Post-investigation Phase: Gathering and Organizing Information PDF

Summary

This document outlines the post-investigation phase of forensic investigations. It details methods for gathering and documenting evidence, for supporting conclusions and creating reports. It suggests the writing process for comprehensive, concise, technically accurate, and legally sound reports. The overall focus is on providing a thorough and accurate summary of an investigation for use in a court setting.

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Computer Forensics Post-investigation Phase: Gathering and Organizing Information Pro...

Certified Cybersecurity Technician Exam 212-82 Computer Forensics Post-investigation Phase: Gathering and Organizing Information Procedures Following are the procedures for gathering and organizing the required documentation: = Gather all notes from different phases of the investigation process ' * Identify the facts to be included in the report for supporting the |dentify J " conclusions *= List all the evidence to submit with the report *= List the conclusions that need to be in the report * Organize and classify the information gathered to create a concise and accurate report Copyright ©© by Copyright by Al Rights Al Reserved. Rights Reserved. Reproduction isIs Strictly Reproduction Strictly Prohibited. Prohibited. Post-investigation Phase The responsibility of the investigators does not end with finding and analyzing the evidence data. They should also be able to explain how they arrived at the conclusion to the prosecutors, attorneys, and judges. The post-investigation phase involves the reporting and documentation of all the actions undertaken and the findings during the course of an investigation and the procedure of testifying as an expert witness in the court. This section provides guidelines on how to write an investigation report and testify as an expert witness. Post-investigation Phase: Gathering and Organizing Information = |dentification Identification Documentation in each phase should be identified to decide whether it is appropriate to the investigation and should be organized in specific categories *= Procedures Following are the procedures for gathering and organizing the required documentation: o Gather all notes from different phases of the investigation process o Identify the facts to be included in the report for supporting the conclusions o List all the evidence to submit with the report o List the conclusions that need to be in the report o Organize and classify the information gathered to create a concise and accurate report Module 20 Page 2221 Certified Cybersecurity Technician Copyright © by EG-Council EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Post-investigation Phase: Writing the Investigation Report Report writing is a crucial stage in the The report should be clear, concise, and written for the Important aspects of a good report: It should accurately define the details of an incident N It should convey all necessary information in a concise manner N It should be technically sound and understandable to the target audience Y It should be structured in a logical manner so that information can be easily located N It should be able to withstand legal inspection N It should adhere to local laws to be admissible in court A Post-investigation Phase: Writing the Investigation Report Report writing is a crucial stage in the forensic investigation process, as it summarizes the whole investigation into a readable report to be presented in a court of law. Based on the accuracy and certainty of this report, the court will prosecute the suspects. The report should be clear, concise, and written for the appropriate audience. The report should be in the local language if necessary and devoid of any jargon. It should include only the data related to the case and the evidence. Every statement should have a supporting document or evidence. The report should also give a detailed account of the incidents by emphasizing the discrepancies in the statements of the witnesses. It should be a well-written document that focuses on the circumstances of the incident, statements of the witnesses, photographs of the crime scene, reference materials leading to the evidence, schematic drawings of the computer system, and the network forensic analysis report. The conclusions of the investigation report should be based on facts and not the opinions of the investigators. An investigator should draft the documentation by considering that the defense team will also scrutinize it. Aspects of a good investigation report include the following: = |t should accurately define the details of an incident. = |t should convey all necessary information in a concise manner. = |t should be technically sound and understandable to the target audience. = |t should be structured in a logical manner so that information can be easily located. = |t should be created in a timely manner. = |t should be able to withstand legal inspection. Module 20 Page 2222 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics * |t should include conclusions that can be completely reproduced by a third-party. = |t should try to answer questions raised during a judicial trial. = |t should provide valid conclusions, opinions, and recommendations supported by figures and facts. = |t should adhere to local laws to be admissible in court. Module 20 Page 2223 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics 0O Executive summary v Case number NN v" Names and Social Security Numbers of authors, investigators, and examiners v' Purpose of investigation N v Significant findings N AR v Signature analysis Q Investigation objectives 0QO Details of the incident v' v’ Date and time the incident