Site Loader
Rock Street, San Francisco

Digital Investigation (DI) Process Model

1.     Preparation

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!

order now

To perform an effective digital
investigation, Brandon must first devise a plan of action. The plan of action
includes methodical approach towards dealing with the location of investigation
and expected evidential items, a strategic
protocol for processing and examining available evidence, and the preservation
steps for it.

We first need information resources to
create a plan. Brandon needs to start by assessing the scope of the case, putting
consideration for the computer OS and hardware devices to determine what resources
and tools are needed to process and
collect evidence. This information can be obtained through reviewing ACE
company inventory databases of computer hardware and software, and it’s configuration management database which
keeps a record of all updates made to the office workstations. Next, a detailed
description of the location and network topology will be comprehended first
before heading down to the scene. This can be done through enquires of
information from Mr Kenneth Koh and the study of the company floor plan.

With Intel
about the OS/Device present in the location of the investigation, Brandon needs
to make a prediction for the size of the storage device on the suspect computer
and roughly determine the number of digital devices to be processed at the scene. Also, prediction
of what hardware equipment might be involved needs to be
done to prepare the compatible tools needed. Predetermining where potentially
relevant evidence is being hidden will result in efficiency during the search.

To better prepare for dealing with unusual situations during the investigation,
Brandon should make possible predictions on what will or will not be
encountered at the search site. For example, seizing of computers and digital
devices and taking them back to the forensic lab for further processing will
not be feasible, as there is a concern about alerting the subjects of the
covert investigation. Brandon may also encounter a complicated situation where files evidence is stored offsite that
are accessed remotely such as on the cloud storage which cannot be located
physically. Pre-planning of remediation towards these situations needs to be

For a covert operation, Brandon would need
to prepare for some on-scene processing of digital evidence. He would need to
determine the necessary resources/expertise and tools required, that can
provide speed data acquisition for acquiring digital evidence.

Some essential equipment to prepare is evidence bags and tags for labelling and preservation of evidence. Chain of Custody form to support the
integrity of evidence. Digital camera for documentation of what is present on
the search site. Forensically prepared computers, hard drives and write
blockers for data acquisition of disk images. Lastly, a toolkit containing hand tools such as screwdriver, pliers and
flashlight for dismantling and restoration.

Brandon will also have to review all
available facts, plans and objectives with the investigation team assembled to
better prepares them. Additional technical expertise may be brought in to
assist the team to cover the weakness of the team.


2.     Survey

From the preparation process, Brandon can
utilise the plan of action devise earlier to survey the search site for sources
of digital evidence related to the case. Through surveying the scene, the team
must “Recognise” all potential sources of digital evidence, finding both
expected and unanticipated items. Among this
digital evidence, Brandon needs to
“Distinguish” by prioritizing what digital evidence to preserve based on the level of relevance, volatility, and magnitude
of effect and strength of the evidence. Rational speculation on each discovery and
absence of item will need to be developed too. Not just looking into obvious
sources of digital evidence, other less significant hardware devices and
personal information documentation such as ‘Dairy’ and ‘Handwritten notes’ may
sometimes provide crucial information that allows Brandon to find patterns and
make correlations in the investigation process and solve the case. Therefore, a
survey of hardware will be done along
with the survey of digital evidence at the search site.  

3.     Preservation

Different situations result in the different procedure for preservation of digital
evidence. With the nature of the case
taking up a covert operation, Brandon’s team will need to perform on-site data
acquisition. Depending on the state of the suspect’s computer/work devices, the
team would have to use professional judgement to acquire and preserve the
evidence in its current state while maintaining data integrity. If the computer
is off, leave it off and proceed with the
static acquisition. However, if it’s on,
Brandon would have to determine the best investigative method and perform the live acquisition. To preserve the disk data, Brandon
will make the suspect drive read-only
with a write-blocker device before acquiring data directly from a suspect
drive. After that, before creating a bitstream
image of the suspect drive with disk-imaging software and storing it into a
large hard drive. Two different hashing algorithms will be used to calculate the
hash value of the original evidence. Upon finishing the process of imaging,
Brandon will need to produce a digital
hash of the image file with the same hashing algorithm used previously and
verify the hash value with the original one. If the hash values are identical,
it shows that the integrity of the digital evidence didn’t change. The investigator
team should never work with the golden copy thus duplication copies of the
image evidence will be made for examination and analysis. Lastly, the golden
copy will be stored in an evidence locker that has an evidence custody form for

4.     Examination and Analysis

To facilitate the analysis stage,
Brandon’s team will first employ the 3 levels of forensic examination (Triage
Forensic Inspection, Preliminary and In-Depth Forensic Examination) to prepare
digital evidence. They will need to determine which items contain the most
useful evidence and require additional processing. From there, examination of
these identified items will be done to provide investigators with information
for analysis.

For an efficient and thorough digital
evidence examination, careful filtering and data reduction such as eliminating
irrelevant valid system files and focusing on files containing user-created
data within a restricted time frame will be done. In this case, since the
suspects are suspected of downloading
questionable pictures from the internet, Brandon may perform selective
extracting of certain file types such as JPEG, PNG and GIF.

