VIDEO
HIGHLIGHT
Log InSign up
Computer Forensic Investigation Process (CISSP Free by Skillset.com)
SummaryTranscriptChat

Computer Forensic Investigation Process (CISSP Free by Skillset.com)

Computer Forensic Investigation Process

Overview of the Forensic Investigation Process

  • The forensic investigation process begins with determining if an investigation is necessary, especially for incidents that are accidental or due to natural disasters.
  • Selecting a qualified individual with the appropriate training and experience is crucial for conducting the investigation.

Identifying Evidence

  • Items of interest can include various devices such as laptops, desktops, tablets, cell phones, USB drives, and data stored on network servers or cloud services like Dropbox.
  • Preserving the chain of custody is essential; it ensures control over evidence from collection to court presentation. This includes preventing tampering and ensuring legal collection methods are followed.

Legal Considerations in Evidence Collection

  • Law enforcement typically requires a search warrant unless evidence is voluntarily provided; corporate environments should have acceptable use policies informing employees about monitoring practices.
  • Documentation during examination and analysis is vital for potential future scrutiny by opposing attorneys or experts. This includes detailing findings and how evidence was located.

Role of Expert Witnesses

  • An expert witness possesses specialized knowledge beyond that of an average person in computer forensics and may need to testify in court regarding their findings.
  • The outcome of trials can vary based on whether they are criminal (beyond a reasonable doubt) or civil cases (determining wrongdoing).

Forensic Timeline and Analysis Process

  • The National Institute for Standards and Technology (NIST) outlines a forensic timeline starting with evidence collection, which also involves interviewing witnesses. It’s important to gather additional corroborating evidence when possible.
  • Original evidence should not be examined directly; instead, forensic copies (bit-for-bit images) are created to protect original data integrity during analysis phases.

Reporting Findings

  • After determining the root cause of incidents—whether accidental deletions or malicious actions—a report must be prepared for clients or management staff that may also be presented in court later on.
  • An after-action review should follow any incident to evaluate successes and failures in controls/systems while providing recommendations for improvement to prevent future occurrences.

Conducting Forensic Analysis

  • Before initiating forensic analysis post-investigation decision, photographing the scene around computers helps document conditions at the time of discovery which could aid later investigations.
  • Following the order of volatility principle ensures that more volatile data (like RAM contents) is collected first before less volatile data from hard drives or external media is gathered last to maintain evidential integrity.

Computer Forensics Investigation Process

Importance of Evidence Collection

  • Evidence collection in electronic investigations must not overlook physical documents that may be printed and located in the suspect's office. Each piece of evidence should be labeled with a case number and an identifier for easy tracking.
  • The change of custody for collected evidence must be documented, including who collected it and how it was packaged. This information is recorded on a chain of custody form before transporting items to a forensic lab for further analysis.

Adhering to Accepted Procedures

  • It is crucial that the collection, preservation, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence follow accepted procedures; otherwise, the evidence may be deemed inadmissible in court.
  • Organizations like the International Organization of Computer Evidence and the Scientific Working Group on Digital Evidence provide best practices for computer forensics. Key principles include never modifying evidence during collection.

Responsibility and Documentation

  • All individuals involved in accessing or handling digital evidence must be trained and responsible for their actions regarding that evidence. Proper documentation about seizure, storage, transfer, and access is essential.
  • Ensuring compliance with established principles allows the collected evidence to be used effectively in legal proceedings.

Reporting Standards

  • Reports generated from forensic investigations need to be detailed and evidentially sound as they may serve as court submissions. They should discuss investigative findings comprehensively.
  • Including standard operating procedures used in labs along with checklists of best practices can enhance report quality. Forensic tools employed must also be validated to ensure accuracy.

Clarity in Presentation

  • When testifying or presenting findings in court, it's important to explain technical details in layman's terms so that non-experts can understand them clearly.
  • Reports should include supporting artifacts related to incidents under investigation while being free from spelling or grammatical errors. Timestamped log files are vital for substantiating findings.

This concludes our overview of the computer forensic investigation process module. Thank you for watching!

Video description

This Forensics training video is part of the CISSP FREE training course from Skillset.com (https://www.skillset.com/certifications/cissp). Skillset helps you pass your certification exam. Faster. Guaranteed. https://www.skillset.com Topic: Forensic Investigation Process Skill: Computer Forensics Fundamentals Skillset: Security Operations Certification: CISSP Join the 40,000+ candidates in over 58 countries that have found a faster, better way to pass their certification exam. + Unlimited access to thousands of practice questions + Exam readiness score + Smart reinforcement + Focused training ensures 100% exam readiness + Personalized learning plan + Align exam engine to your current baseline knowledge + Eliminate wasted study time + Exam pass guarantee And much more - https://www.skillset.com