allegedly occurred vv' Date and time the incident was reported to the agency’s personnel v' Details of the person or persons reporting the incident Q Investigation process v’ v' Date and time the investigation was assigned v Allotted investigators v Nature of the claim and information provided to the investigators 0O Evidence information QO O Relevant findings ¥"¥' Location of the evidence O Supporting Files v'v List of the collected evidence v7 Attachments and end appendices sppendices v¥" Tools involved in collecting the evidence ¥v Full poth path of the Bmporient important fles files v’ Preservation of the evidence v Expert reviews raviews snd and opinion oplilon QO O EEvaluati i Evaluation andd analysis analysisi Pro Process O Ofer sapns details r—— s — QO Other supporting details v¥ Initial evaluation of the evidence v’ Attacker’s methodology v’v Investigative techniques v User’s applications and Internet v¥ Analysis of the computer evidence activity (Tools involved) v"v' Recommendations Forensics Investigation Report Template An Investigative Report Template is a set of predefined styles allowing investigators to add different sections of a report such as the case number, names and social security numbers of the authors, objectives of the investigation, details of the incident, executive summary, investigation process, list of findings, and tools used. Module 20 Page 2224 Certified Cybersecurity Technician Copyright © by EG-Gouncil EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Every investigative report starts with a unique case number, followed by names as well as the social security number of the authors, investigators, and the examiners involved in the investigation. The report covers all the details of the incident that are updated with the daily progress in the investigative process. It includes every detail of the evidence such as location, list of the collected evidence, tools used in the investigation, and the process of extracting and preserving the evidence. It should also record the evaluation and analysis procedure starting from the initial evaluation of the evidence to the techniques used in the investigation, including the analysis of electronic/digital evidence with the relevant files, supporting documents like attachments and appendices, and the path of the files. The report should also include reviews by experts with supporting details on the attacker’s intention, appliances used, Internet activity, and recommendations. 4 Executive summary 4 Evidence information @ Case number @ Location of the evidence © Names and Social Security Numbers of authors, @ Listof the collected evidence investigators, and examiners @ Tools involved in collecting the evidence @ Purpose of investigation @ Preservation of the evidence e Significant findings 4 Evaluation and analysis Process e Signature analysis @ Initial evaluation of the evidence J Investigation objectives ¢ Investigative techniques @ Details of the incident & Analysis of the computer evidence (Tools involved) e Date and time the incident allegedly occurred 9 Relevantfindings & Date and time the incident was reported to the agency’s 4 Supporting Files personnel ¢ Attachments and appendices ¢ Details of the person or persons reporting the incident & Full path of the important files W Investigation process e Expert reviews and opinion e Date and time the investigation was assigned J Other supporting details ¢ Allotted investigators @ Attacker’s methodology & Nature of the claim and information provided to the @ User’s applications and Internet activity investigators & Recommendations Figure 20.3: Forensics investigation report template Module 20 Page 2225 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Post-investigation Phase: Testifying as an Expert Witness — Presenting digital evidence in the court requires knowledge of new, specialized, evolving, and.“.“. sometimes complex technology ° " Familiarize the expert witness with the usual procedures that are 1 followed during a trial Things that take place.I i A The attorney introduces the expert witness in the court ° P room 1 X ° I The opposing counsel may try to discredit the expert witness I The attorney leads the expert witness through the evidence 1 ° I Later, it is followed by the opposing counsel’s cross-examination Post-investigation Phase: Testifying as an Expert Witness As the attorney, prosecutors, and other panels present in a court of law may be unaware of the technical knowledge of the crime, evidence, and losses, the investigators should approach authorized personnel who could appear in the court as an expert witness to affirm the accuracy of the process and the data. An expert witness must consider certain factors while testifying in the court. They should gather sufficient information on standard procedures during a trial and must never query their attorney in this regard. Before the expert witness testifies in court, the attorney first introduces them to the court with high regard and discloses the expert’s credentials and accomplishments to establish credibility with the jury. However, the opposing counsel may try to challenge or question the expert’s reputation by further revealing the expert’s past failures relevant to the case, if any. The attorney leads the expert witness through the evidence and explains the latter’s role concerning the evidence such that it is comprehensible to the jury, audience, and the opposing counsel. A cross-examination by the opposing counsel follows, who then questions the expert witness on their description of the evidence and the methods they followed while collecting and analyzing the evidence. Module 20 Page 2226 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited.

Use Quizgecko on...
Browser
Browser