Module 02
Computer Forensics Investigation Process
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Module Objectives
1. Understanding the Forensic Investigation Process and its Importance
2. Understanding the Pre-investigation Phase
3. Understanding the Investigation Phase
4. Understanding the Post-investigation Phase
Module Flow
01 Understand the Forensic Investigation Process and its Importance
02 Forensic Investigation Process - Pre-investigation Phase
03 Forensic Investigation Process - Investigation Phase
04 Forensic Investigation Process - Post-investigation Phase
Forensic Investigation Process
A methodological approach to investigate, seize, and analyze digital evidence and then manage the case from the time of search and seizure to reporting the investigation result
Importance of the Forensic Investigation Process
As digital evidence is fragile in nature, following strict guidelines and a thorough forensic investigation process that ensures the integrity of evidence is critical to proving a case in a court of law
The forensic investigation process to be followed should comply with local laws and established precedents. Any breach or deviation may jeopardize the complete investigation.
The investigators must follow a repeatable and well-documented set of steps such that every iteration of analysis provides the same findings; otherwise, the findings of the investigation can be invalidated during cross-examination in a court of law
Phases Involved in the Forensics Investigation Process
Pre-investigation Phase
❑ Deals with tasks to be performed prior to the commencement of the actual investigation
❑ Involves setting up a computer forensics lab, building a forensics workstation, developing an investigation toolkit, setting up an investigation team, getting approval from the relevant authority, etc.
Investigation Phase
❑ The main phase of the computer forensics investigation process
❑ Involves acquisition, preservation, and analysis of evidentiary data to identify the source of the crime and the culprit behind it
Post-investigation Phase
❑ Includes documentation of all actions undertaken and all findings uncovered during the investigation
❑ Ensures that the report is easily explicable to the target audience and that it provides adequate and acceptable evidence
Setting Up a Computer Forensics Lab
A Computer Forensics Lab (CFL) is a location that houses instruments, software and hardware tools, and forensic workstations required for conducting a computer-based investigation with regard to the collected evidence
1 Planning & budgeting considerations
✓ Number of expected cases
✓ Type of investigation
✓ Manpower
✓ Equipment and software requirement
2 Physical & structural design considerations
✓ Lab size
✓ Access to essential services
✓ Space estimation for work area and evidence storage
✓ Heating, ventilation, and air-conditioning
3 Work area considerations
✓ Workstation requirement
✓ Ambience
✓ Internet, network and communication line
✓ Lighting systems and emergency power
4 Physical security considerations
✓ Electronic sign-in
✓ Intrusion alarm systems
✓ Fire suppression systems
5 Human resource considerations
✓ Number of required personnel
✓ Training and certification
6 Forensic lab licensing
✓ ASCLD/LAB accreditation
✓ ISO/IEC 17025 accreditation
Building the Investigation Team
❑ Keep the team small to protect the confidentiality of the investigation and to guard against information leaks
❑ Identify team members and assign them responsibilities
❑ Ensure that every team member has the necessary clearance and authorization to conduct assigned tasks
❑ Assign one team member as the technical lead for the investigation
People Involved in an Investigation Team
Photographer: Photographs the crime scene and the evidence gathered
Incident Responder: Responsible for the measures to be taken when an incident occurs
Incident Analyzer: Analyzes the incidents based on their occurrence
Evidence Examiner/Investigator: Examines the evidence acquired and sorts the useful evidence
Evidence Documenter: Documents all the evidence and the phases present in the investigation process
Evidence Manager: Manages the evidence in such a way that it is admissible in the court of law
Evidence Witness: Offers a formal opinion in the form of a testimony in the court of law
Attorney: Provides legal advice
Understanding the Hardware and Software Requirements of a Forensic Lab
❑ A digital forensic lab should have all the necessary hardware and software tools to support the investigation process, starting from searching and seizing the evidence to reporting the outcome of the analysis
Hardware
➢ Two or more forensic workstations with good processing power and RAM
➢ Specialized cables
➢ Write-blockers and drive duplicators
➢ Archive and restore devices
➢ Media sterilization systems
➢ Other equipment that allows forensic software tools to work
➢ Computer forensic hardware toolkit, such as Paraben's First Responder Bundle, DeepSpar Disk Imager, FRED forensic workstation, etc.
Software
➢ OSes
➢ Data discovery tools
➢ Password-cracking tools
➢ Acquisition tools
➢ Data analyzers
➢ Data recovery tools
➢ File viewers (image and graphics)
➢ File type conversion tools
➢ Security and utilities software
➢ Computer forensic software tools such as Wireshark, AccessData's FTK, etc.
Computer Forensics Investigation Methodology
1 Documenting the Electronic Crime Scene
2 Search and Seizure
3 Evidence Preservation
4 Data Acquisition
5 Data Analysis
6 Case Analysis
7 Reporting
8 Testifying as an Expert Witness
Documenting the Electronic Crime Scene
❑ Documentation of the electronic crime scene is necessary to maintain a record of all the forensic investigation processes performed to identify, extract, analyze, and preserve the evidence
Points to remember when documenting the crime scene
▪ Document the physical crime scene, noting the position of the system and other equipment, if any
▪ Document details of any related or difficult-to-find electronic components
▪ Record the state of computer systems, digital storage media, and electronic devices, including their power status
Search and Seizure
❑ Planning the search and seizure
✓ Seeking consent
✓ Obtaining witness signatures
✓ Obtaining warrant for search and seizure
✓ Collecting incident information
❑ Securing and evaluating the crime scene
❑ Initial search of the scene
❑ Seizing evidence at crime scene
✓ Dealing with powered-on computers
✓ Dealing with powered-off computers
✓ Dealing with networked computers
✓ Operating system shutdown procedure
✓ Dealing with mobiles and other handheld devices
Planning the Search and Seizure
A search and seizure plan should contain the following details:
▪ Description of the incident
▪ Case name or title of the incident
▪ Location of the incident
▪ Applicable jurisdiction and relevant legislation
▪ Determining the extent of authority to search
▪ Creating a chain of custody document
▪ Details of equipment to be seized
▪ Search and seizure type (overt/covert)
▪ Approval from local management
▪ Health and safety precautions
Evidence Preservation
1. Evidence preservation refers to the proper handling and documentation of evidence to ensure that it is free from any contamination
2. Any physical and/or digital evidence seized should be isolated, secured, transported and preserved to protect its true state
3. At the time of evidence transfer, both the sender and the receiver need to provide information about the date and time of transfer in the chain of custody record
4. The procedures used to protect the evidence and document it while collecting and shipping are as follows:
▪ The logbook of the project
▪ A tag to uniquely identify any evidence
▪ A chain of custody record
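The chain of custody record described above, as an added example that is not part of the EC-Council module: one uniquely tagged evidence item, an entry per hand-over in which both the releasing and the receiving party supply their own date and time, and a verify() routine that checks the record is internally consistent (each entry released by the previous receiver, received no earlier than released, and no entry rewritten after the fact). The evidence tag, names, timestamps and digest are constructed, and linking each entry to the hash of the previous one is this example's own design choice for making edits detectable, not a requirement the module states.

```python
"""Chain-of-custody record for one tagged evidence item (added example)."""
import hashlib
import json
from datetime import datetime, timedelta, timezone


def _digest(obj: dict) -> str:
    """Stable SHA-256 over a JSON serialisation of one record entry."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class ChainOfCustody:
    def __init__(self, evidence_tag: str, description: str, item_sha256: str, seized_by: str):
        self.evidence_tag = evidence_tag      # unique tag fixed to the item at seizure
        self.description = description
        self.item_sha256 = item_sha256        # digest of the acquired data; never changes
        self.seized_by = seized_by            # first custodian
        self.entries: list[dict] = []

    def transfer(self, released_by: str, released_at: datetime,
                 received_by: str, received_at: datetime, purpose: str) -> dict:
        """Record one hand-over; sender and receiver each give their own timestamp."""
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.item_sha256
        entry = {
            "seq": len(self.entries) + 1,
            "evidence_tag": self.evidence_tag,
            "released_by": released_by,
            "released_at": released_at.isoformat(timespec="seconds"),
            "received_by": received_by,
            "received_at": received_at.isoformat(timespec="seconds"),
            "purpose": purpose,
            "prev_hash": prev_hash,           # links this entry to the one before it
        }
        entry["entry_hash"] = _digest(entry)  # seals the entry's own contents
        self.entries.append(entry)
        return entry

    def verify(self) -> list[str]:
        """Return every inconsistency found; an empty list means the chain is intact."""
        problems = []
        expected_prev = self.item_sha256
        holder = self.seized_by
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if _digest(body) != e["entry_hash"]:
                problems.append(f"entry {e['seq']}: contents altered after sealing")
            if e["prev_hash"] != expected_prev:
                problems.append(f"entry {e['seq']}: not linked to the previous entry")
            if e["released_by"] != holder:
                problems.append(f"entry {e['seq']}: released by {e['released_by']!r} "
                                f"but the custodian on record was {holder!r}")
            if datetime.fromisoformat(e["received_at"]) < datetime.fromisoformat(e["released_at"]):
                problems.append(f"entry {e['seq']}: received before it was released")
            expected_prev = e["entry_hash"]
            holder = e["received_by"]
        return problems

    def current_custodian(self) -> str:
        return self.entries[-1]["received_by"] if self.entries else self.seized_by


def build_sample_chain() -> ChainOfCustody:
    """Constructed sample: seizure, transport to the lab, hand-over for imaging."""
    t0 = datetime(2024, 3, 5, 14, 10, tzinfo=timezone.utc)
    coc = ChainOfCustody("EVD-0001", "Laptop HDD, 500 GB (constructed)",
                         "0" * 64,            # constructed placeholder digest
                         "Officer A")
    coc.transfer("Officer A", t0, "Evidence Manager", t0 + timedelta(minutes=5),
                 "Transport to forensic lab")
    coc.transfer("Evidence Manager", t0 + timedelta(hours=2), "Examiner",
                 t0 + timedelta(hours=2, minutes=1), "Release for imaging")
    return coc


if __name__ == "__main__":
    chain = build_sample_chain()
    print(json.dumps(chain.entries, indent=2))
    print("problems:", chain.verify() or "none", "| custodian:", chain.current_custodian())
```

Running the module prints the two sealed entries and reports no problems; editing any field of an earlier entry, or recording a release by someone who was not the custodian on record, makes verify() name the entry and the reason.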
Data Acquisition
Forensic data acquisition is a process of imaging or collecting information from various media in accordance with certain standards for analyzing its forensic value
Investigators can then forensically process and examine the collected data to extract information relevant to any particular case or incident while protecting the integrity of the data
It is one of the most critical steps of digital forensics, as improper acquisition may alter data in evidence media and render it inadmissible in the court of law
Investigators should be able to verify the accuracy of acquired data, and the complete process should be auditable and acceptable to the court
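Verifying the accuracy of acquired data, as an added example that is not EC-Council's code: the source medium is hashed while it is being imaged, the written image is hashed independently afterwards, and the two digests plus the examiner, evidence tag, byte count and timestamps go into an acquisition record that can be re-checked later. The source here is a constructed in-memory byte string standing in for a drive; on a real acquisition the source would be a device opened read-only behind a write-blocker, and the image path and tag would come from the case file.

```python
"""Forensic acquisition with hash verification and an auditable record (added example)."""
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024   # read size; keeps memory flat for images of any size


def hash_file(path: str, algo: str = "sha256") -> str:
    """Hash a file in chunks so large images never have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path: str, examiner: str, evidence_tag: str) -> dict:
    """Stream `source` into `image_path`, hashing the source bytes as they are read,
    then hash the written image on its own. The two digests must agree; the
    returned record is the entry for the acquisition log."""
    started = datetime.now(timezone.utc)
    h = hashlib.sha256()
    size = 0
    with open(image_path, "wb") as out:
        for chunk in iter(lambda: source.read(CHUNK), b""):
            h.update(chunk)          # digest of what the medium delivered
            out.write(chunk)
            size += len(chunk)
    source_sha256 = h.hexdigest()
    image_sha256 = hash_file(image_path)   # digest of what actually landed on disk
    return {
        "evidence_tag": evidence_tag,
        "examiner": examiner,
        "started": started.isoformat(timespec="seconds"),
        "finished": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "bytes": size,
        "source_sha256": source_sha256,
        "image_sha256": image_sha256,
        "verified": source_sha256 == image_sha256,
    }


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-verify an image against the recorded digest, e.g. before analysis or testimony."""
    return hash_file(image_path) == expected_sha256


def demo() -> tuple[dict, bool, bool]:
    """Constructed medium of 300 KiB; returns (record, verified_before, verified_after_tamper)."""
    medium = io.BytesIO(bytes(range(256)) * 1200)
    image_path = os.path.join(tempfile.mkdtemp(prefix="acq_"), "EVD-0001.dd")
    record = acquire_image(medium, image_path, "Examiner (constructed)", "EVD-0001")
    intact = verify_image(image_path, record["source_sha256"])
    # Flip a single bit in the image to show that later re-verification catches it.
    with open(image_path, "r+b") as f:
        f.seek(1000)
        original = f.read(1)
        f.seek(1000)
        f.write(bytes([original[0] ^ 0x01]))
    after_tamper = verify_image(image_path, record["source_sha256"])
    return record, intact, after_tamper


if __name__ == "__main__":
    rec, before, after = demo()
    for k, v in rec.items():
        print(f"{k:>14}: {v}")
    print("re-verify before tamper:", before, "| after one flipped bit:", after)
```

The record stores both digests rather than one: a mismatch between them points at a write or media error during acquisition, while a later verify_image() failure against a recorded digest points at the image having changed since.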
Data Analysis
❑ Data analysis refers to the process of examining, identifying, separating, converting, and modeling data to isolate useful information
❑ Data analysis techniques depend on the scope of the case or the client's requirements
❑ This phase includes the following:
▪ Analysis of the file's content, date and time of file creation and modification, users associated with file creation, access and file modification, and physical storage location of the file
▪ Timeline generation
▪ Identification of the root cause of the incident
Case Analysis
Investigators can relate the evidential data to the case details for understanding how the complete incident took place and determining the future actions such as the following:
▪ Determine the possibility of exploring other investigative procedures to gather additional evidence (e.g., checking host data and examining network service logs for any information of evidentiary value, collecting case-specific evidence from social media, identifying remote storage locations, etc.)
▪ Gather additional information related to the case (e.g., aliases, email accounts, ISP used, names, network configuration, system logs, and passwords) by interviewing the respective individuals
▪ Consider the relevance of components that are out of the scope of investigation; for example, equipment such as laminators, check paper, scanners, and printers in case of any fraud; or digital cameras in case of child pornography
Gathering and Organizing Information
❑ Identification: Documentation in each phase should be identified to decide whether it is appropriate to the investigation and should be organized in specific categories
❑ Procedures: Following are the procedures for gathering and organizing the required documentation:
▪ Gather all notes from different phases of the investigation process
▪ Identify the facts to be included in the report for supporting the conclusions
▪ List all the evidence to submit with the report
▪ List the conclusions that need to be in the report
▪ Organize and classify the information gathered to create a concise and accurate report
Writing the Investigation Report
Report writing is a crucial stage in the outcome of the investigation
The report should be clear, concise, and written for the appropriate audience
Important aspects of a good report:
✓ It should accurately define the details of an incident
✓ It should convey all necessary information in a concise manner
✓ It should be technically sound and understandable to the target audience
✓ It should be structured in a logical manner so that information can be easily located
✓ It should be able to withstand legal inspection
✓ It should adhere to local laws to be admissible in court
Forensics Investigation Report Template
A forensics investigation report template contains the following:
❑ Executive summary
✓ Case number
✓ Names and Social Security Numbers of authors, investigators, and examiners
✓ Purpose of investigation
✓ Significant findings
✓ Signature analysis
❑ Investigation objectives
❑ Details of the incident
✓ Date and time the incident allegedly occurred
✓ Date and time the incident was reported to the agency’s personnel
✓ Details of the person or persons reporting the incident
❑ Investigation process
✓ Date and time the investigation was assigned
✓ Allotted investigators
✓ Nature of the claim and information provided to the investigators
Forensics Investigation Report Template (Cont'd)
❑ Evidence information
✓ Location of the evidence
✓ List of the collected evidence
✓ Tools involved in collecting the evidence
✓ Preservation of the evidence
❑ Evaluation and analysis process
✓ Initial evaluation of the evidence
✓ Investigative techniques
✓ Analysis of the computer evidence (tools involved)
❑ Relevant findings
❑ Supporting files
✓ Attachments and appendices
✓ Full path of the important files
✓ Expert reviews and opinion
❑ Other supporting details
✓ Attacker's methodology
✓ User's applications and Internet activity
✓ Recommendations
Testifying as an Expert Witness
Presenting digital evidence in the court requires knowledge of new, specialized, evolving, and sometimes complex technology
Familiarize the expert witness with the usual procedures that are followed during a trial
Things that take place in the court room:
▪ The attorney introduces the expert witness
▪ The opposing counsel may try to discredit the expert witness
▪ The attorney leads the expert witness through the evidence
▪ Later, it is followed by the opposing counsel's cross-examination
Module Summary
This module has discussed the forensic investigation process and its importance
It has covered the various activities involved in the pre-investigation phase
It also discussed in detail the activities performed in the investigation phase
Finally, this module ended with a detailed discussion of the post-investigation phase activities
The next module discusses hard disks and file systems in detail