Forensic Investigation Process Transcription

Welcome to our Computer Forensic Investigation Process module. The forensic investigation process involves several steps. The first step is to determine whether or not there will be an investigation. Not all incidents require an investigation, especially if they were accidental or if they were caused by a natural disaster. Once you determine that there will be an investigation, you need to determine who will conduct the investigation.

It is important to select an individual who has the training and experience required to conduct this type of investigation. You then need to identify items of interest, different types of evidence that you will collect and then examine as part of your investigation. Depending on the investigation you are conducting, the items of interest could be anything from a laptop or desktop computer to a tablet, a cellphone, a USB flash drive, a CD, information stored on a network server, information stored on a cloud storage provider such as Dropbox or information on a social media profile.

Once you identify the items that you need to collect, it is important to collect them and preserve the chain of custody. The chain of custody means that you will maintain control of the evidence from the time you seize it until the time it is used in court and you must make sure that the evidence is not tampered with.

When you collect the evidence, it is important that you take control of the evidence legally. If you collect the evidence illegally, you will most likely not be able to use the evidence in court. Law enforcement officers will generally need a search warrant unless the evidence is turned over to them voluntarily.

In a corporate environment, you should make sure that you have an acceptable use policy that notifies employees that they are monitored on your system and that they don't have any expectation of privacy. This way, you can collect data when necessary to conduct an examination. You can spend a week or more just examining a single hard drive and usually, investigations involve many different types of evidence.

During the examination and analysis period, it is important that you document all of your findings and also document how you located that evidence, in case your examination needs to be reconducted by an opposing attorney or by an additional expert at a later date. If the case goes to trial, you may need to testify in court as an expert witness.

An expert witness is an individual with significantly more training and experience than the average person in a certain area, such as computer forensics. Expert witnesses are allowed to provide their opinion in court as to how something occurred on a computer system. At the conclusion of the trial, a decision will be made, usually by either a jury or a judge. If it is a criminal case, the decision will be whether or not the individual committed the crime beyond a reasonable doubt. If it is a civil case, the determination will be based on whether or not the defendant wronged the plaintiff in some way, causing damages to occur.

The National Institute of Standards and Technology, or NIST, provides us with a forensic timeline. The collection stage is the first portion of the forensic timeline, where we gather any evidence, and this includes interviewing witnesses. We must remember that with computer forensics, we generally cannot place a suspect behind the keyboard.

We would generally need additional evidence to do this, such as a confession or perhaps video surveillance evidence. So it is important to speak with the suspect to determine if they will admit to the crime, or at least admit to owning the machine and being the only individual who uses it.

During the examination process, we do not examine the original evidence, in order to protect that evidence from being damaged or otherwise destroyed. We make forensic copies, or bit-for-bit images, of the original evidence, which preserve all of the binary data contained on the suspect device, and then we examine the copies.

During the analysis phase, we determine what root cause the evidence leads us to believe occurred. Was it an accident, or did an individual delete files? Or was an ex-employee maliciously stealing our data to use it at another company? Once we determine what occurred, we prepare a report. That report is turned over to our client or our management staff, may later be presented in court, and we may be required to testify as an expert witness.

If it was a network intrusion or some other type of negative event, we may also need to prepare an after action review, or AAR, which is submitted to our management. It discusses the successes and failures of our controls and systems, and it also provides recommendations on how we can improve our systems to avoid further incidents.

For the CISSP examination, you should remember that an after action report should always be conducted after an incident occurs, in order to improve our processes so that we do not have future incidents. After an incident occurs and we decide that we are going to conduct an investigation, we begin the forensic analysis process.

The forensic analysis process is where we gather and process evidence after the incident occurs. Before you take any action, you should photograph the area around the computer as well as the room where the computer is located, and take pictures of what is on the screen, because this could be helpful later.

We should always follow the order of volatility when collecting evidence, meaning that we should collect the most volatile evidence first and the least volatile evidence last. A computer that is running has critical data stored in its random access memory, or RAM. When you turn off the computer, you will lose the contents of RAM.

It is very important that you collect the contents of memory before you turn off the computer; this is the first item to collect based on the order of volatility. Once you collect the contents of RAM, you can then proceed with collecting any evidence stored on hard drives, external devices, CDs and other media, as well as hard copy evidence, which you should not forget to look for.

Just because we're conducting an electronic investigation does not mean that our suspects did not print out anything on pieces of paper, which may be located in the area of their office. Every piece of evidence needs to be labeled with a case number and an identifier such as an item number, so that you can identify individual devices.

For the chain of custody, you should record who collected the evidence, who packaged it and how this was done, and this should be maintained on a piece of paper known as a chain of custody form. The items should then be transported to a forensics team at a lab for further investigation and analysis.

It is very important to use proven methods when conducting computer forensics. You must make sure that the collection, preservation, validation, identification, analysis, interpretation, documentation and presentation of digital evidence are conducted within accepted procedures. Otherwise, the evidence may not be acceptable in court. The International Organization on Computer Evidence and the Scientific Working Group on Digital Evidence are two organizations that provide best practices and guidelines for computer forensics.

These practices include critical steps such as making sure that we apply all forensic principles to digital evidence. One of the most important principles is that we never modify evidence as a result of collecting it. If we modify the evidence, it will most likely not be usable in court.
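The steps the module lists, in order: collect by order of volatility, label every item with a case number and item number, keep a chain of custody form, image the original and work only on the copy, and never modify the evidence. The following is an added example, not code from the module or from Skillset. It models those steps on constructed in-memory data, and it adds one check the transcript does not spell out: hashing the original and the image with SHA-256 to show the bit-for-bit copy is unchanged. The volatility ranking, case number, names and byte contents are all made up for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Order of volatility, most volatile first. This ranking is an assumption for
# the example; the transcript only states that RAM is collected before disks,
# removable media and hard copy.
VOLATILITY_ORDER = ["ram", "disk", "removable_media", "hard_copy"]


def sha256_hex(data: bytes) -> str:
    """Hash of the raw bytes; used to show that the image matches the original."""
    return hashlib.sha256(data).hexdigest()


def bit_for_bit_image(original: bytes) -> bytes:
    """A forensic image is a byte-exact copy; here the 'device' is an in-memory byte string."""
    return bytes(original)


def image_matches(original: bytes, image: bytes) -> bool:
    """Integrity check: identical hashes mean nothing changed while copying."""
    return len(original) == len(image) and sha256_hex(original) == sha256_hex(image)


@dataclass
class CustodyEvent:
    when: datetime
    actor: str
    action: str      # e.g. "collected", "packaged", "transported", "received", "imaged"
    note: str = ""


@dataclass
class EvidenceItem:
    case_number: str
    item_number: int
    description: str
    kind: str                      # one of VOLATILITY_ORDER
    sha256: Optional[str] = None   # set once the item has been imaged
    events: list = field(default_factory=list)

    def label(self) -> str:
        """Case number plus item number, as the transcript says every item needs."""
        return f"{self.case_number}-ITEM{self.item_number:03d}"

    def record(self, actor: str, action: str, note: str = "",
               when: Optional[datetime] = None) -> None:
        """One line on the chain of custody form: who did what to the item, and when."""
        self.events.append(CustodyEvent(when or datetime.now(timezone.utc), actor, action, note))

    def custodian(self) -> Optional[str]:
        """Whoever performed the last recorded action currently holds the item."""
        return self.events[-1].actor if self.events else None


def collection_order(items):
    """Most volatile first, so RAM is acquired before the machine is powered off."""
    return sorted(items, key=lambda i: VOLATILITY_ORDER.index(i.kind))


def run_example() -> dict:
    # Constructed sample: a workstation's RAM, its hard drive, and a printed page.
    case = "CASE-2024-0001"   # placeholder case number
    ram = EvidenceItem(case, 1, "Workstation RAM capture", "ram")
    disk = EvidenceItem(case, 2, "Workstation hard drive", "disk")
    paper = EvidenceItem(case, 3, "Printed spreadsheet from desk", "hard_copy")
    ordered = collection_order([paper, disk, ram])

    # Seizure, packaging, transport and receipt are logged for every item.
    for item in ordered:
        item.record("A. Examiner", "collected", "photographed in place before seizure")
        item.record("A. Examiner", "packaged", "sealed evidence bag")
        item.record("B. Courier", "transported", "to forensic lab")
        item.record("C. Lab Tech", "received", "logged into evidence locker")

    # At the lab the drive is imaged; the original is never examined, the copy is.
    original_drive = b"\x00" * 64 + b"quarterly-numbers.xlsx" + b"\xff" * 64   # constructed content
    image = bit_for_bit_image(original_drive)
    disk.sha256 = sha256_hex(image)
    disk.record("C. Lab Tech", "imaged", f"sha256={disk.sha256}")
    verified = image_matches(original_drive, image)

    # A copy with a single flipped byte fails the same check.
    tampered = bytearray(image)
    tampered[70] ^= 0x01
    tampered_ok = image_matches(original_drive, bytes(tampered))

    return {
        "order": [i.label() for i in ordered],
        "image_verified": verified,
        "tampered_verified": tampered_ok,
        "disk_custodian": disk.custodian(),
        "disk_events": len(disk.events),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The hash is recorded on the custody entry for the imaging step, so anyone re-examining the evidence later (the opposing expert the module mentions) can rehash the image and confirm it is the same data the examiner worked on.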

All individuals who are accessing, collecting and analyzing digital evidence should be trained for that purpose. Documentation is critical and we must make sure that we are maintaining documentation about the seizure, the storage and the transfer of digital evidence and any individuals who may have had access to it.

Individuals in your organization who have contact with digital evidence are responsible for any actions that they take with that evidence while it is in their possession. It is critical that you make sure that anyone who seizes, accesses, stores or transfers evidence is responsible for it and compliant with these principles.

This way, you will be able to use the evidence in a court of law. It is also important to make sure that you are reporting and documenting your forensic process correctly. Your reports need to be complete and very detailed, and they should be of evidential quality, because they will most likely be submitted as evidence if the case goes to court. You should discuss the findings of your investigative steps in your report. Provide a copy of the standard operating procedures that are used in your lab. You should also make sure that you have checklists of best practices that your employees can follow, and these checklists can also be submitted as part of the report.

You should make sure that the forensic tools you are using are validated to work correctly and are updated to the newest version. It is critical to be able to present evidence in layman's terms, so that individuals who are not computer experts, such as the judge and members of the jury, are able to understand what you are trying to tell them when you testify.

It is important to include in your report any artifacts that support the fact that an incident occurred, or that review the fact that an incident occurred. Your report should be professionally prepared and checked for spelling and grammatical errors, and you should also provide time-stamped log files to support your findings.

Many forensic software programs do automate the report process, but you should make sure that these automated reports are accurate before you place your signature on them and submit them as evidence. This concludes our Computer Forensic Investigation Process module. Thank you for watching.
