the following details:
- Description, title, and location of the incident
- Applicable jurisdiction, relevant legislation, and organizational policy
- Determining the extent of authority to search
- Creating a chain of custody document
- Details of equipment to be seized, such as structure type and size; location (all in one place, or spread across the building or floors); type of device and model number; power status; network status and type of network; backups (if any), with the date and time of the last backup and where it is kept; and whether it is necessary to take the server down, together with the business impact of doing so
- Search and seizure type (overt/covert)
- Approval from the local management
- Health and safety precautions, such as all forensic team members wearing protective latex gloves for every searching and seizing operation onsite, both to protect the staff and to preserve any fingerprints that may be useful later

Module 20 Page 2215 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
The investigating team cannot jump into action immediately after chalking out a plan for search and seizure; they must follow a specific protocol and complete the legal formalities, which include obtaining a warrant, collecting information about the incident, and seeking authorization and consent.

Investigation Phase: Evidence Preservation

- Evidence preservation refers to the proper handling and documentation of evidence to ensure that it is free from any contamination.
- Any physical and/or digital evidence seized should be isolated, secured, transported, and preserved to protect its true state.
- At the time of evidence transfer, both the sender and the receiver need to record the date and time of transfer in the chain of custody record.
- The procedures used to protect the evidence and document it while collecting and shipping are as follows:
  - The logbook of the project
  - A tag to uniquely identify any evidence
  - A chain of custody record

Understanding the importance of preserving evidence matters because forensic evidence is fragile in nature and can be easily tampered with. It is essential to safeguard the integrity of the evidence to render it admissible in a court of law. The handling and preservation of evidence are among the most significant aspects of a digital forensic investigation. Investigators should take all necessary steps to ensure that the evidence remains in its true state, exactly as it was found at the crime scene. At the time of evidence transfer, both the sender and the receiver need to record the date and time of transfer in the chain of custody record.
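The transfer entry described above, as an added example (not code from the EC-Council module): a chain of custody record that stores sender, receiver and both parties' timestamps for every hand-off, and has the receiver re-hash the item on receipt so that a transfer of altered contents is refused rather than silently logged. The record layout, the field names, the hypothetical evidence tag and the evidence bytes are all assumptions made for illustration.

```python
"""Chain of custody record with an integrity check at every hand-off.

Added example; not code from the EC-Council module. The record layout, the
field names and the evidence bytes below are assumptions made for illustration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash of the evidence contents, recorded at acquisition and re-checked at each transfer."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Transfer:
    """One line of the chain of custody record: who handed the item to whom, when, and in what state."""
    sender: str
    receiver: str
    sent_at: datetime       # entered by the sender
    received_at: datetime   # entered by the receiver
    sha256: str             # hash the receiver verified on receipt
    purpose: str


@dataclass
class EvidenceItem:
    tag: str                 # unique evidence tag (hypothetical format: case number / item number)
    description: str
    acquisition_sha256: str  # hash recorded when the item was first collected
    collected_by: str        # first custodian
    chain: list[Transfer] = field(default_factory=list)

    @property
    def custodian(self) -> str:
        """Whoever received the item last; the collector until the first transfer."""
        return self.chain[-1].receiver if self.chain else self.collected_by

    def transfer(self, receiver: str, current_bytes: bytes, purpose: str,
                 sent_at: datetime, received_at: datetime) -> Transfer:
        """Record a hand-off. The receiver re-hashes the item; any mismatch is refused, not logged quietly."""
        if received_at < sent_at:
            raise ValueError("receipt time precedes dispatch time")
        observed = sha256_hex(current_bytes)
        if observed != self.acquisition_sha256:
            raise ValueError(f"{self.tag}: integrity failure on transfer to {receiver}: "
                             f"expected {self.acquisition_sha256[:12]}..., got {observed[:12]}...")
        entry = Transfer(self.custodian, receiver, sent_at, received_at, observed, purpose)
        self.chain.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Custody must be continuous and the hash constant: each sender is the previous receiver,
        every transfer carries the acquisition hash, and receipt never precedes dispatch."""
        previous = self.collected_by
        for t in self.chain:
            if t.sender != previous or t.sha256 != self.acquisition_sha256 or t.received_at < t.sent_at:
                return False
            previous = t.receiver
        return True


def demo() -> dict:
    """Constructed walk-through: two clean hand-offs, then an attempted hand-off of altered bytes."""
    evidence = b"constructed stand-in for the contents of a seized drive"
    item = EvidenceItem(tag="CASE-0001/ITEM-03", description="USB flash drive, 16 GB (hypothetical)",
                        acquisition_sha256=sha256_hex(evidence), collected_by="A. Investigator")
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    item.transfer("Evidence Custodian", evidence, "storage in evidence locker",
                  sent_at=t0, received_at=t0.replace(minute=20))
    item.transfer("B. Examiner", evidence, "forensic examination",
                  sent_at=t0.replace(day=2), received_at=t0.replace(day=2, minute=15))
    try:
        item.transfer("C. Examiner", evidence + b"!", "second opinion",
                      sent_at=t0.replace(day=3), received_at=t0.replace(day=3, minute=5))
        tamper_refused = False
    except ValueError:
        tamper_refused = True
    return {"transfers": len(item.chain), "custodian": item.custodian,
            "chain_intact": item.verify_chain(), "tamper_refused": tamper_refused}
```

In practice the hash is taken over the forensic image of the item, not over the physical device itself, and the record is printed and signed by both parties at each hand-off; keeping all timestamps in UTC avoids the ordering disputes that mixed local times cause when the record is later read in court.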
The following are required to protect the evidence and document it while collecting and shipping:
- The logbook of the project, to record observations related to the evidence
- A tag to uniquely identify each item of evidence
- A chain of custody record

Investigation Phase: Data Acquisition

- Forensic data acquisition is the process of imaging or collecting information from various media in accordance with established standards so that its forensic value can be analyzed.
- Investigators can then forensically process and examine the collected data to extract information relevant to any particular case or incident while protecting the integrity of the data.
- It is one of the most critical steps of digital forensics, as improper acquisition may alter data in the evidence media and render it inadmissible in a court of law.
- Investigators should be able to verify the accuracy of acquired data, and the complete process should be auditable and acceptable to the court.

During the investigation of digital devices, all the evidence may be present in the form of data. Therefore, investigators should have expertise in acquiring the data stored across various devices in different forms. Data acquisition is the use of established methods to extract Electronically Stored Information (ESI) from a suspect computer or storage media in order to gain insight into a crime or an incident. Forensic data acquisition is the process of imaging or collecting information from various media in accordance with established standards in order to analyze its forensic value. Investigators can then forensically process and examine the collected data to extract information relevant to any particular case or incident while protecting the integrity of the data.
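The acquisition just described, as an added example (not code from the EC-Council module): a bit-for-bit imager that refuses a destination that is not forensically clean, reads the source read-only in fixed blocks while hashing the stream, re-hashes the written image in a separate pass, and returns the logbook entry that makes the run auditable. Ordinary files in a temporary directory stand in for the evidence drive and the destination media; the block size and the log fields are assumptions.

```python
"""Bit-for-bit acquisition of a source device into an image file, with verification.

Added example; not code from the EC-Council module. Ordinary files in a temp directory
stand in for the evidence drive and the wiped destination media; on a real case the
source is a block device behind a hardware write blocker.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # read granularity (assumed); real imagers work in device sector sizes


def is_forensically_clean(media: str) -> bool:
    """Destination media must be wiped (all zero bytes) before imaging so nothing from an
    earlier case can later be mistaken for evidence."""
    with open(media, "rb") as f:
        while chunk := f.read(BLOCK):
            if chunk.count(0) != len(chunk):
                return False
    return True


def hash_file(path: str) -> str:
    """Independent hash pass over a file; used to verify the written image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, image: str, destination_media: str) -> dict:
    """Copy the source block by block, hashing the stream as it is read, then re-hash the
    written image. Returns the entry that goes into the project logbook."""
    if not is_forensically_clean(destination_media):
        raise RuntimeError(f"destination media {destination_media} is not forensically clean")
    src_hash = hashlib.sha256()
    size = 0
    started = datetime.now(timezone.utc).isoformat()
    # Source opened read-only; "xb" refuses to overwrite an existing image by mistake.
    with open(source, "rb") as src, open(image, "xb") as dst:
        while chunk := src.read(BLOCK):
            src_hash.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())     # image must be on stable storage before it is hashed
    image_sha256 = hash_file(image)
    return {
        "source": source, "image": image, "bytes": size,
        "started": started, "finished": datetime.now(timezone.utc).isoformat(),
        "tool": "example imager", "block_size": BLOCK,
        "source_sha256": src_hash.hexdigest(), "image_sha256": image_sha256,
        "verified": image_sha256 == src_hash.hexdigest(),
    }


def demo() -> dict:
    """Constructed run: a pseudo-device with a partial last block is imaged onto clean media,
    then a second acquisition onto dirty media is attempted and must be refused."""
    tmp = tempfile.mkdtemp()
    source = os.path.join(tmp, "suspect_drive.bin")
    clean_media = os.path.join(tmp, "wiped_target.bin")
    dirty_media = os.path.join(tmp, "reused_target.bin")
    with open(source, "wb") as f:                 # stand-in for the evidence drive
        f.write(os.urandom(3 * BLOCK + 123))
    with open(clean_media, "wb") as f:            # zero-filled, as wiped media would read
        f.write(bytes(16 * BLOCK))
    with open(dirty_media, "wb") as f:            # leftover data from a previous job
        f.write(bytes(8 * BLOCK) + b"old case data" + bytes(BLOCK))
    log = acquire(source, os.path.join(tmp, "suspect_drive.dd"), clean_media)
    log["source_rehash_matches"] = hash_file(source) == log["image_sha256"]
    try:
        acquire(source, os.path.join(tmp, "second.dd"), dirty_media)
        log["dirty_media_refused"] = False
    except RuntimeError:
        log["dirty_media_refused"] = True
    return log
```

Two things the example deliberately does not simulate: on a real drive the read goes through a hardware write blocker, and a block that cannot be read is logged and zero-filled in the image rather than aborting the run, which is how purpose-built imagers such as dc3dd behave. In both cases the logbook entry (start and end time, tool, block size, source and image hashes) is what lets another examiner reproduce and check the acquisition later.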
It is one of the most critical steps of digital forensics, as any improper acquisition may alter data in the evidence media and render it inadmissible in a court of law. Forensic investigators should be able to verify the accuracy of acquired data, and the complete process should be acceptable and reproducible in court. Before acquiring the data, the investigator needs to ensure that their storage device is forensically clean and then enable write protection to secure and protect the original evidence.

Investigation Phase: Data Analysis

- Data analysis refers to the process of examining, identifying, separating, converting, and modeling data to isolate useful information.
- Data analysis techniques depend on the scope of the case or the client's requirements.
- This phase includes the following:
  - Analysis of the file's content; the date and time of file creation and modification; the users associated with file creation, access, and modification; and the physical storage location of the file
  - Timeline generation
  - Identification of the root cause of the incident

Data analysis refers to the process of examining, identifying, separating, converting, and modeling data to isolate useful information. In a forensic investigation, data analysis helps in gathering and examining data to establish its relevance to the incident, so that the findings can be submitted to an authority for conclusions and decision-making. Investigators must thoroughly analyze the acquired data to draw conclusions related to the case.
Here, data analysis techniques depend on the scope of the case or the client's requirements and the type of evidence. This phase includes the following:
- Analyzing the file content for data usage
- Analyzing the date and time of file creation and modification
- Finding the users associated with file creation, access, and modification
- Determining the physical storage location of the file
- Timeline generation
- Identifying the root cause of the incident

Identify and categorize data in order of relevance to the case, such that the most relevant data serve as the most important evidence in the case.

Investigation Phase: Case Analysis

Investigators can relate the evidential data to the case details to understand how the complete incident took place and to determine future actions, such as the following:
- Determine the possibility of exploring other investigative procedures to gather additional evidence (e.g., checking host data and examining network service logs for any information of evidentiary value, collecting case-specific evidence from social media, identifying remote storage locations, etc.)
- Gather additional information related to the case (e.g., aliases, email accounts, ISP used, names, network configuration, system logs, and passwords) by interviewing the respective individuals
- Consider the relevance of other components that are out of the scope of the investigation; for example, equipment such as laminators, check paper, scanners, and printers in a fraud case, or digital cameras in a child pornography case
Case analysis is the process of relating the obtained evidential data to the case in order to understand how the complete incident took place. In this phase, the investigator assesses the impact of the incident on the organization, the reasons for and source of the incident, the steps required to tackle the incident, the investigating team required to handle the case, the investigative procedures, and the possible outcome of the forensic process. Case analysis is important for implementing a proper plan to handle the case and achieve the desired results. Case analysis might help the investigators in determining future actions, such as the following:
- Check whether other investigative methods can be followed, for instance, to identify a remote storage location, examine network service logs for any information of evidentiary value, or collect case-specific evidence from social media
- Gather additional information related to the case (e.g., aliases, email accounts, ISP used, names, network configuration, system logs, and passwords) by interviewing the respective individuals
- Identify the relevance of various elements at the crime scene, such as credit cards, check paper, scanners, and cameras
- Consider the relevance of peripheral components to the investigation; for instance, in forgery or fraud cases, consider non-computer equipment such as laminators, check paper, scanners, and printers, or in child pornography cases, consider digital cameras
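The timeline generation and file attribution steps listed under the Data Analysis phase above, as an added example (not code from the EC-Council module): a walk over a file tree that collects each entry's modification, access and inode-change times (and creation time where the platform exposes it) together with the owning user id, device and inode number, sorts them into a single oldest-first timeline, and narrows it to a window of interest. It builds a small constructed directory so it runs offline; the file names and times in it are made up.

```python
"""File-system timeline from MAC times and ownership, for the data analysis phase.

Added example; not code from the EC-Council module. It builds a small constructed
directory so that it runs offline; point build_timeline() at the mount point of a
(read-only) evidence image to use it on real data.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    timestamp: float
    kind: str     # "modified", "accessed", "changed" (inode metadata) or "created"
    path: str
    uid: int      # owner id: resolve it against the suspect system's account database, not the examiner's
    inode: int    # with the device id, the closest a file-system API gets to physical location
    device: int


def events_for(path: str) -> list:
    """All timestamps a single entry carries. lstat() is used so symlinks do not lead out of the tree."""
    st = os.lstat(path)
    common = (path, st.st_uid, st.st_ino, st.st_dev)
    events = [Event(st.st_mtime, "modified", *common),
              Event(st.st_atime, "accessed", *common),
              Event(st.st_ctime, "changed", *common)]
    birth = getattr(st, "st_birthtime", None)   # creation time, only where the platform exposes it
    if birth is not None:
        events.append(Event(birth, "created", *common))
    return events


def build_timeline(root: str) -> list:
    """Walk the tree without following symlinks and return every event oldest-first."""
    events = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            events.extend(events_for(os.path.join(dirpath, name)))
    return sorted(events, key=lambda e: (e.timestamp, e.path, e.kind))


def within(events: list, start: float, end: float) -> list:
    """Narrow the timeline to the window of interest (e.g. around the reported incident time)."""
    return [e for e in events if start <= e.timestamp <= end]


def render(e: Event) -> str:
    """One timeline line; times are rendered in UTC so entries from different zones line up."""
    when = datetime.fromtimestamp(e.timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when} {e.kind:<9} uid={e.uid} dev={e.device} ino={e.inode} {e.path}"


def demo() -> dict:
    """Constructed tree: two empty files whose access/modification times are set a day apart."""
    root = tempfile.mkdtemp()
    older, newer = os.path.join(root, "report.docx"), os.path.join(root, "exfil.zip")
    for p in (older, newer):
        open(p, "wb").close()
    t0 = time.mktime((2024, 5, 1, 8, 0, 0, 0, 0, -1))
    os.utime(older, (t0, t0))
    os.utime(newer, (t0 + 86400, t0 + 86400))
    timeline = build_timeline(root)
    return {
        "modified_order": [os.path.basename(e.path) for e in timeline if e.kind == "modified"],
        "events_in_window": len(within(timeline, t0 - 1, t0 + 1)),   # report.docx accessed + modified
        "lines": [render(e) for e in timeline],
    }
```

Two caveats a practitioner relies on: the inode-change time (st_ctime on Unix) is not a creation time and is rewritten by the examiner's own tools if the image is mounted read-write, so the image must be mounted read-only before the walk; and a user id only becomes a person once it is mapped through the account database recovered from the evidence, not through the workstation running the analysis.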