Chapter 20 - 05 - Discuss Various Forensic Investigation Phases - 04_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Computer Forensics

Post-investigation Phase: Gathering and Organizing Information

Procedures

Following are the procedures for gathering and organizing the
required documentation:

= Gather all notes from different phases of the investigation process '

* Identify the facts to be included in the report for supporting the
|dentify J "
conclusions

*= List all the evidence to submit with the report

*= List the conclusions that need to be in the report

* Organize and classify the information gathered to create a concise
and accurate report

Copyright ©© by
Copyright by Al Rights
Al Reserved.
Rights Reserved. Reproduction isIs Strictly
Reproduction Strictly Prohibited.
Prohibited.

Post-investigation Phase
The responsibility of the investigators does not end with finding and analyzing the evidence
data. They should also be able to explain how they arrived at the conclusion to the prosecutors,
attorneys, and judges. The post-investigation phase involves the reporting and documentation
of all the actions undertaken and the findings during the course of an investigation and the
procedure of testifying as an expert witness in the court.
This section provides guidelines on how to write an investigation report and testify as an expert
witness.
Post-investigation Phase: Gathering and Organizing Information
= |dentification
Identification
Documentation in each phase should be identified to decide whether it is appropriate to
the investigation and should be organized in specific categories
*= Procedures
Following are the procedures for gathering and organizing the required documentation:
o Gather all notes from different phases of the investigation process
o Identify the facts to be included in the report for supporting the conclusions
o List all the evidence to submit with the report
o List the conclusions that need to be in the report
o Organize and classify the information gathered to create a concise and accurate
report

Module 20 Page 2221 Certified Cybersecurity Technician Copyright © by EG-Council
EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

Post-investigation Phase: Writing the Investigation Report

Report writing is a crucial stage in the

The report should be clear, concise, and written for the

Important aspects of a good report:

It should accurately define the details of an incident
N

It should convey all necessary information in a concise manner
N

It should be technically sound and understandable to the target audience
Y

It should be structured in a logical manner so that information can be easily located
N

It should be able to withstand legal inspection
N

It should adhere to local laws to be admissible in court
A

Post-investigation Phase: Writing the Investigation Report
Report writing is a crucial stage in the forensic investigation process, as it summarizes the
whole investigation into a readable report to be presented in a court of law. Based on the
accuracy and certainty of this report, the court will prosecute the suspects. The report should
be clear, concise, and written for the appropriate audience. The report should be in the local
language if necessary and devoid of any jargon. It should include only the data related to the
case and the evidence. Every statement should have a supporting document or evidence.

The report should also give a detailed account of the incidents by emphasizing the
discrepancies in the statements of the witnesses. It should be a well-written document that
focuses on the circumstances of the incident, statements of the witnesses, photographs of the
crime scene, reference materials leading to the evidence, schematic drawings of the computer
system, and the network forensic analysis report. The conclusions of the investigation report
should be based on facts and not the opinions of the investigators. An investigator should draft
the documentation by considering that the defense team will also scrutinize it.

Aspects of a good investigation report include the following:

= |t should accurately define the details of an incident.
= |t should convey all necessary information in a concise manner.
= |t should be technically sound and understandable to the target audience.
= |t should be structured in a logical manner so that information can be easily located.
= |t should be created in a timely manner.
= |t should be able to withstand legal inspection.

Module 20 Page 2222 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

* |t should include conclusions that can be completely reproduced by a third-party.
= |t should try to answer questions raised during a judicial trial.
= |t should provide valid conclusions, opinions, and recommendations supported by
figures and facts.
= |t should adhere to local laws to be admissible in court.

Module 20 Page 2223 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

0O Executive summary
v Case number
NN

v" Names and Social Security Numbers of authors, investigators, and examiners
v' Purpose of investigation
N

v Significant findings
N
AR

v Signature analysis
Q Investigation objectives
0QO Details of the incident
v'
v’ Date and time the incident allegedly occurred
vv' Date and time the incident was reported to the agency’s personnel
v' Details of the person or persons reporting the incident
Q Investigation process
v’
v' Date and time the investigation was assigned
v Allotted investigators
v Nature of the claim and information provided to the investigators