When examining a piece of digital
evidence, Brandon will have to address questions of identification,
classification/individualization characteristics and evaluation of source as it
helps in the documentation of the evidence handling process that may be
required to be produced in court. Lastly,
the team may need to perform evidence recovery by
traversing the hex dump of data for the reconstitutes
of fragments into its near original state upon discovery of deleted file. Encrypted
data will require them to obtain the passphrase through the use of trial and
error method such as Brute force. The passphrase
may also be obtained through the search of surrounding for slips of paper or
cover monitoring.

Information obtained from the examination will aid the investigator team in
conducting interviews and developing leads during forensic analysis. Brandon
will have to perform functional analysis to review and study the identified
digital evidence and understand the
meaning of the readable data to gain insight into the suspect’s intent and
motives. Following that, the relational
analysis will be done to establish links between the suspect and the crime
scene, alongside with verifying the source of items to reaffirm the offender.
Lastly, to know the time and sequence of events, the temporal analysis will help Brandon identify patterns and gaps as he
reconstructs events relating to the incident through the creation of the timeline. As a result, Brandon will be able to
ascertain the claims.

5.     Presentation

Brandon will need to present his findings
outlined in a report. The report shall provide a transparent view of the
investigative process, containing important details from each step above in a
structure of Introduction, Evidence Summary, Examination Summary, File System
Examination, Analysis, Conclusions, Glossary of Terms and Appendix of
Supporting Exhibits. In the report, Brandon will have to explain each
conclusion through a thorough description of the supporting evidence and
analysis. He will need to convey his objectivity behind theories used and those
eliminated to provide a rationalised explanation on how he derives his
conclusion. Lastly, explanation of technical terms used in the report will be conveyed into the understandable narrative for the ease of discussion with ACE’s
director for further steps to be taken.

Tools for Analysis

For accuracy in terms of data integrity
and the credibility of evidence, Brandon will use more than one tools to
analyse the forensic image. As each forensic tool have its own weaknesses,
using two different tools helps act as a countercheck to cover the weaknesses
of the tool. This countercheck will ensure that the evidence acquired has the
same result as using the other tool and it verifies that the integrity of the
evidence matches one another. By doing so, we can enhance the credibility and
weight of the evidence.

Autopsy and Forensic Toolkit (FTK) will be
used for examination and analysis of the forensic image. Autopsy is easy
to use, a fast GUI-based program that
allows one to efficiently analyse disk images in either raw or E01 format,
local drives or a folder of local files. Autopsy offers robust file system analysis
for various common file systems, including NTFS, FAT12/16/32, Ext2/3/4 and
ISO9660 (CD-ROM).

FTK is an investigations solution known
for its intuitive interface, email analysis, customizable data views,
processing speed and stability. It can quickly locate evidence and forensically
collects and analyses any digital device transmitting or storing data. Like
Autopsy, it is capable of showing details about deleted data and file system
structures. (Refer to Table 1)

Law regarding misuse of Wireless Connections

The Computer Misuse and Cybersecurity Act Section
6 mention the use or misuse of wireless connection. Section 6 (1a) and (1c)
states that if any person secures access without authority to any computer or,
uses or causes to be used, for obtaining, directly, or indirectly, any computer
service shall be guilty. For this case, the suspect is seen to be involved with
the legality of piggybacking. Piggybacking falls into place when someone uses
an existing computer service to his or her advantage. The suspect was suspected
of abusing the company’s computer and
wireless connection for personal gains, therefore, violating this law.

If the suspect is to be judged guilty, he/she
is liable to a fine not exceeding $10,000 or to imprisonment for a term not
exceeding 3 years or to both and, in the case of a second subsequent
conviction, a fine not exceeding $20,000 or to imprisonment for a term not
exceeding 5 years or to both may be impose.

An example of piggybacking in Singapore is
Mr Lin Zhenghuang. On 4 January 2007, Mr Lin Zhenghuang was charged for using
his neighbour’s unsecured wireless network to post a bomb hoax online. Lin
pleaded guilty and was sentenced to three month’s jails and a $4,000 fine.

for tracking or discovering Internet Access

One of the tools to track or discover
Internet access using Internet Explorer is Magnet Forensics Internet Evidence
Finder (MAGNET IEF). IEF can search for over hundred types of digital forensic artefacts
found in allocated and unallocated space on computers by extracting data from
fragmented files that are not sequential or missing entirely. Using this, Brandon
can recover evidence from the Internet
and, Business Applications & OS artefacts from Windows and Mac computers. Internet
artefacts include ‘Browser Activity’,
‘Web Search and Search Toolbars’, ‘Media Files’, ‘Webmail’ and ‘Cloud Drives’. Business
Applications & OS artefacts include
‘Corporate Email’, ‘Documents’ and ‘Windows OS’. From here, Brandon can utilize
IEF Report Viewer for initial review and analysis of all the recovered digital
evidence related to the case. (Refer to Table 2 for

Digital evidence such as browser activity
from Internet Explorer, search engine activity from applications like Google
and Cloud Drives activity on applications like Dropbox will aid Brandon in the
discovery of the suspect Internet access usage on his/her computer.

Another tool that can be used is Forensic Toolkit. With its built-in
function like internet keyword search option, Brandon can extract all Web page
URLs and other associated information to the allegation made upon the disk
drive examination. With this information recovered from forensics analysis, Brandon
can match the URL data against the company network server log to determine if
there is an act of breaching the
company’s policy where inappropriate data was downloaded to the computer and
whether it was through the company’s intranet connection to the internet. 

Post Author: admin


I'm Dora!

Would you like to get a custom essay? How about receiving a customized one?

Check it out