5 Steps for Conducting Computer Forensics Investigations
The field of computer forensics investigation is growing, especially as law enforcement and legal entities realize just how valuable information technology (IT) professionals are when it comes to investigative procedures. With the advent of cyber crime, tracking malicious online activity has become crucial for protecting private citizens, as well as preserving online operations in public safety, national security, government and law enforcement. Tracking digital activity allows investigators to connect cyber communications and digitally-stored information to physical evidence of criminal activity; computer forensics also allows investigators to uncover premeditated criminal intent and may aid in the prevention of future cyber crimes. For those working in the field, there are five critical steps in computer forensics, all of which contribute to a thorough and revealing investigation.
Policy and Procedure Development
Whether related to malicious cyber activity, criminal conspiracy or the intent to commit a crime, digital evidence can be delicate and highly sensitive. Cybersecurity professionals understand the value of this information and respect the fact that it can be easily compromised if not properly handled and protected. For this reason, it is critical to establish and follow strict guidelines and procedures for activities related to computer forensic investigations. Such procedures can include detailed instructions about when computer forensics investigators are authorized to recover potential digital evidence, how to properly prepare systems for evidence retrieval, where to store any retrieved evidence, and how to document these activities to help ensure the authenticity of the data.
Law enforcement agencies are becoming increasingly reliant on designated IT departments, which are staffed by seasoned cybersecurity experts who determine proper investigative protocols and develop rigorous training programs to ensure best practices are followed in a responsible manner. In addition to establishing strict procedures for forensic processes, cybersecurity divisions must also set forth rules of governance for all other digital activity within an organization. This is essential to protecting the data infrastructure of law enforcement agencies as well as other organizations.
An integral part of the investigative policies and procedures for law enforcement organizations that utilize computer forensic departments is the codification of a set of explicitly-stated actions regarding what constitutes evidence, where to look for said evidence and how to handle it once it has been retrieved. Prior to any digital investigation, proper steps must be taken to determine the details of the case at hand, as well as to understand all permissible investigative actions in relation to the case; this involves reading case briefs, understanding warrants and authorizations and obtaining any permissions needed prior to pursuing the case.
A key component of the investigative process involves the assessment of potential evidence in cyber crime. Central to the effective processing of evidence is a clear understanding of the details of the case at hand and thus, the classification of cyber crime in question. For instance, if an agency seeks to prove that an individual has committed crimes related to identity theft, computer forensics investigators use sophisticated methods to sift through hard drives, email accounts, social networking sites and other digital archives to retrieve and assess any information that can serve as viable evidence of the crime. This is, of course, true for other crimes, such as engaging in online criminal behavior like posting fake products on eBay or Craigslist intended to lure victims into sharing credit card information. Prior to conducting an investigation, the investigator must define the types of evidence sought (including specific platforms and data formats) and have a clear understanding of how to preserve pertinent data. The investigator must then determine the source and integrity of such data before entering it into evidence.
Perhaps the most critical facet of successful computer forensic investigation is a rigorous, detailed plan for acquiring evidence. Extensive documentation is needed prior to, during, and after the acquisition process; detailed information must be recorded and preserved, including all hardware and software specifications, any systems used in the investigation process, and the systems being investigated. This step is where policies related to preserving the integrity of potential evidence are most applicable. General guidelines for preserving evidence include: the physical removal of storage devices, using controlled boot discs to retrieve sensitive data and ensure functionality, and taking appropriate steps to copy and transfer evidence to the investigator’s system.
Acquiring evidence must be accomplished in a manner both deliberate and legal. Being able to document and authenticate the chain of evidence is crucial when pursuing a court case, and this is especially true for computer forensics given the complexity of most cybersecurity cases.
In order to effectively investigate potential evidence, procedures must be in place for retrieving, copying, and storing evidence within appropriate databases. Investigators typically examine data from designated archives, using a variety of methods and approaches to analyze information; these could include utilizing analysis software to search massive archives of data for specific keywords or file types, as well as procedures for retrieving files that have been recently deleted. Data tagged with times and dates is particularly useful to investigators, as are suspicious files or programs that have been encrypted or intentionally hidden.
Analyzing file names is also useful, as it can help determine when and where specific data was created, downloaded, or uploaded and can help investigators connect files on storage devices to online data transfers (such as cloud-based storage, email, or other Internet communications). This can also work in reverse order, as file names usually indicate the directory that houses them. Files located online or on other systems often point to the specific server and computer from which they were uploaded, providing investigators with clues as to where the system is located; matching online filenames to a directory on a suspect’s hard drive is one way of verifying digital evidence. At this stage, computer forensic investigators work in close collaboration with criminal investigators, lawyers, and other qualified personnel to ensure a thorough understanding of the nuances of the case, permissible investigative actions, and what types of information can serve as evidence.
Documenting and Reporting
In addition to fully documenting information related to hardware and software specs, computer forensic investigators must keep an accurate record of all activity related to the investigation, including all methods used for testing system functionality and retrieving, copying, and storing data, as well as all actions taken to acquire, examine and assess evidence. Not only does this demonstrate how the integrity of user data has been preserved, but it also ensures proper policies and procedures have been adhered to by all parties. As the purpose of the entire process is to acquire data that can be presented as evidence in a court of law, an investigator’s failure to accurately document his or her process could compromise the validity of that evidence and ultimately, the case itself.
For computer forensic investigators, all actions related to a particular case should be accounted for in a digital format and saved in properly designated archives. This helps ensure the authenticity of any findings by allowing these cybersecurity experts to show exactly when, where, and how evidence was recovered. It also allows experts to confirm the validity of evidence by matching the investigator’s digitally recorded documentation to dates and times when this data was accessed by potential suspects via external sources.
Now more than ever, cybersecurity experts in this critical role are helping government and law enforcement agencies, corporations and private entities improve their ability to investigate various types of online criminal activity and face a growing array of cyber threats head-on. IT professionals who lead computer forensic investigations are tasked with determining specific cybersecurity needs and effectively allocating resources to address cyber threats and pursue perpetrators of said same. A master’s degree in information security and assurance has numerous practical applications that can endow IT professionals with a strong grasp of computer forensics and practices for upholding the chain of custody while documenting digital evidence. Individuals with the talent and education to successfully manage computer forensic investigations may find themselves in a highly advantageous position within a dynamic career field.
As the nation’s oldest private military college, Norwich University has been a leader in innovative education since 1819. Through its online programs, Norwich delivers relevant and applicable curricula that allow its students to make a positive impact on their places of work and their communities.
At Norwich University, we extend a tradition of values-based education, where structured, disciplined, and rigorous studies create a challenging and rewarding experience. Online programs, such as the Master of Science in Information Security & Assurance, have made our comprehensive curriculum available to more students than ever before.
Norwich University has been designated as a Center for Academic Excellence in Cyber Defense Education by the National Security Agency and Department of Homeland Security. Through your program, you can choose from five concentrations that are uniquely designed to provide an in-depth examination of policies, procedures, and overall structure of an information assurance program.