Investigation Project Plan

Veena Patel
University of Maryland University College
Professor Michael Johnson

Table of Contents

Abstract
Introduction
Conducting Interview Questions
Police Report
Chain of Custody
Search Warrants and Affidavit


Subpoena
Key Activities
Resource List
Forensic Readiness
People
Tools, toolkits, imaging programs
Timeline
Budget
Evidence Acquisition
Investigation Management Plan
Contact List
Keywords
Events
Investigation Timeline and Cost

Abstract

Computer forensics is a fast-growing field that involves carefully collecting, identifying and analyzing evidence that not only measures the damage to a computer as a result of an electronic attack but also recovers lost information from such a system to prosecute a criminal.

With computers getting more powerful, the field of computer forensics must always progress. In the early days of computers, it was possible for a single detective to sort through files because storage capacity was so low. Today, that would be an overwhelming task with hard drives capable of holding gigabytes and even terabytes of data. Therefore, it is vital to incorporate an investigation plan which will include legal documentation, preservation, collection, examination, analysis, and reporting of the evidence found.

Introduction

This investigation plan covers how to properly conduct a computer forensics investigation. Before an investigation can begin, legal documents should be acquired; thereafter, conducting interview questions would be the next recommended step.

Conducting interview questions is crucial because it helps determine what is needed in the case and whether there is enough information to pursue the investigation. The questions should ask the who, what, when, where, why and how of the investigation.

Conducting Interview Questions

Conducting interview questions asking who, what, when, where, why and how will set the foundation for the investigation; it will also determine whether enough information was collected to proceed to the next step of the investigation.

Below are the questions that were asked during the meeting. The form records the date, time, case number, and the name, title and role in the investigation of the person interviewed, with an Answers column beside each question.

Investigation Questions / Answers
· What organization started the investigation?
· Who is involved in the investigation?
· Who is the lead investigator?
· Who will be assisting with the digital forensics investigation?
· What was the crime committed?
· When did the crime occur?
· Please give a detailed summary of the incident.
· How many people are involved in the crime?
· Names of people that are connected to the crime?
· Are any involved under the age of 18?
· Have suspects been located or are they still wanted?
· Are the charges being filed with a county or federal court?
· Does the District Attorney have guidelines on filing the case in court?
· Are there any legal restrictions?
· Where is the crime scene location? Are there other locations of the crime scene?
· Is there a related crime and investigation?
· What evidence was retrieved?
· Was a search warrant present?
· What does the search warrant include? To collect what specifically?
· What physical evidence was collected?
· What type of evidence is being looked at? (Pictures, videos, etc.)
· Have all legal documents and procedures been submitted?

Police Report

Police reports state the findings of incidents. Below is the document that will need to be kept on record. The police report is an example that can be used to document evidence as soon as a crime has been discovered ("Sample Police Report").

For example:

Figure 1, Example of Police Report

Chain of Custody

A chain of custody keeps a record of sequential documentation showing the seizure, custody, analysis, control, transfer, and disposition of evidence, physical or electronic. Because this evidence could be used in court to convict persons of crimes, it must be handled in a careful manner to avoid later allegations of tampering or misconduct. A typical chain of custody document may include:
· Date and time of collection
· Location of collection
· Name of investigator(s)
· Name or owner of the media or computer
· Reason for collection
· Matter name or case number
· Type of media
· Serial number of media if available
· Make and model of hard drive or other media
· Storage capacity of device or hard drive
· Method of capture (tools used)
· Physical description of computer and whether it was on or off
· Name of the image file or resulting files that were collected
· Hash value(s) of source hard drive or files
· Hash value(s) of resulting image files for verification
· Any comments or issues encountered
· Signature(s) of persons giving and taking possession of evidence
("How to Document Your Chain of Custody and Why It's Important.")

Figure 2, Example of Chain of Custody

Search Warrants and Affidavit

An affidavit and application for a warrant to search a computer are in most respects the same as any other search warrant affidavit and application: the affiant swears to facts that establish that there is probable cause to believe that evidence of crime (such as records), contraband, fruits of crime, or instrumentalities of crime is present in a private space (such as a computer's hard drive, or other media, which in turn may be in another private space, such as a home or office), and the warrant describes with particularity the things (records and other data, or perhaps the computer itself) to be searched and seized. The process of drafting an affidavit and application, then, falls into two general steps: establishing probable cause to search the computer, and describing with particularity the data to be taken from the computer or the computer hardware itself (Pollitt, M., Noblett, M., Strang, R., Kerr, O., & Presley, L., 2002).

Figure 3, Example of United States District Court Search and Seizure Warrant

Subpoenas

A subpoena to the ISP (Internet Service Provider) could be drafted to get records of the alleged internet activity. Below is an example of a subpoena.

Key Activities

· Collection – search and seizure of digital evidence, and acquisition of data
· Examination – applying techniques to identify and extract data
· Analysis – using data and resources to prove a case
· Reporting – presenting the information gathered (e.g., written case report)

Resource List

Forensic Readiness

Forensic readiness means that all incident response procedures are ready to go, with designated trained personnel to handle the investigation. It includes the collection and preservation of the digital evidence in a quick, well-organized manner with minimal investigation costs. Readiness consists of people, tools, and technology.

People

The number of people involved in the digital forensic investigation, and what needs to be examined, is going to depend on the number of people involved in the case. A small investigation could probably be conducted by two investigators. If there is only one computer and a thumb drive to be investigated, it would only need one or two investigators to work on the case. People included in the investigation would include district attorneys, investigators, agency managers, police officers and others that are involved in the case.

Tools, toolkits, imaging programs

Comprehensive forensic software tools (such as EnCase Forensic Edition, X-Ways Forensics, Paraben, Forensic Toolkit (FTK), Linux dd, etc.) will be used for the investigation to provide collection, indexing, and detailed analysis.

The forensic investigation consists of gathering computer forensic information; the process can begin by analyzing network traffic with a packet analyzer or sniffer tool like Wireshark, which is capable of intercepting traffic and logging it for further analysis. NetworkMiner, another Network Forensic Analysis Tool (NFAT), is an alternative to Wireshark for extracting or recovering files. Snort, by contrast, is a valuable tool for tracking down network intruders in real time. NFAT software also contains forensic capabilities, performing analysis on stored network traffic, as its name suggests. As for incident response and identification, Forensic Toolkit (FTK) can be used to identify deleted files and recover them, whereas EnCase is apt for forensic, cyber-security and e-discovery use ("Computer Crime Investigation Using Forensic Tools and Technology.").

The following are the computer forensic tools used for data collection:

Guidance Software's EnCase (www.guidancesoftware.com): EnCase is a forensic data and analysis program for various operating systems that is used to perform computer-related investigations. EnCase can quickly find files that have been misplaced or deleted. It also allows an investigator to understand and define the information present in a system.

AccessData's Forensic Toolkit (www.accessdata.com): AccessData's Forensic Toolkit, referred to by forensic analysts simply as FTK, contains a full suite of password recovery tools, drive and media wipers, a registry viewer, and other useful products. The password recovery tools also unlock locked files. Most people often reuse passwords, which helps hackers gain access to systems. The software also enables access to password management, which manages and analyzes multiple files. Forensic Toolkit also enables the recovery of multilingual passwords, thus enabling the investigator to bypass security against the unauthorized access of these files.

In addition to the toolkit and imaging programs, some of the other tools that are needed are as follows: screwdrivers, sockets, hex keys, grounding devices, suction cups, a flashlight, tape, zip ties, string, scissors, pliers, wire cutters, razor blades, labels, a camera, blanket, Faraday bag, storage bags/cases, magnifying glass, extension cord, various cables and connectors, pencil, paper/log book, permanent marker, air sickness bags, latex gloves, and a black light (Gogolin, G., 2013).

Timeline

After the evidence acquisition step, the investigation and analysis of the case will begin in the forensics lab. First, a timeline analysis will be created.

This is a crucial step and very useful because it includes information such as when files were modified, accessed, changed and created, in a human-readable format, known as MAC time evidence. The data is gathered using a variety of tools and is extracted from the metadata layer of the file system (inodes on Linux or MFT records on Windows) and then examined and sorted in order to be analyzed. Timelines of memory artifacts can also be very useful in reconstructing what happened.
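The MAC timeline described above, as an added example that is not part of the plan or of any tool it names: constructed inode/MFT-style metadata records are exploded into one event per timestamp, events sharing a path and time are merged into mactime-style m/a/c/b flags, and the result is sorted and rendered in a human-readable form. The file paths and epoch timestamps are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed metadata records standing in for the m/a/c/b timestamps a tool
# pulls from inodes (Linux) or MFT records (Windows). Values are epoch seconds, UTC.
SAMPLE_METADATA = [
    {"path": "/home/user/Downloads/archive.zip",
     "m": 1515510000, "a": 1515512400, "c": 1515510000, "b": 1515506400},
    {"path": "/home/user/.bash_history",
     "m": 1515513000, "a": 1515513000, "c": 1515513000, "b": 1515420000},
    {"path": "/media/usb/notes.txt",
     "m": 1515513600, "a": 1515513600, "c": 1515513600, "b": 1515513600},
]

FLAG_ORDER = "macb"  # modified, accessed, changed (metadata), born (created)


def build_timeline(records):
    """Explode each record into per-timestamp events and merge events that
    share a path and timestamp into a single 'macb' flag string, as mactime does.
    Returns a list of (epoch, flags, path) sorted by time."""
    merged = {}
    for rec in records:
        for flag in FLAG_ORDER:
            key = (rec[flag], rec["path"])
            merged.setdefault(key, set()).add(flag)
    timeline = []
    for (ts, path), flags in sorted(merged.items()):
        flag_str = "".join(f if f in flags else "." for f in FLAG_ORDER)
        timeline.append((ts, flag_str, path))
    return timeline


def render(timeline):
    """Human-readable lines: 'YYYY-MM-DD HH:MM:SS UTC  macb  path'."""
    lines = []
    for ts, flags, path in timeline:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} UTC  {flags}  {path}")
    return lines


def events_between(timeline, start, end):
    """Narrow the timeline to a window of interest, e.g. the hours around the incident."""
    return [e for e in timeline if start <= e[0] <= end]


if __name__ == "__main__":
    for line in render(build_timeline(SAMPLE_METADATA)):
        print(line)
```

A file whose m, c and b times coincide (the notes.txt record) shows as "macb", which is the pattern of a file written once and never touched again; an "m.c." without "b" points at an existing file being modified.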

The end goal is to generate a snapshot of the activity done on the system, including its date, the artifact involved, the action and the source. The creation is an easy process, but the interpretation is hard. During the interpretation it helps to be meticulous and patient, and it is easier if you have comprehensive knowledge of file system and operating system artifacts. To accomplish this step, several commercial or open source tools exist, such as the SIFT Workstation, which is freely available and frequently updated.

Budget

The budget will depend on several aspects that are included in the investigation plan below with details.

Evidence Acquisition

The acquisition process includes making copies of the digital evidence. It is a best practice that an investigator works on a copy of electronic evidence so that accessing or reading the files will not accidentally modify or damage the original evidence.
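As an added example (not part of the original plan), the following Python script ties the working-copy practice described here to the chain of custody fields listed earlier: it images a constructed stand-in for the seized media, records the hash of the source and of the resulting image, and re-verifies the image at each hand-off so that a mismatch is captured as an issue in the record. The media bytes are constructed, the dd/E01 reference is an assumed acquisition method, and the case number and investigator names are the plan's own.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for the contents of the seized thumb drive; a real
# acquisition would read the device through a write blocker.
SOURCE_MEDIA = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 500 + b"evidence.jpg\x00" * 40


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> bytes:
    """Bit-for-bit copy; stands in for the dd / E01 acquisition step (assumed)."""
    return bytes(source)


def build_custody_record(source: bytes, image: bytes, **fields) -> dict:
    """Assemble the chain of custody fields (case number, investigator, media,
    tool used, ...) and hash both the source and the resulting image so the
    copy can be verified at every later transfer."""
    source_hash = sha256_hex(source)
    image_hash = sha256_hex(image)
    record = dict(fields)
    record.update({
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
        "transfers": [],
        "comments": [],  # "any comments or issues encountered"
    })
    return record


def log_transfer(record: dict, given_by: str, taken_by: str, image: bytes) -> bool:
    """Record a hand-off between two people. The receiver re-hashes the image;
    a mismatch is logged as an issue and flagged instead of silently accepted."""
    ok = sha256_hex(image) == record["image_sha256"]
    record["transfers"].append({
        "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "given_by": given_by,
        "taken_by": taken_by,
        "hash_verified": ok,
    })
    if not ok:
        record["comments"].append(f"hash mismatch on transfer to {taken_by}")
    return ok


if __name__ == "__main__":
    image = acquire_image(SOURCE_MEDIA)
    record = build_custody_record(SOURCE_MEDIA, image, case_number="2018-124567",
                                  investigator="V. Patel", media="USB thumb drive",
                                  tool="dd (assumed)")
    log_transfer(record, "V. Patel", "J. McDuffy", image)
    print(record["verified"], record["transfers"][-1]["hash_verified"])
```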

Write blockers are devices that allow copying without the possibility of accidentally damaging drive contents. The following will give a guideline for the procedure:
· Secure digital evidence.
· Document hardware and software configuration of the examiner's system.
· Verify operation of the examiner's computer system, including hardware and software.
· Disassemble the case of the computer to be examined to permit physical access to the storage devices.
· Ensure equipment is protected from static electricity and magnetic fields.

· Identify storage devices that need to be acquired. These devices can be internal, external, or both.
· Document internal storage devices and hardware configuration:
  Ø Drive condition (e.g., make, model, geometry, size, jumper settings, location, drive interface).
  Ø Internal components (e.g., sound card; video card; network card, including media access control (MAC) address; Personal Computer Memory Card International Association (PCMCIA) cards).
· Disconnect storage devices (using the power connector or data cable from the back of the drive or from the motherboard) to prevent the destruction, damage, or alteration of data.

· Retrieve configuration information from the suspect's system through controlled boots.
· Perform a controlled boot to capture CMOS/BIOS information and test functionality:
  Ø Boot sequence (this may mean changing the BIOS to ensure the system boots from the floppy or CD-ROM drive).
  Ø Time and date.
  Ø Power-on passwords.

· Perform a second controlled boot to test the computer's functionality and the forensic boot disk:
  Ø Ensure the power and data cables are properly connected to the floppy or CD-ROM drive, and ensure the power and data cables to the storage devices are still disconnected.
  Ø Place the forensic boot disk into the floppy or CD-ROM drive. Boot the computer and ensure the computer will boot from the forensic boot disk.
· Reconnect the storage devices and perform a third controlled boot to capture the drive configuration information from the CMOS/BIOS:
  Ø Ensure there is a forensic boot disk in the floppy or CD-ROM drive to prevent the computer from accidentally booting from the storage devices.
  Ø Drive configuration information includes logical block addressing (LBA); large disk; cylinders, heads, and sectors (CHS); or auto-detect.

· Power system down.
· Whenever possible, remove the subject storage device and perform the acquisition using the examiner's system. When attaching the subject device to the examiner's system, configure the storage device so that it will be recognized.
· Exceptional circumstances, including the following, may result in a decision not to remove the storage devices from the subject system:
  Ø RAID (redundant array of inexpensive disks). Removing the disks and acquiring them individually may not yield usable results.
  Ø Laptop systems. The system drive may be difficult to access or may be unusable when detached from the original system.
  Ø Hardware dependency (legacy equipment). Older drives may not be readable in newer systems.
  Ø Equipment availability. The examiner does not have access to necessary equipment.

  Ø Network storage. It may be necessary to use the network equipment to acquire the data.
· When using the subject computer to acquire digital evidence, reattach the subject storage device and attach the examiner's evidence storage device (e.g., hard drive, tape drive, CD-RW, MO).
· Ensure that the examiner's storage device is forensically clean when acquiring the evidence. Write protection should be initiated, if available, to preserve and protect original evidence.
· If hardware write protection is used:
  Ø Install a write protection device.
  Ø Boot system with the examiner-controlled operating system.
· If software write protection is used:
  Ø Boot system with the examiner-controlled operating system.

  Ø Activate write protection.
· Investigate the geometry of any storage devices to ensure that all space is accounted for, including host-protected data areas (e.g., non-host-specific data such as the partition table matches the physical geometry of the drive).
· Capture the electronic serial number of the drive and other user-accessible, host-specific data.
· Acquire the subject evidence to the examiner's storage device using the appropriate software and hardware tools, such as:
  Ø Stand-alone duplication software.
  Ø Forensic analysis software suite.
  Ø Dedicated hardware devices.

Investigation Management Plan

Case No: 2018-124567
Date: January 11, 2018
Reporting Officer / Prepared By: Sheriff McClain
Incident: Child Pornography
Description of Incident: On Tuesday, January 9, 2018, I was dispatched to 12345 Butter Cream Drive regarding a cyber-related call. When I arrived, Jamie Butler was trying to destroy computer components on his neighbor's property. There were reports from an anonymous caller stating Jamie Butler was involved in downloading mass data illegally and possibly child pornography. Mr. Butler was arrested due to trespassing onto his neighbor's property, which led to confiscating his computer equipment for evidence of the accused crimes.

Contact List

Name | Role | Email | Contact Number
V. Patel | Lead Investigator | [email protected] | 512-665-7856
J. McDuffy | Investigator | [email protected] | 512-856-4258
Johnson | Detective | [email protected] | 512-745-1235
Fuentes | Detective | [email protected] | 512-789-5649
Gordon James Esq. | Prosecutor | [email protected] | 512-521-5642
McCain | Sheriff | [email protected] | 512-523-0203
Thomas | Public Defender | [email protected] | 512-742-1596

Project: A computer, hard drive and thumb drive that were seized need to be evaluated to collect, examine, analyze, and then report findings on the devices.

Offense: Child Pornography
Agent: Veena Patel, Digital Forensics Investigator
Items Examined: One computer, hard drive, and thumb drive
Location of Examination: Computer Forensics Laboratory, El Paso, Texas

Keywords

· Young girls
· Naked teens
· Naked child
· Child pornography

Events

Event | Description | Date and Time
Warrant | Items seized | 1/9/18
Hard Drive and Thumb Drive Copied | Copy saved | 1/12/18
Hard Drive Disk Image | Disk analyzed | 1/18/18
Recovered files | Evidence retrieved | 1/20/18
Meeting | Discuss evidence retrieved, completed investigation | 1/24/18

Investigation Timeline

Investigation Cost

References

Computer Crime Investigation Using Forensic Tools and Technology. (2016, January 25). Retrieved January 12, 2018, from http://resources.infosecinstitute.com/computer-crime-investigation-using-forensic-tools-and-technology/#gref

Gogolin, G. (2013). Digital forensics explained. Boca Raton, FL: CRC Press.

How to Document Your Chain of Custody and Why It's Important. (n.d.). Retrieved January 12, 2018, from http://d4discovery.com/discover-more/how-to-document-your-chain-of-custody-and-why-its-important#sthash.VScaOnRO.dpbs

Pollitt, M., Noblett, M., Strang, R., Kerr, O., & Presley, L. (2002). Searching and Seizing Computers and Obtaining Electronic Evidence. Cyber Forensics. doi:10.1201/9781420000115.ch8

Sample Police Report. (n.d.). Retrieved January 12, 2018, from https://www.wikihow.com/Sample/Police-Report
