Table of Contents
Introduction
Submit the word processed document detailing
Different techniques used to preserve the integrity of the evidence
Explain the steps, process and techniques you will follow to make the file "hero.txt" ready for the investigation. Improper handling of the evidence may change, modify or damage the attributes of the evidence.
Submit the contemporaneous notes which will record 'exactly' what you did to handle the "hero.txt" file. This should be included as Appendix A. It is acceptable to provide contemporaneous notes as scanned handwritten notes, a screenshot, or any other forensic note-taking software that you can acquire and use (providing you are adhering to any license agreements that may be required).
Reference
Introduction
This assignment is about handling the evidence found at a crime scene. I've tried to verify in detail the procedures and steps for dealing with the evidence.
A. Submit the word processed document detailing:
i. Different techniques used to handle digital evidence.
Evidence Assessment:
A key component of the investigative process is evaluating the possible evidence in a cybercrime. A clear understanding of the details of the case at hand, and therefore of the classification of the cybercrime in question, is central to effective processing of evidence. The investigator must define the types of evidence sought (including the specific platforms involved) before conducting an investigation. The investigator must then establish the source and integrity of that data before relying on it as evidence.
Evidence Acquisition:
Perhaps the most critical facet of a successful computer forensic investigation is a rigorous, detailed evidence-acquisition plan. Extensive documentation is required before, during and after the acquisition process; detailed information, including all hardware and software specifications, all systems used in the investigation process and the systems being investigated, must be recorded and preserved. Evidence must be obtained in a way that is both deliberate and legal. In pursuing a court case, being able to document and authenticate the chain of evidence is crucial, and this is particularly true for computer forensics given the complexity of most cybersecurity cases.
Evidence Examination:
To investigate potential evidence effectively, procedures must be in place for the retrieval, copying, and storage of evidence within appropriate databases. Investigators typically examine data from designated archives, using a variety of data analysis methods and approaches. These could include the use of analysis software to search massive data archives for specific keywords or file types, as well as procedures for the recovery of recently deleted files. It is also useful to analyze file names, as this can help determine when and where specific data was created, downloaded, or uploaded, and can help investigators connect files on storage devices to online data transfers (such as cloud-based storage, email, or other Internet communications). This also works in reverse: file names usually indicate the directory that houses them.
Documentation and Reporting:
In addition to fully documenting hardware- and software-related information, computer forensic investigators must keep an accurate record of all investigation-related activity, including all methods used to test system functionality and to retrieve, copy, and store data, as well as all actions taken to acquire, examine, and assess evidence. This not only shows how the integrity of user data has been preserved but also ensures that all parties have adhered to proper policies and procedures.
All actions related to a particular case should be accounted for in a digital format by computer forensic investigators and saved in properly designated archives. This helps to ensure the authenticity of any findings by enabling these cybersecurity experts to show exactly when, where, and how evidence was recovered. Cybersecurity experts in this critical role are now more than ever helping government and law enforcement agencies, corporations, and private entities improve their ability to investigate various types of online criminal activity and to face a growing range of cyber threats. IT professionals conducting computer forensic investigations are tasked with identifying specific cybersecurity needs, effectively allocating resources to address cyber threats, and pursuing the perpetrators.
ii. Different techniques used to preserve the integrity of digital evidence.
First, the investigation is initiated.
The hardware, software and other tools required to carry out computer forensics are rather costly. Companies must choose whether to develop their own forensics team or to contract out forensics tasks. The most effective strategies for guaranteeing legal admissibility while getting ready to engage a forensic analyst usually involve:
1. Drive Imaging
2. Hash Values
3. Chain of custody
1. Drive Imaging:
Before investigators begin evaluating information from a source, they must first image it. Imaging a drive is a forensic process that produces a bit-for-bit replica of the drive for the investigator. This forensic image of the original media preserves the facts under investigation. In general, investigators work solely on the image and never conduct forensic analysis on the original media. Indeed, if a device has been hacked, it is vital to do as little as possible – and preferably nothing – to the machine itself other than isolating it to prevent communication into or out of the device and capturing live memory (RAM) contents, if appropriate.
2. Hash Values:
When an investigator images a computer for examination, the imaging process produces cryptographic hash values (MD5, SHA-1). A hash value serves to check the accuracy and credibility of the image as an exact replica of the original media. Hash values are crucial, particularly when submitting evidence in court, as changing even a single bit of data would produce an entirely different hash value. So if you create a new file on your computer, or modify an existing file, a new hash value results for that file.
3. Chain of custody:
As investigators gather and move media from their clients as appropriate, they log all media transactions and documentation on Chain of Custody (CoC) forms and capture signatures and dates at each media handover. Maintaining the chain of custody documents is important: this record shows that the image has been in defined possession continuously since the time of its creation.
iii. Explain the steps, process and techniques you will follow to make the file "hero.txt" ready for the investigation. Improper handling of the evidence may change, modify or damage the attributes of the evidence.
Step 1: "hero.txt" was found at the crime scene.
Step 2: Network connectivity was turned off to remove the threat of external attacks and protect the file.
Step 3: The hash value of the file was calculated so that its integrity can be verified later.
Step 4: A Chain of Custody record was created in order to know who has handled the evidence and when.
Sent by    Received by    Date          Time
Bastian    Ozil           2020/04/13    1:00 PM
Gotze      Muller         2020/04/14    2:00 PM
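The hash-value and chain-of-custody techniques from section ii, applied to the four steps above, as an added Python example that is not part of this assignment or of any forensic tool: it makes a byte-for-byte copy of a constructed "hero.txt", hashes original and copy with the MD5 and SHA-1 named above (plus SHA-256, since MD5 and SHA-1 are no longer collision resistant), records the two handovers from the chain-of-custody table with the hash re-verified at each one, and then flips a single bit in the working copy to show that every hash changes. The file content, the CustodyEntry and ChainOfCustody classes and their field names are assumptions made for the example.

```python
"""Added example (not part of the assignment): hash a seized file, verify a
working copy, keep a chain-of-custody log that re-checks the hash at every
handover, and show that a one-bit change is detected."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Constructed sample content; the real hero.txt is whatever was seized.
HERO_TXT = b"Sample evidence text constructed for this example.\n"


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} for a file, read in 1 MiB chunks so a
    multi-gigabyte image never has to fit in memory. MD5 and SHA-1 are
    computed because the assignment names them; SHA-256 is the one to rely
    on, since MD5 and SHA-1 are no longer collision resistant."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_copy(original, image_path):
    """Byte-for-byte copy (the file-level analogue of drive imaging),
    verified before any examination starts. Returns the hashes of the
    original, or raises if the copy does not match."""
    with open(original, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
    orig, copy = hash_file(original), hash_file(image_path)
    if orig != copy:
        raise RuntimeError("acquisition failed: image hashes differ from original")
    return orig


@dataclass
class CustodyEntry:          # assumed structure of one CoC form row
    sent_by: str
    received_by: str
    date: str
    time: str
    sha256: str              # hash observed by the receiver at handover


@dataclass
class ChainOfCustody:
    evidence: str            # path of the sealed original
    baseline_sha256: str     # hash recorded at acquisition (Step 3)
    entries: list = field(default_factory=list)

    def handover(self, sent_by, received_by, date, time):
        """Record a handover (Step 4). The receiver re-hashes the evidence,
        so the log proves the file was unchanged at every transfer.
        Returns True if the hash still matches the baseline."""
        current = hash_file(self.evidence, ("sha256",))["sha256"]
        self.entries.append(CustodyEntry(sent_by, received_by, date, time, current))
        return current == self.baseline_sha256

    def intact(self):
        """True if every recorded handover hash matches the baseline."""
        return all(e.sha256 == self.baseline_sha256 for e in self.entries)


def demo():
    """Run the whole procedure in a temporary directory and return the
    results so they can be checked rather than only printed."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "hero.txt")
    image = os.path.join(work, "hero.txt.image")
    with open(original, "wb") as f:
        f.write(HERO_TXT)

    baseline = acquire_copy(original, image)             # Step 3
    coc = ChainOfCustody(original, baseline["sha256"])   # Step 4
    first = coc.handover("Bastian", "Ozil", "2020/04/13", "1:00 PM")
    second = coc.handover("Gotze", "Muller", "2020/04/14", "2:00 PM")

    # Flip one bit of the working copy: every digest must now differ.
    data = bytearray(HERO_TXT)
    data[0] ^= 0x01
    with open(image, "wb") as f:
        f.write(data)
    tampered = hash_file(image)
    detected = all(tampered[a] != baseline[a] for a in baseline)

    return {"baseline": baseline, "handovers_ok": first and second,
            "chain_intact": coc.intact(), "tamper_detected": detected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The handover record is only as strong as the hash behind it, which is why the receiver recomputes it rather than copying the value from the form; on a real acquisition the same check is run against the sealed original and the working image at every transfer.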
B. Submit the contemporaneous notes which will record 'exactly' what you did to handle the "hero.txt" file. This should be included as Appendix A. It is acceptable to provide contemporaneous notes as scanned handwritten notes, a screenshot, or any other forensic note-taking software that you can acquire and use (providing you are adhering to any license agreements that may be required).
Contemporaneous note
Reference:
online.norwich.edu/academic-programs
ci.security/resources/news/article
unodc.org/ej/en/cybercrime/module-6