0O Evidence information
QO O Relevant findings
¥"¥' Location of the evidence O Supporting Files
v'v List of the collected evidence v7 Attachments and
end appendices
sppendices
v¥" Tools involved in collecting the evidence ¥v Full poth
path of the Bmporient
important fles
files
v’ Preservation of the evidence v Expert reviews
raviews snd
and opinion
oplilon

QO
O EEvaluati i
Evaluation andd analysis
analysisi Pro
Process O Ofer sapns details
r—— s — QO Other supporting details
v¥ Initial evaluation of the evidence
v’ Attacker’s methodology
v’v Investigative techniques
v User’s applications and Internet
v¥ Analysis of the computer evidence activity
(Tools involved)
v"v' Recommendations

Forensics Investigation Report Template
An Investigative Report Template is a set of predefined styles allowing investigators to add
different sections of a report such as the case number, names and social security numbers of
the authors, objectives of the investigation, details of the incident, executive summary,
investigation process, list of findings, and tools used.

Module 20 Page 2224 Certified Cybersecurity Technician Copyright © by EG-Gouncil
EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

Every investigative report starts with a unique case number, followed by names as well as the
social security number of the authors, investigators, and the examiners involved in the
investigation. The report covers all the details of the incident that are updated with the daily
progress in the investigative process. It includes every detail of the evidence such as location,
list of the collected evidence, tools used in the investigation, and the process of extracting and
preserving the evidence.
It should also record the evaluation and analysis procedure starting from the initial evaluation
of the evidence to the techniques used in the investigation, including the analysis of
electronic/digital evidence with the relevant files, supporting documents like attachments and
appendices, and the path of the files. The report should also include reviews by experts with
supporting details on the attacker’s intention, appliances used, Internet activity, and
recommendations.

4 Executive summary 4 Evidence information
@ Case number @ Location of the evidence

© Names and Social Security Numbers of authors, @ Listof the collected evidence
investigators, and examiners @ Tools involved in collecting the evidence
@ Purpose of investigation @ Preservation of the evidence
e Significant findings 4 Evaluation and analysis Process
e Signature analysis @ Initial evaluation of the evidence
J Investigation objectives ¢ Investigative techniques
@ Details of the incident & Analysis of the computer evidence (Tools involved)

e Date and time the incident allegedly occurred 9 Relevantfindings
& Date and time the incident was reported to the agency’s 4 Supporting Files
personnel ¢ Attachments and appendices
¢ Details of the person or persons reporting the incident & Full path of the important files
W Investigation process e Expert reviews and opinion

e Date and time the investigation was assigned J Other supporting details
¢ Allotted investigators @ Attacker’s methodology
& Nature of the claim and information provided to the @ User’s applications and Internet activity
investigators & Recommendations

Figure 20.3: Forensics investigation report template

Module 20 Page 2225 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

Post-investigation Phase: Testifying as an Expert Witness
— Presenting digital evidence in the court requires knowledge of new, specialized, evolving, and.“.“. sometimes complex technology

° " Familiarize the expert witness with the usual procedures that are
1 followed during a trial
Things that
take place.I i A
The attorney introduces the expert witness
in the court ° P
room
1
X ° I The opposing counsel may try to discredit the expert witness

I The attorney leads the expert witness through the evidence

1
° I Later, it is followed by the opposing counsel’s cross-examination

Post-investigation Phase: Testifying as an Expert Witness
As the attorney, prosecutors, and other panels present in a court of law may be unaware of the
technical knowledge of the crime, evidence, and losses, the investigators should approach
authorized personnel who could appear in the court as an expert witness to affirm the accuracy
of the process and the data.

An expert witness must consider certain factors while testifying in the court. They should gather
sufficient information on standard procedures during a trial and must never query their
attorney in this regard. Before the expert witness testifies in court, the attorney first introduces
them to the court with high regard and discloses the expert’s credentials and accomplishments
to establish credibility with the jury. However, the opposing counsel may try to challenge or
question the expert’s reputation by further revealing the expert’s past failures relevant to the
case, if any.

The attorney leads the expert witness through the evidence and explains the latter’s role
concerning the evidence such that it is comprehensible to the jury, audience, and the opposing
counsel. A cross-examination by the opposing counsel follows, who then questions the expert
witness on their description of the evidence and the methods they followed while collecting
and analyzing the evidence.

Module 20 Page 2226 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.