Investigation interviews are an important part of digital forensic investigations but require experience to obtain confessions. Before starting interviews, investigators must thoroughly research the facts of the case and background information on interview subjects. During interviews, investigators should carefully question subjects while following proper methodology and recording all discussions to maintain legal defensibility.
2. CONTENT
• Introduction
• Overview of a Computer Crime
• Digital Investigation Triad
• Initiating Computer Crimes Investigations
• Some investigation procedures in a corporate environment:
- Employee termination case: Internet abuse
- Employee termination case: E-mail abuse
- Attorney-Client Privilege (ACP) investigation case
- Media leak investigation case
• Initiating Interviews in Digital Forensics Investigations
• Interview Methodology
• Investigation Interview Recording
• Investigating a Computer Crime Scene: Electronic Devices (Types and Potential Evidence)
• Conducting the Investigation on an Item
• Precautions to Take During Investigation
• The Copying Process
• Finalizing the Investigation Case
• Conclusion
Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
3. INTRODUCTION
• Digital forensics investigation of a computer is a unique process that comes with many
challenges: understanding how computers manipulate bit values (0 and 1), mastering operating systems,
computer hardware, network operation, etc.
• Investigation is the act or process of investigating, or the condition of being investigated.
• Computer investigation is a systematic search for digital evidence, in which data are
collected in the most secure and efficient manner.
• Forensics professionals gather evidence to prove that a suspect committed a crime or
violated a company policy.
• Remember: Digital Forensics is not Data recovery.
• The success of an investigation relies on how well we understand what we are looking
for and how efficient we are in the process of looking for it.
• Investigation of digital devices generally includes:
COLLECTING DATA SECURELY
OBSERVATION AND EXAMINATION OF SUSPECTED DATA
PRESENTATION OF COLLECTED DATA, REPRESENTED AS DIGITAL INFORMATION, TO COURTS
MAKING USE OF LAWS RELATED TO DIGITAL EVIDENCE PRACTICES
• Conducting a computer investigation therefore requires following an accepted procedure.
• A good case rests on the validity of the chain of evidence and the chain of custody.
4. OVERVIEW OF A COMPUTER CRIME
How do we characterize a crime as a “COMPUTER CRIME”?
• A computer is used as an instrument to further illegal ends, such as
committing fraud, trafficking in child pornography and intellectual property,
stealing identities, or violating privacy.
• Four major categories of computer crimes:
Internal computer crimes: trojan horses, logic bombs, trap doors,
worms, and viruses
Telecommunication-related crimes: phreaking and hacking
Computer manipulation crimes that result in embezzlement and fraud:
use of a computer to manipulate financial statements
Traditional thefts of hardware and software
- Up to now: slow implementation and adoption of laws related to computer
crimes by governments.
5. So, the major perpetrators of computer crimes include:
• Hackers.
• Crackers.
• Malicious insiders.
• Industrial spies.
• Cybercriminals.
• Hacktivists.
• Cyber terrorists.
Computer crimes today are so prevalent because:
- The complexity of systems reduces mastery of the computer and network environment
- Poor implementation of security policies
- Rapid technological advancements
- Slow delivery of software and hardware fixes (repairs)
- Better control of physical crime pushes criminals to try other means
OVERVIEW OF A COMPUTER CRIME (Cont…)
6. • Computer crime includes cases in which the computer is the tool, the target, or is
incidental to the offense.
Practical case example
“In a recent case where a computer was used as a tool in the Crime, SEARCH assisted the Long
Beach (California) Police Department with the forensic examination of two seized
microcomputers. The computers were allegedly used by a gang involved in a payroll check
counterfeiting operation that resulted in the loss of millions of dollars to two major banking
institutions. The suspects used computer imaging technology and high-resolution scanners
and printers to replicate payroll checks”. (Kelly, 1995)
• It follows that computers involved in crimes contain information that helps law enforcement determine:
- the chain of events leading to a crime,
- evidence that can lead to a conviction.
Note: Digital evidence can easily be altered by a careless investigator. Be mindful
to respect procedures!
OVERVIEW OF A COMPUTER CRIME ( Cont…)
7. Digital investigation Triad
• Investigators in charge of forensics often work as a team known
as the investigation triad.
Source: Retrieved from https://doi.org/10.1016/j.diin.2015.07.004
8. Digital investigation Triad (Cont…)
Forensics investigations need to be conducted with the CIA principle in mind: the integrity of data must be
preserved, findings must be kept as confidential as possible, and evidence must be available according to how it will be
presented and accepted in court.
The digital forensics triad is made of three main pillars:
Vulnerability/threat assessment and risk management: consists of activities such as testing
and verifying the integrity of stand-alone workstations and network servers
Network intrusion detection and incident response: detects intruder attacks with automated
tools and by monitoring network firewall logs
Digital investigations: properly managed investigation and launching of forensic analysis of any
system suspected to contain potential evidence.
The CIA triad
9. Initiating Computer crimes investigation
What should be the behavior of investigators towards evidence at
the crime scene?
• Handling electronic evidence at the crime scene during investigation consists
of:
◆ Recognition and identification of the evidence.
◆ Documentation of the crime scene.
◆ Collection and preservation of the evidence.
◆ Packaging and transportation of the evidence.
Prior to these steps:
• The necessary legal authority to search for and seize the
suspected evidence must be obtained
• The crime scene must be secured and documented (photographically and/or
by sketch or notes).
• Crime scene protective equipment (gloves, etc.) must be used
Note: Always remember to consult your local prosecutor before
accessing stored data on a device. Because of the fragile nature of
electronic evidence, examination should be done by appropriate
personnel.
10. What are the considerations when planning for an
investigation?
A basic investigation plan therefore consists of:
Acquiring the evidence
Preparing an evidence form and establishing a chain of custody
Transporting the evidence to a computer forensics lab
Placing the evidence in a secure environment (container)
Preparing a forensics workstation
Obtaining the evidence from the secure milieu where it was placed
Making a forensic copy of the evidence
Returning the evidence to the secure milieu
Processing the copied evidence with the use of computer forensics
tools
Initiating Computer crimes investigation(Cont…)
11. Notes:
• The evidence custody form will help in documenting what
has been done with the original evidence and its forensic copies
• The single-evidence form lists each piece of evidence on a
separate page. The multi-evidence form is used otherwise
• Evidence bags should be used to catalogue the evidence.
• Preferably, the products used should be safe (use anti-static bags, etc.)
• Use well-padded containers
• All openings should be sealed with tape (floppy disk, power supply
cord, etc.)
• Write your initials on the tape to prove that the evidence has not been tampered
with
Initiating Computer crimes investigation(Cont…)
12. Presentation of some important investigation forms
Initiating Computer crimes investigation (Cont…)
• Chain of evidence form (form that details all evidence collected, with their specifications)
• Chain of custody form (form that details how the evidence was handled every step of the way)
13. • Multi-evidence form
• Single-evidence form
Initiating Computer crimes investigation (Cont…)
14. Investigating an Employee Termination case
• Most investigations for termination cases involve employee abuse of
corporate assets.
• Also, issues such as harassment or visiting prohibited websites while at
work
• Harassment case: people have to leave their work, resulting in
significant cost on both sides (employee and employer)
Consequences
- loss of productivity
- need to retrain new staff
- wrongful termination lawsuits
- impact on company culture, workplace morale, and brand reputation
So…
There is a need to conduct an investigation on the allegations and report to internal
stakeholders for appropriate action to be taken
15. Investigating Termination based on Internet abuse
• Need:
Access to the organization’s Internet proxy logs
The suspect computer’s IP addresses
The suspect computer’s disk drive
And your most reliable computer forensics tools
Steps to take will therefore involve:
Making use of standard forensic analysis techniques and procedures
Using appropriate tools to extract all web page URL information
(example: the Magnet.AI tool)
Contacting the network administrator and requesting the proxy server log
Comparing the data recovered from forensic analysis to the proxy
server log
And proceeding with the analysis of the computer disk drive data
Investigating an Employee Termination case (Cont…)
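As an added illustration of the proxy-log comparison step above (this code is not part of the original lecture), the following Python parses a constructed Squid-style access log, filters it by the suspect workstation's IP address, and checks each URL carved from the suspect's disk against it. All hostnames, addresses and log lines are constructed samples.

```python
"""Compare URLs recovered from a suspect's disk with the organisation's proxy log.

Added example for the Internet-abuse procedure; all hosts, addresses and
log lines below are constructed and do not describe any real system.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed Squid native access-log sample:
# time elapsed client action/status bytes method URL ident hierarchy type
PROXY_LOG = """\
1583315400.123    250 10.0.0.15 TCP_MISS/200 5120 GET http://news.example/ - HIER_DIRECT/203.0.113.5 text/html
1583315460.551    180 10.0.0.15 TCP_MISS/200 9800 GET http://bets.example/odds - HIER_DIRECT/203.0.113.6 text/html
1583315520.002     90 10.0.0.22 TCP_HIT/200 3100 GET http://news.example/sports - NONE/- text/html
1583315580.777    310 10.0.0.15 TCP_MISS/200 7700 GET http://bets.example/account - HIER_DIRECT/203.0.113.6 text/html
1583315640.310     75 10.0.0.15 TCP_DENIED/403 1200 GET http://bets.example/deposit - HIER_NONE/- text/html
corrupted line that the parser must skip
"""

# Constructed list of URLs carved from the suspect's browser history.
RECOVERED_URLS = [
    "http://bets.example/odds",
    "http://bets.example/deposit",
    "http://shop.example/cart",   # present on disk only (e.g. visited off-network)
]


def parse_proxy_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped, not guessed."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        try:
            ts = datetime.fromtimestamp(float(parts[0]), tz=timezone.utc)
            status = int(parts[3].split("/")[1])
        except (ValueError, IndexError):
            continue
        entries.append({"ts": ts, "client": parts[2], "status": status,
                        "method": parts[5], "url": parts[6]})
    return entries


def correlate(entries, suspect_ip, recovered_urls):
    """Split URLs into three buckets: seen in both sources, on disk only, in the proxy only.

    'corroborated' URLs are backed by two independent sources (disk + proxy);
    'proxy_only' hints at browsing whose local traces were deleted or never stored;
    'history_only' cannot be confirmed from the proxy and needs other evidence.
    """
    proxied = {e["url"] for e in entries if e["client"] == suspect_ip}
    recovered = set(recovered_urls)
    return {
        "corroborated": sorted(proxied & recovered),
        "history_only": sorted(recovered - proxied),
        "proxy_only": sorted(proxied - recovered),
    }


def host_timeline(entries, suspect_ip, host):
    """Chronological (UTC time, HTTP status, URL) rows for one host from the suspect's IP."""
    rows = [e for e in entries
            if e["client"] == suspect_ip and urlsplit(e["url"]).hostname == host]
    rows.sort(key=lambda e: e["ts"])
    return [(e["ts"].strftime("%Y-%m-%d %H:%M:%S"), e["status"], e["url"]) for e in rows]


def policy_denials(entries, suspect_ip):
    """Count requests the proxy refused (HTTP 403): attempts the proxy itself recorded."""
    return sum(1 for e in entries if e["client"] == suspect_ip and e["status"] == 403)


if __name__ == "__main__":
    log = parse_proxy_log(PROXY_LOG)
    print(correlate(log, "10.0.0.15", RECOVERED_URLS))
    for row in host_timeline(log, "10.0.0.15", "bets.example"):
        print(*row)
    print("denied requests:", policy_denials(log, "10.0.0.15"))
```

The three buckets tell the examiner which findings are corroborated by two sources and which still need the disk-drive analysis that follows.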
16. Investigating Termination based on E-mail abuse
Need to:
Acquire an electronic copy of the offending e-mail that contains the message
header data
Also, if possible, acquire the e-mail server log records
- if the e-mail system stores users’ messages on a central server, get access to
that server
Gain access to the computer so you can conduct forensic analysis on it
Then, remember to always go for the most reliable forensic analysis
tools
Steps to take will therefore involve:
Using the standard forensic analysis techniques
Getting an electronic copy of the suspect’s and victim’s e-mail folders or data
For web-based e-mail investigations, using tools such as FTK’s Internet
Keyword Search option to extract all related e-mail address information
Examining the header data of all messages of interest to the investigation
Investigating an Employee Termination case (Cont…)
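The header examination step above, as an added example that is not part of the original lecture: the Python below walks the Received: chain of a constructed message to find the host where it entered the mail system and flags header inconsistencies that an examiner would have to explain. The message, host names and addresses are all constructed.

```python
"""Walk the Received: chain of an e-mail to trace where a message entered the mail system.

Added example for the e-mail-abuse procedure; the message, hosts and
addresses are constructed and do not refer to any real system.
"""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message as it might be exported from a mail server, headers included.
RAW_MESSAGE = """\
Received: from mail.corp.example (mail.corp.example [192.0.2.10])
    by mx.corp.example with ESMTP id abc123;
    Wed, 4 Mar 2020 10:15:03 +0000
Received: from ws-0115.corp.example (ws-0115.corp.example [10.0.0.15])
    by mail.corp.example with ESMTP id xyz789;
    Wed, 4 Mar 2020 10:15:01 +0000
Message-ID: <20200304101500.1234@ws-0115.corp.example>
From: "J. Doe" <jdoe@corp.example>
Return-Path: <jdoe@corp.example>
To: victim@corp.example
Date: Wed, 4 Mar 2020 10:15:00 +0000
Subject: constructed sample message

Body text is irrelevant here; the evidence is in the headers.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?by\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg):
    """Return hops oldest-first (each MTA prepends its Received: line, so file order is newest-first)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue                      # unparseable hop: do not guess its contents
        ip = IP_RE.search(value)
        date = value.rsplit(";", 1)[-1].strip() if ";" in value else ""
        hops.append({"from": m.group(1), "by": m.group(2),
                     "ip": ip.group(1) if ip else None,
                     "time": parsedate_to_datetime(date) if date else None})
    hops.reverse()
    return hops


def header_summary(msg):
    """Identifiers an examiner records for each message of interest."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    chain = received_chain(msg)
    return {"message_id": msg.get("Message-ID", "").strip(),
            "from": from_addr, "return_path": return_path,
            "date": parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None,
            "origin_host": chain[0]["from"] if chain else None}


def anomalies(msg):
    """Flag header inconsistencies that need explaining before the message is relied on."""
    issues = []
    chain = received_chain(msg)
    for earlier, later in zip(chain, chain[1:]):
        if earlier["time"] and later["time"] and later["time"] < earlier["time"]:
            issues.append("hop timestamps go backwards between %s and %s"
                          % (earlier["by"], later["by"]))
    summary = header_summary(msg)
    if summary["from"] and summary["return_path"] and summary["from"] != summary["return_path"]:
        issues.append("From and Return-Path differ")
    from_domain = summary["from"].rsplit("@", 1)[-1]
    if chain and not chain[0]["from"].endswith(from_domain):
        issues.append("first hop %s is outside the From domain %s"
                      % (chain[0]["from"], from_domain))
    return issues


def analyse(raw):
    """Parse a raw RFC 822 message and return summary, hop chain and anomalies together."""
    msg = email.message_from_string(raw)
    return {"summary": header_summary(msg), "chain": received_chain(msg),
            "anomalies": anomalies(msg)}


if __name__ == "__main__":
    result = analyse(RAW_MESSAGE)
    print(result["summary"])
    for hop in result["chain"]:
        print(hop)
    print("anomalies:", result["anomalies"])
```

The origin host and IP found in the oldest hop are what you later match against the workstation whose disk you acquire.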
17. Attorney-Client Privilege (ACP) Investigation
For investigations related to ACP, one important factor:
You must keep all findings confidential
Also:
Many attorneys like to have printouts of the data you have recovered, so there is a need to persuade
and educate them on how digital evidence can be viewed electronically
Remember: you may face difficulties if you find data in the form of binary files
The steps involved in conducting an ACP investigation are:
Requesting a memorandum from the attorney directing you to start the investigation
Requesting a list of keywords of interest to the investigation
Initiating the investigation and analysis
If there is a need to examine a disk, making two bit-stream images using different tools
Comparing hash signatures of all files on the original and re-created disks
Doing a methodical examination of every portion of the disk drive and extracting all data
Running keyword searches on both allocated and unallocated disk space
Analyzing and extracting data from the registry using tools such as Registry Viewer 2.0 (AccessData
Registry Viewer)
18. Identifying the correct software product for binary data files such as CAD
drawings
It is advisable to use a tool that removes or replaces non-printable data
for unallocated data recovery (e.g. the Linux-based SIFT toolkit)
Consolidating all recovered data from the evidence bit-stream image
into folders and subfolders
Besides:
- As far as possible, minimize written communications with the
attorney!
Note: Any document to the attention of the attorney must contain a
header stating “Privileged Legal Communication-Confidential
Work Product”. Always keep an open line of verbal communication.
- Encryption should be used if you need to communicate via e-mail
Attorney-Client Privilege (ACP) Investigation(Cont…)
19. It is important to know that controlling sensitive data can be difficult. So:
• Consider for this case to:
Examine e-mail
Examine Internet message boards
Examine proxy server logs
Examine known suspects’ workstations
Examine all company telephone records, looking for calls to the media
Steps to take for media leaks involve:
Interviewing management privately to get a list of employees who have direct
knowledge of the sensitive data
Identifying the media source that published the information
Reviewing company phone records
Obtaining a list of keywords related to the media leak
Performing keyword searches on proxy and e-mail servers
Conducting a Media Leak Investigation
20. Discreetly conducting forensic disk acquisitions and analysis
From the forensic disk examinations:
- Analyze all e-mail correspondence and trace any sensitive
messages to other people
- Expand the discreet forensic disk acquisition and analysis
- Consolidate and review your findings periodically
- Routinely report findings to management
Conducting a Media Leak Investigation (Cont…)
21. All suspected industrial espionage cases should be treated
as criminal investigations
A dedicated staff needs to be constituted, made up of:
Computing investigator: responsible for disk forensic
examinations
Technology specialist: knowledgeable about the suspected
compromised technical data
Network specialist: performs log analysis and sets up network
sniffers
Threat assessment specialist (typically an attorney)
Conducting an Industrial espionage investigation
22. To conduct an investigation on this type of case:
• Find out whether this investigation involves a possible industrial
espionage incident
• Ensure to consult with corporate attorneys and upper
management
• Determine what information is needed to substantiate the
allegation
• Generate a list of keywords for disk forensics and sniffer
monitoring
• List and collect resources for the investigation
Conducting an Industrial espionage investigation(Cont…)
23. Planning considerations
• Determine the goal and scope of the investigation
• Initiate the investigation after approval from
management
• Examine all e-mail of suspected employees
• Search Internet newsgroups or message boards
• Initiate physical surveillance
• Examine facility physical access logs for sensitive
areas
Conducting an Industrial espionage investigation(Cont…)
24. After implementing the above guidelines, you need to plan your
investigation
• Determine the suspect’s location in relation to the vulnerable asset
• Study the suspect’s work habits
• Collect all incoming and outgoing phone logs
Steps
• Gather all personnel assigned to the investigation and brief them on the plan
• Gather resources to conduct the investigation
• Place surveillance systems
• Discreetly gather any additional evidence
• Collect all log data from networks and e-mail servers
• Report regularly to management and corporate attorneys
• Review the investigation’s scope with management and corporate attorneys
Conducting an Industrial espionage investigation(Cont…)
25. • Investigation interviews require experience.
• Why?
• Obtaining a confession from a suspect is not an easy task!
• Interviews are done to collect information from a witness or suspect about specific
facts related to an investigation.
• A digital forensic investigator will be interested in gathering information and
conducting interviews regarding computer crime, child pornography, fraud,
hacking, and other digital crimes.
• Before starting the interview process:
- Investigators must know the potential facts of the case and background
information on the victim or perpetrator to be interviewed
- Know the victims’ or perpetrators’ personal information, prior criminal
sentences, and professional status
- The purpose here is to develop a methodology to create a standardized interview
method and to try to build relationships and connections with the interviewee.
Note: There is no standard interview method. It all depends on the type of
crime to investigate (fraud, hacking…)
Initiating Interviews in Digital Forensics investigations
26. • Therefore, different interview techniques exist, but interviews usually should try to answer
simple questions such as: who, when, where, what, how, and why.
• Remember: The initial interview is typically the best chance to collect basic
evidence. Also, interviewers must be patient and persistent throughout the interview
process.
• While deciding which technique to use for the computer-related crime:
evaluate the computer skills of the suspect, to avoid being confused by perpetrators
or victims who could possibly have greater computer knowledge
the computer knowledge of perpetrators should be evaluated based on other evidence
gather as many details as possible regarding the hardware and software that the
perpetrator was using.
Also gather details concerning the victim (especially if it involves a child)
Besides, gather information such as: the perpetrator’s user name, online profile, ISP,
e-mail account information, and time of connectivity online.
Initiating Interviews in Digital Forensics investigations (Cont…)
27. • The interview process can effectively start once the information necessary for the
interview is gathered.
But, before you start, make ready:
- Privacy Act Statement
- List of official papers from the interviewee
- Checklist with information gathered prior to the interview
- List of questions
- Copies of all official papers planned to be shown to the perpetrator or victim
- The method used to record the interview
Be mindful that:
- The interview should be conducted in a peaceful and comfortable setting
- Use personal names to relax the tension and start building a good “rapport” with the interviewee. A
good relationship from the start helps achieve GOOD RESULTS
- Don’t use a heavy-handed approach that enforces your authority (NO NEED!)
- For a child case, make sure to prepare the child emotionally ahead of the interview
- Be a good listener and observer
- DO NOT COMPLETE the interviewee’s sentences. If you don’t get it, reformulate until both of you are on the same page
- Adopt an open-ended approach before the YES/NO format
Interview Methodology
28. The following steps should be taken to conduct investigation interviews:
1. Welcome the victim in a pleasant way
2. Be comfortable and friendly to calm the victim (in the case of a child victim, the interviewer must be
extremely cautious not to disturb the child)
3. Introduce yourself
4. Explain to the victim the reason for the visit
5. Clarify the significance and importance of the victim’s testimony to the case
6. Check the victim’s name, current address, phone numbers, and occupation
7. Ask the victim to tell the story as a narrative
8. Do not interrupt; listen, and take brief notes very cautiously on what the victim says
9. Observe the victim’s behavior and body movements
10. Try to be empathetic to motivate the victim
11. Ask additional questions relevant to the case when the victim finishes the narrative, starting with
general questions and moving toward more specific questions
12. If child exploitation is involved, ask specific questions about the location of the crime, methods, and
any existing computers and other devices
13. Compare the victim’s statement with other statements, if they exist
14. Review contradictions and, if the victim is cooperative, present them to the victim
Interview Methodology (Cont…)
29. Interview Process for the case of a Child abuse for computer related crimes – Source: (Edita Bajramović, 2014)
Interview Methodology (Cont…)
30. Investigation Interview Recording
• A very important element of digital forensic investigations
• NEEDS to be accurate
• An interview record can create the foundation for investigative case management
conclusions.
• The interview record can be used as evidence in some jurisdictions
• To determine which recording technique to use, think about:
- Cost
- Logistics
- The possible effect on those interviewed
- Any lawful requirements affecting the interview’s acceptability
Interview recording techniques for computer related crimes – Source: (Edita Bajramović, 2014)
31. INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence)
• Electronic evidence can be found in many of the new types of
electronic devices available today.
• There is a wide variety of types of electronic devices commonly
encountered at crime scenes.
Remember: Many electronic devices contain memory that
requires continuous power (battery or AC power) to maintain the information.
Data can easily be lost by unplugging the power source
or allowing the battery to discharge.
Note: After determining the mode of collection, collect and
store the power supply adaptor or cable, if present, with the
recovered device
32. INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence) (Cont…)
Computer crime scene – Source: (CHFI, 2010)
33. Investigating Computer Systems
• Consist of a main base unit (CPU), data storage devices, a monitor, a keyboard, and a mouse.
• May be standalone or connected to a network (laptops, desktops, tower systems, modular rack-
mounted systems, microcomputers, minicomputers, supercomputers and mainframe computers).
• Additional components include modems, printers, scanners, docking stations, and external
data storage devices
Primary use: computation and information storage
Potential evidence: commonly found in files that are stored on hard
drives and storage devices and media.
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence) (Cont…)
34. Investigating Computer Systems
• Example: User-Created Files
Can contain important evidence of criminal activity such as:
- Address books and database files (may prove
criminal association)
- Still or moving pictures (may be evidence of pedophile activity)
- Communications between criminals (e-mail or letters)
- Drug deal lists, which may often be found in spreadsheets
The investigator should look at:
◆ Address books.
◆ Audio/video files.
◆ Calendars.
◆ Database files.
◆ Documents or text files.
◆ E-mail files.
◆ Image/graphics files.
◆ Internet bookmarks/favorites.
◆ Spreadsheet files.
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence) (Cont…)
35. Investigating Computer Systems
Example: User-Protected Files
• Users can hide evidence in a variety of forms
• They may encrypt or password-protect data that are important to them.
• They may also hide files on a hard disk or within other files, or deliberately hide incriminating evidence files under
an innocuous name
The investigator should also focus on:
◆ Compressed files.
◆ Encrypted files.
◆ Hidden files.
◆ Misnamed files.
◆ Password-protected files.
◆ Steganography.
Remember that:
- Passwords, Internet activity, and temporary backup files are examples of data that can often be recovered and
examined
- Evidence can also be found in files and other data areas created as a routine function of the computer’s
operating system
- In most cases, the user is not aware that data are being written to these areas.
- There are components of files that may have evidentiary value, including the date and time of creation, modification,
deletion, and access, the user name or identification, and file attributes.
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence) (Cont…)
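One of the checks the slide above calls for, misnamed files, as an added example that is not part of the original lecture: the Python below compares each file's leading bytes ("magic number") with what its extension claims and flags the disagreements. The signature table is a deliberately small subset, and the sample files are constructed in a temporary directory.

```python
"""Spot files whose extension disagrees with their content (misnamed files).

Added example for the user-protected-files slide; the signature table is a
small subset and the sample files are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile

# Leading-byte signatures ("magic numbers") for a few common types; intentionally short.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),      # also the container format of docx/xlsx/pptx
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]
# What each extension should look like; extensions absent here are assumed to be plain text.
EXPECTED = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".pdf": "pdf",
            ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".gif": "gif"}


def detect_type(head):
    """Classify a file by its first bytes; 'unknown' means no signature matched."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def examine(path):
    """Compare the detected type with what the extension claims and hash the file for the record."""
    with open(path, "rb") as f:
        head = f.read(16)
    ext = os.path.splitext(path)[1].lower()
    detected = detect_type(head)
    expected = EXPECTED.get(ext)
    if expected is None:
        mismatch = detected != "unknown"   # a binary signature behind a text-looking name
    else:
        mismatch = detected != expected
    return {"name": os.path.basename(path), "ext": ext, "detected": detected,
            "expected": expected or "text", "mismatch": mismatch, "sha256": sha256_of(path)}


def scan(directory):
    """Examine every regular file below directory, in a stable order."""
    results = []
    for root, _, files in os.walk(directory):
        for name in sorted(files):
            results.append(examine(os.path.join(root, name)))
    return results


def build_sample(directory):
    """Write constructed sample files; two of them deliberately carry the wrong extension."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,    # genuine JPEG header
        "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 32,    # JPEG misnamed as text
        "report.docx": b"%PDF-1.4\n" + b"\x00" * 32,        # PDF misnamed as docx
        "archive.zip": b"PK\x03\x04" + b"\x00" * 32,        # genuine ZIP
        "readme.md": b"# plain text\n",
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
    return sorted(samples)


def demo():
    """Build the sample set in a temp dir, scan it, and return the misnamed file names."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        return [r["name"] for r in scan(d) if r["mismatch"]]


if __name__ == "__main__":
    print("misnamed:", demo())
```

Run the same scan over a mounted forensic image (never the original) to produce the list of files that need a closer look.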
36. Investigating Computer Systems
Example: Computer-Created Files and Other Data Areas
Evidence can also be found in files created by the computer itself and in other areas
Investigators should check:
◆ Backup files.
◆ Configuration files.
◆ Cookies.
◆ Hidden files.
◆ History files.
◆ Log files.
◆ Printer spool files.
◆ Swap files.
◆ System files.
◆ Temporary files.
And
◆ Bad clusters.
◆ Computer date, time, and password.
◆ Deleted files.
◆ Free space.
◆ Hidden partitions.
◆ Lost clusters.
◆ Metadata.
◆ Other partitions.
◆ Reserved areas.
◆ Slack space.
◆ Software registration information.
◆ System areas.
◆ Unallocated space.
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence) (Cont…)
37. • Read Chapter 1 of the book:
Computer Hacking Forensics Investigators (CHFI),
Computer Forensics, Investigating Hard Disks, File and
Operating Systems, EC-Council, 2010. PDF format
• Evaluate other computer system components and network
entities that can be submitted to the investigation process.
• Take note of potential sources of evidence during the investigation.
• Generate a table that describes each component with the possible
evidence that can be found.
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence) (Cont…)
38. • Gather the resources identified in the investigation plan.
Items needed, that is:
–>Original storage media
–>Evidence custody form
–>Evidence container for the storage media
–>Bit-stream imaging tool
–>Forensic workstation to copy and examine your evidence
–>Securable evidence locker, cabinet, or safe
Conducting the investigation generally on an item
39. During the gathering of the evidence, there are steps you may
take to avoid damaging the evidence:
–>Meet the IT manager to interview him
–>Fill out the evidence form and have the IT manager sign it
–>Place the evidence in a secure container
–>Complete the evidence custody form
–>Carry the evidence to the computer forensics lab
–>Create forensic copies (if possible)
–>Secure the evidence by locking the container
–>Process the copied evidence with computer forensics tools
Precautions to take during the investigation to avoid
destroying evidence
40. One important task during the investigation: the
copying process
One important rule of computer forensics investigation is to
preserve the original evidence!
Remember: Conduct your analysis only on a copy of the
data!
DO bit-stream copies
A bit-stream copy performs a bit-by-bit copy of the original storage medium
The copy obtained is an exact copy of the original disk
Copy the image file to a target disk that matches the original disk’s manufacturer,
size and model
This is different from a simple backup copy:
Backup software only copies known files
and backup software cannot copy deleted files or e-mail messages, or
recover file fragments
Tools: ProDiscover Basic, FTK Imager, Linux dd command
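The copying process described on this slide, together with the ACP step "make two bit-stream images and compare hash signatures", as an added example that is not part of the original lecture: plain Python file I/O stands in for dd or FTK Imager so the principle is visible, the "device" is a constructed file with a deleted-file remnant in its unallocated area, and each action is written to a custody record with the item's hash. Evidence id, examiner name and file names are placeholders.

```python
"""Bit-stream imaging with hash verification and a chain-of-custody record.

Added example for the copying-process slide and the ACP step "make two
bit-stream images and compare hash signatures". Plain Python file I/O stands
in for dd/FTK Imager to show the principle; the "device" is a constructed file.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096   # copy unit, like dd's bs=


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_image(source, dest):
    """Copy every byte of source to dest, block by block, unallocated areas included."""
    copied = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
            copied += len(chunk)
    return copied


def verify_image(source, image):
    """An image is only usable when both its size and its hash equal the original's."""
    src_hash, img_hash = sha256_of(source), sha256_of(image)
    return {"source_sha256": src_hash, "image_sha256": img_hash,
            "size_match": os.path.getsize(source) == os.path.getsize(image),
            "hash_match": src_hash == img_hash}


def custody_entry(evidence_id, action, path, examiner, note=""):
    """One line of the evidence custody form: who did what to which item, when, and its hash."""
    return {"evidence_id": evidence_id, "action": action, "examiner": examiner,
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "size": os.path.getsize(path), "sha256": sha256_of(path), "note": note}


def build_device(path):
    """Constructed 'disk': a live file, zeroed free space, and a remnant of a deleted file."""
    live = b"FILE:quarterly_report.xlsx" + b"\x00" * (BLOCK - 26)
    free = b"\x00" * BLOCK
    remnant = b"DELETED:payroll_template.png" + b"\x00" * 100   # partial last block
    with open(path, "wb") as f:
        f.write(live + free + remnant)
    return os.path.getsize(path)


def demo(examiner="examiner-01"):
    """Image the constructed device twice, verify both, then show that tampering is caught."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "device.raw")
        size = build_device(device)
        log = [custody_entry("E-001", "received", device, examiner)]   # placeholder id
        images_ok = []
        for n in (1, 2):                       # two images, as the ACP procedure asks
            img = os.path.join(d, "image%d.dd" % n)
            bitstream_image(device, img)
            images_ok.append(verify_image(device, img)["hash_match"])
            log.append(custody_entry("E-001", "imaged", img, examiner, "image %d" % n))
        with open(os.path.join(d, "image1.dd"), "rb") as f:
            remnant_in_image = b"DELETED:payroll_template.png" in f.read()
        with open(os.path.join(d, "image2.dd"), "ab") as f:   # simulate a tampered copy
            f.write(b"X")
        tampered = verify_image(device, os.path.join(d, "image2.dd"))
        return {"device_size": size, "images_verified": all(images_ok),
                "remnant_in_image": remnant_in_image,
                "tamper_detected": not tampered["hash_match"] and not tampered["size_match"],
                "custody_log": log}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The remnant string being present in the image is exactly what a file-level backup would have missed, and the mismatching hash after the appended byte is why the hash goes on the custody form.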
41. At the end of your investigation, you need to produce a
final report.
Here, you must:
State what you did and what you found
Include the report generated by your forensic tool to document your
work
Repeatable findings: repeat the steps and produce the same result, using different
tools
If required, use a report template
The report should show conclusive evidence: did the suspect
commit the crime or not, or violate a company policy?
-> Your opinion
Finalizing the Investigation Case
42. • At the end of your investigation, you need to critique the Case.
Ask yourself the following questions:
How could you improve your performance in the case?
Did you expect the results you found?
Did the case develop in ways you did not expect?
Was the documentation as thorough as it could have been?
What feedback has been received from the requesting source?
Did you discover any new problems? If so, what are they?
Did you use new techniques during the case or during research?
Finalizing the Investigation Case
43. • Digital forensics investigation of a computer is a unique process
that comes with many challenges.
• The success of an investigation relies on how well we
understand what we are looking for and how efficient we are in
the process of looking for it.
• Conducting a computer investigation therefore requires following
an acceptable procedure
• From the acquisition of evidence to the processing of the copied evidence
with the use of computer forensics tools, computer forensics investigation
contributes to fighting the growth of digital crimes.
• Remember: any digital device can be a source of evidence. Only perspicacity
in conducting the forensics investigation process can ensure good results.
• It therefore depends on how well you are equipped and on the various
forensics tools used in your forensics laboratory.
CONCLUSION
44. GROUP WORK ASSIGNMENTS
PRESENTATION
In order to familiarize yourselves with various forensics tools:
1. Download Forensic Toolkit (FTK) following this URL:
https://accessdata.com/product-download/forensic-toolkit-ftk-version-6-0
2. The downloaded file will be an .iso file. Use the appropriate software to
load it in your OS (Nero, ISO opener, PowerISO, etc.).
3. Constitute a group of 6 students and specify your group leader
4. Install this tool on an updated laptop with acceptable specifications (dual
core, 2GB RAM, <10GB HDD free space, Windows 10/Linux)
5. Prepare a PowerPoint presentation of this application
6. Demonstrate 2 features expressing forensics investigation
Duration: 1h30 min
Note: This class session will be ONSITE. Date: to be discussed in class…
45. PRESENTATION
• Download the PDF file “Digital Evidence and the US Criminal
Justice System” here:
https://www.rand.org/pubs/research_reports/RR890.html
• Form a group of 3 students
• Prepare a PowerPoint presentation of the content of this file
• Emphasize the case studies elaborated to make your point
• Do a class presentation of your findings and conclusion
• Conclude your presentation using a practical forensics tool that
demonstrates how evidence can be managed during a forensics
investigation.
• Duration: 1h30 min
GROUP WORK ASSIGNMENTs
46. REFERENCES
1- Godwin Emmanuel Oyedokun, Understanding Forensic Investigation
Process (UFIP), lecture delivered at the Fraud Examination and Forensic
Investigation Workshop, 2016.
Retrieved from https://slideplayer.com/slide/7914121/
2- Computer Hacking Forensics Investigators (CHFI), Computer Forensics,
Investigating Hard Disks, File and Operating Systems, EC-Council, 2010
3- Computer Hacking Forensics Investigators (CHFI), Computer Forensics,
Investigating Network and Cyber Crimes, EC-Council, 2010
4- Cardinali, Richard. Anatomy of a bug: understanding the computer
virus. Computer Education, no. 74, June 1993:
QA76.27.C65 and Pamphlet box <SciRR>
5- Hartson, H. Rex. Computer security. In McGraw-Hill Encyclopedia of Science and
Technology. v. 4. 6th ed. New York, McGraw-Hill Book Co., c1987. p. 274-276.
47. REFERENCES (Cont…)
6- Parker, Donn B. Crime. In Encyclopedia of Computer Science and Technology. v.
New York, Marcel Dekker, Inc., c1977. p. 383-403.
7- John Ashcroft, U.S. Department of Justice, Electronic Crime Scene
Investigation: A Guide for First Responders, 2001. Retrieved from
http://www.ojp.usdoj.gov
8- John Ashcroft, U.S. Department of Justice, Electronic Crime Scene
Investigation: A Guide for First Responders, 2001. Retrieved from
http://www.ojp.usdoj.gov
9- Edita Bajramović, Interview Methodology in Digital Forensics Investigations,
American University in Bosnia, Stručni rad UDC 343.9. Retrieved from: Conducting
Effective Interviews, AICPA, n.d.,
http://www.aicpa.org/interestareas/forensicandvaluation/resources/practaidsguidance/downloadabledocuments/10834-378_interview%20whiite%20paper-final-v1.pdf
and http://media3.novi.economicsandlaw.org/2017/07/Vol11/Bajramovic-11-IJEAL.pdf