A digital forensic investigation process can involve many steps and procedures. The objective is to obtain unbiased information in a verifiable manner using accepted forensic practices. In this project you will perform some of the steps necessary for setting up an investigation. These steps include designing interview questions that establish the needs of the case and focus your investigative efforts. You will also determine what resources may be needed to conduct the investigation. Once you have this information, you will be able to develop an investigation plan that properly sequences activities and processes allowing you to develop time estimates and contingency plans should you encounter challenges in the investigation.
This particular situation involves two computers and a thumb drive. After clear authorization to proceed has been obtained, one of the first investigative decision points is whether to process the items of evidence individually or together. Processing computers individually makes sense when they are not likely tied to the same case. However, if the computers are linked to the same case, there can be advantages in processing them together.
There are four steps in this project. In Step 1, you will develop interview protocols and identify documentation needs for a forensic investigation. In Step 2, you will identify resources needed for the investigation. In Step 3, you will develop a plan for conducting the investigation, and in Step 4, you will consolidate your efforts in the form of a single document to be submitted to your supervisor (i.e., your instructor). The final assignment in this project is a planning document with a title page, table of contents, and distinct section for each of the three steps in the project
Let’s get started! In Step 1 you use an interview template to record questions, keywords, and authorization information, and to complete the legal forms that will be needed in this case. Before you can do that, you need to review your training in criminal investigations.
Step 1: Complete Preliminary Work
In Step 1 you recall your training in criminal investigations, in which you covered the laws governing chain of custody, search warrants, subpoenas, jurisdiction, and the plain view doctrine. You also review forensic laws and regulations that relate to cybercrime, as well as rules of digital forensics in preparation for your digital forensic investigation. Next, you read the police report and perform a quick inventory of devices that are thought to contain evidence of the crime. You have set up a meeting with the lead detectives and the prosecutor handling the case.
You have received an official request for assistance which provides you with authority to conduct the investigation. You realize it will be impossible to produce a detailed investigation project plan prior to your meeting with the detectives and the prosecutor. First you need to develop a series of questions to establish the key people and activities. These questions should address potential criminal activity, timelines, and people who need to be investigated.
It is also important to determine whether different aspects of the case are being pursued by other investigators and to include those investigators on your contact list. In addition, some situations may involve organizations or individuals who need to adhere to various types of industry compliance. This situation may require you to follow special procedures.
Your tasks in Step 1 are to create an interview form to record questions, keywords, and authorization information, and to designate the legal forms that will be needed in this case. The forms that you complete as part of Step 1 will be included in your “Investigation Project Plan”– the final assignment for this project.
In Step 2 you will consider the types of resources needed for the investigation.
Step 2: Determine What Is Needed for the Investigation
In Step 1 you developed the forms and templates needed to collect the legal, criminal, and technical information that lays the groundwork for your investigation. In Step 2, you consider the types of resources needed to conduct the investigation. By making these preparations, you are establishing forensic readiness. Required resources can include people; tools and technologies such as RAID disks, deployment kits, or imaging programs; and budget and timeline information. Develop your checklist. It will be included in your final “Investigation Project Plan.” In Step 3 you will prepare a plan for managing a digital forensic investigation.
Step 3: Develop a Plan
In the prior step, you determined what resources would be necessary for your investigation. In Step 3 you develop a plan for managing the investigation. Reporting requirementsreflect the step-by-step rigidity of the criminal investigation process itself. Being able to articulate time, task, money, and personnel requirements is essential.
Project management is a skill set that is not often linked to digital forensics and criminal investigations. That is unfortunate because effective project management can have a dramatic impact on the success and accuracy of an investigation. Identifying the tasks that need to be performed, their sequence, and their duration are important considerations, especially in the face of “wild cards” such as delays in obtaining correct search warrants and subpoenas. It is also important to have a clear understanding of the goals for the investigation as you will likely be called upon to present conclusions and opinions of your findings.
Your project plan should include properly sequenced evidence acquisition and investigation processes, time estimates, and contingency plans. Your plan will serve many purposes including the assignment of a project budget. As you create your plan, be sure to include communications and reporting—who should be involved, how the activities should be carried out, how often, and under what circumstances (i.e., modality, frequency).
Once you have developed your project management plan, move on to Step 4 where you will submit your final assignment.
Step 4: Submit Completed Investigation Project Plan
For your final assignment, you will combine the results of the previous three steps into a single planning document—an “Investigation Project Plan”—with a title page, a table of contents, and a distinct section for each of the three steps. The Plan should include:
All sources of information must be appropriately referenced. Submit your completed “Investigation Project Plan” to your supervisor (your instructor) for evaluation upon completion.