Thursday, October 21, 2010

Key steps in conducting forensic investigations.

Before proceeding with an investigation, the forensic investigation team must be well prepared and equipped with the necessary prerequisite facilities. The steps indicated below are the steps a forensic team should follow, although the process is not limited to these.

I. Policy and procedure development

Developing proper policies and procedures gives clear guidance on the functional and operational behavior of the forensic unit, and a mission statement keeps the unit focused on its purpose.

· Software licensing – Purchase the required software and licenses for the forensics unit

· Training – The forensic team requires specialized training for investigations.

· Resource allocation – Allocate funds and other resources

II. Evidence assessment

The forensic investigator must determine the actions to be taken after assessing the evidence against the scope of the case.

· Case assessment – Determine whether you need to seek additional evidence such as fingerprints, DNA analysis, etc.

· Processing location assessment – Identify where the examination will take place (in a lab environment or on site)

· Legal considerations – What is the extent of the authority to search?

III. Evidence acquisition

Digital evidence is easily destroyed, damaged or altered because of its sensitivity, so protecting and handling it correctly throughout the entire process is critical.

· Imaging – Extract the evidence data by attaching the storage device to a forensically clean system.

· Write protection – Compute an MD5 (Message Digest 5) hash or CRC (Cyclic Redundancy Check) before and after the examination of the evidence to determine whether the evidence has been tampered with during the examination process.
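The before-and-after check described above, as an added example that is not part of the original post: the MD5 and CRC values are computed once at acquisition and recorded, then recomputed after the examination; the file name, the 2 MiB image and the single flipped byte are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import zlib

CHUNK = 1 << 20  # stream large images in 1 MiB pieces instead of loading them whole


def fingerprint_stream(chunks):
    """MD5 and CRC32 of a byte stream in one pass. These are the two checks the post
    names; CRC32 is cheap but weak, so MD5 is the value that actually matters."""
    md5 = hashlib.md5()
    crc = 0
    for block in chunks:
        md5.update(block)
        crc = zlib.crc32(block, crc)
    return md5.hexdigest(), f"{crc & 0xFFFFFFFF:08x}"


def fingerprint(path):
    """Hash a file such as a disk image without reading it into memory at once."""
    with open(path, "rb") as f:
        return fingerprint_stream(iter(lambda: f.read(CHUNK), b""))


def record_acquisition(path):
    """The 'before' values, taken right after imaging; these go into the evidence log."""
    md5, crc = fingerprint(path)
    return {"path": path, "md5": md5, "crc32": crc}


def verify(record):
    """The 'after' check: recompute and compare with the logged values. False means the
    image changed since acquisition and the examination must be redone on a fresh copy."""
    md5, crc = fingerprint(record["path"])
    return md5 == record["md5"] and crc == record["crc32"]


def demo():
    """Constructed data: a fake 2 MiB image. Returns (verified_untouched, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")  # hypothetical image name
        with open(img, "wb") as f:
            f.write(os.urandom(2 * 1024 * 1024))
        log = record_acquisition(img)
        untouched = verify(log)
        with open(img, "r+b") as f:  # flip one byte, as a careless write would
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0x01]))
        return untouched, verify(log)
```

Run `demo()` to see that the untouched image verifies and the altered one does not; the same pattern, with a stronger hash added alongside MD5, is what belongs in the chain-of-custody log.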

IV. Evidence examination

This process differs according to the case the investigator is working on, the method and tools used, and the methodology of the investigation. Examination should never be performed on the original evidence.

· Preparation – Create a unique folder on a separate system into which the evidence data is extracted

· Extraction

i. Physical – Extract and recover data from the full physical drive

ii. Logical – Extract and recover data based on the operating system, file structure, etc.

iii. Analysis of data – Match the relevance of the evidence data to the case being examined.

V. Documenting and reporting

All incidents have to be documented with timelines of their occurrence from the beginning to the closure of the case, and each and every supporting document should be filed accordingly. A final report has to be produced for the case if needed, or only to the relevant authority.
