Digital Forensic Investigation Project Plan

Abstract


This project concerns a digital forensic investigation involving two computers and a thumb drive. The data on these devices will be securely protected so that it can be validated as evidence of the crime committed using the devices. Moreover, validating data recovered from computers and a mobile data storage device requires legal processes and procedures when fighting cybercrime with forensic investigation methodology.


Furthermore, this project will explain the need to secure the data involved in the investigation to prevent potential loss of data, and the need to create a formidable chain of custody to secure the devices. It will also elaborate on the process of transferring the devices to a forensic laboratory and maintaining the necessary documentation of the processes and procedures.

Similarly, this project will explain how to design investigative interview questions that establish the need for the case and focus the investigative effort. We shall also discuss what resources are needed to process the investigation in terms of forensic tools, contingency plans, and the time estimates required to complete the investigation. Finally, the above steps shall be used to develop a comprehensive investigation project plan.

Preliminary Work on Investigation Inventory Plan

The purpose of digital forensics is to provide viable answers to legal questions, to prove or disprove in a court of law that a cybercrime was committed. Investigating cybercrime requires a review of forensic laws and regulations as well as an active inventory of the devices that contain evidence of the crime, to prevent loss of valuable data. Investigating a cybercrime that involved two computers and a thumb drive led my team to meet with the lead detectives and the prosecutor handling the case for a collaborative effort in investigating the cybercrime.

First, my team will develop a questionnaire to establish the key people and activities that address the potential criminal activity, the timelines, and the people who need to be investigated. The preliminary work on a cybercrime investigation of electronic evidence involves searching, interviewing, interrogating, and collecting and preserving evidence. Second, the process will start with planning and reporting of the relevant electronic evidence, using relevant digital forensic tools and a chain of custody that will ensure the security and proper documentation of the electronic crime evidence (Computer Forensic Toolkit, 2018).

Moreover, NFSTC (2013) states that wireless devices “Should be isolated and examined initially in a designated isolated chamber”. The investigation inventory plan will involve the following process:

a). Interview protocol and documentation identification: the documentation for a forensic investigation consists of affidavits of probable cause; warrant applications to authorize the search; the search warrant; the First Responder Seizure Record Form; the Chain of Custody Form; and the Case Work Log.

i). The search and seizure were conducted for data acquired from a private-sector workplace.

ii). The purpose of the investigation is to discover content that violates the terms of use for the employees of the workplace, to identify the owner(s) of the compromising data and processes, and to determine the motives for the cybercrime committed using the stated devices.

iii). The time frame to cover was 2 months.

iv). The search and seizure are for hardware and the information contained in the devices. Two computers and a thumb drive were acquired under the authority of a search warrant.

v). The scope of discovery is limited to items related to the warrant or subpoena for the 2 computers and thumb drive. However, if some percentage of the data is unrelated to the case, the method and justification for the acquisition of the data must be defended in the examination process, to justify whether a forensic investigation was needed to meet the objectives of investigating the cybercrime committed using two computers and a thumb drive (www.nap.edu).

The Plain View doctrine dictates that “the evidence of a crime is subject to seizure in the absence of a warrant when the investigator is in a legal position to openly observe and access the evidence” (USOLE, 2009). Therefore, if a female trafficking scene was discovered in a search for bank fraud, the investigator must explain the process of how it was discovered. Plain view may constitute images or names that are displayed on the computer screen upon discovery.

vi). Applicable industry compliance begins with the Fourth Amendment to the United States Constitution, which addresses search and seizure laws for computers and the Internet. Apart from the Fourth Amendment, laws in the context of statutory privacy and search warrant requirements are applied, including U.S.C §2510-22, U.S.C §3121-27, U.S.C §2701-12, 18 U.S.C. §2703(c) and the Stored Communications Act (SCA) (USOLE, 2009; NFSTC, 2013).

The “reasonable expectation to privacy” tests; exceptions to the warrant requirements for computers; and challenges of post-seizure activity are also outlined.

b). Agencies involved in the forensic investigation include the Computer Forensics Laboratory, the Digital Forensics Certification Board, and task forces. Moreover, the National Institute of Justice presented that “digital evidence may be handled or examined solely by trained experts and specialists from the forensics industry and local law enforcement who have complete First Responder training” (NFSTC, 2013).

c). Chain of custody: failure to properly document, photograph, and store digital evidence during the chain of custody can constitute an improper search (Chen, 2013). The Fourth Amendment “analogizes electronic storage devices to a briefcase or closed container” in order to define the boundaries of search and seizure of data (USOLE, 2009). The management plan for the investigation encompasses the following:

Each item was tagged by the Exhibit Custodian with the date and case number and transported to be forensically analyzed. The computers and thumb drive were photographed, and the connectors for the computers were labeled and photographed. A First Responder Seizure Record Form was completed. All images were compressed and backed up on the forensic image drive, and a copy was also created on a second hard disk. The working copy was then hashed to validate the images collectively.

A tape copy of the forensic server disk was run and attached to the first image disk. All exhibits were resealed and returned to the property storage or a designated fireproof safe. A Faraday bag was used to transport mobile devices to a lab for analysis without turning the device off, which reduces the potential for data loss. Before processing the data, a Case Work Log was established to record the activities during the examination.

Identification of Resources

The team of personnel involved in a cybercrime forensic investigation includes company leadership, the first responder, the digital forensics team, information technology and crime scene technicians, and the local law enforcement and judicial agencies. The team will be coordinated by a forensic leader to secure the crime scene, prepare a risk assessment of the devices (2 computers and a thumb drive), prepare the logs, create the narrative, and resolve conflicts.

Forensic Imaging tools

The tools used in the forensic investigation to search and seize the devices in question (2 computers and a thumb drive) must be acceptable in a court of law. Tool selection will be governed by the type of devices and operating systems used by the suspected parties. There are several other tools for acquiring data, and most of these are software-based and require training to complete the collection phase. The following tools are used in a forensic investigation:

   i)     Drive Duplicator

   ii)    Target HDDs with enough capacity to store data from copies

   iii)   PC Tool Kit

   iv)    Computer or notebook to run forensic imaging software

   v)     Digital camera for image captures

   vi)    ESD mat and strap

   vii)   Write Blocker (Tableau)

   viii)  EnCase software; Windump software is used to retrieve deleted data and the physical location of the user when the data was created.

   ix)    RAID storage for EnCase (InfoSec Institute)

Plan for Conducting Investigation

Planning is critical to a digital forensic investigation, and there should be standard operating procedures (SOPs) to follow for proper documentation and quality control when performing routine operations. Rather than seize an entire computer for offsite analysis, a digital copy of the hard drive may be created that is identical to the original. This duplicate is referred to as an “image copy” that will “duplicate every bit and byte on the target drive including files, the slack space, master file table, and metadata in exactly the order they appear on the original” (Kerr, 2005).

For this case, we use a widely accepted guideline from the Scientific Working Group on Digital Evidence (SWGDE). SWGDE defines examination requirements, process structures, and documentation. There are four steps in conducting the investigation using SWGDE:

Visual Inspection: This inspection allows determination of the type of evidence, its condition, and related relevant information needed to conduct the examination.

Forensic Duplication: This is where a duplicate version of the original evidence is made and used for the forensic examination. It is always recommended to work on a forensic copy rather than the original for examination.

Media Examination: This is the actual usage of the hard drives of the computers and the thumb drive that contain digital data.

Evidence Return: The exhibits that were used for the examination are to be returned to an appropriate and secure location (Infosec Institute, 2019).

The actual process and procedures to collect the evidence in line with the above guidelines are as follows:

  i)     Installation of write-blocking software to prohibit alterations to the data. Create a working copy.

  ii)    Selection of an extraction method that will “most effectively parse the relevant data and view the content” (NFSTC, 2013).

  iii)   Document the devices, documentation and ancillary equipment that were discovered, along with subsequent handling.

  iv)    Submission of original media and devices for the traditional examination (NFSTC, 2013).

  v)     Examine collected data, search for hidden data, and restore hidden or deleted files.
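The hashing of the working copy described under the chain of custody, and the "create a working copy" step in the procedure above, can be checked and recorded programmatically. The following is an added example, not part of the original plan or of any tool it names: it assumes SHA-256 as the hash (the plan does not name one), and the hash-chained Case Work Log layout and all function names are hypothetical.

```python
# Added illustration: SHA-256 and the chained-log layout are assumptions, not from the plan.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used by the first log entry


def sha256_file(path, chunk=1024 * 1024):
    """Stream a file through SHA-256; disk images rarely fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def _entry_hash(entry):
    # Hash every field except the stored hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def log_entry(log, examiner, exhibit, action, detail):
    """Append a Case Work Log entry chained to the previous entry's hash."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "exhibit": exhibit, "action": action, "detail": detail,
             "prev": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_working_copy(log, examiner, exhibit, image_path, copy_path):
    """Hash image and working copy, record both digests, return True on match."""
    image_hash, copy_hash = sha256_file(image_path), sha256_file(copy_path)
    match = image_hash == copy_hash
    log_entry(log, examiner, exhibit, "verify_working_copy",
              {"image_sha256": image_hash, "copy_sha256": copy_hash, "match": match})
    return match


def log_is_intact(log):
    """Recompute each entry hash and check the link to its predecessor."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or _entry_hash(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True
```

A mismatch is logged rather than raised, so the failed verification itself becomes part of the record; editing any earlier entry afterwards makes `log_is_intact` return `False`.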

Conclusion

The search and seizure encompasses a seizure of hardware from a workplace to discover breaches in company terms and conditions for use of the devices and access to the company network. The investigation plan consists of:

• Development of a guide for required personnel, procedures, and technical requirements

• Establish the object of the search

• Communicate strategy for evidence collection and evidence preservation

• Predefine the strategy for data examination and analysis (Abdalla, Hazem & Hashem, 2007)

During the time it takes to create a working copy, typically 1 business day, the documentation is reviewed to establish what is being searched for and the time frame, if any. This helps to limit the scope of the search. Once the working copy is ready, each lab tech will take their respective device to their ESD-shielded workspace to create an EnCase file and begin the search of the data. Search parameters are limited to the target material and time frame. Search patterns and items must be documented. The chain of custody validates the methods of data tracking, recovery, and security within the scope of the law (Norwich University, 2017).

References

 
