Computer Forensics Investigation - A Case Study PDF

This document outlines the process and principles for conducting a computer forensics investigation according to ACPO guidelines. It discusses the four principles of computer forensics which include not altering data, maintaining competence, documenting processes, and overall responsibility. It also describes the Four Step Forensics Process model used for this investigation, which includes preparation, collection, examination, and analysis of evidence. The scope is to identify security issues and determine appropriate legal and remedial actions.

Uploaded by

Tefe

5/17/2020 Computer Forensics Investigation – A Case Study

This forensic investigation will be conducted as per the Association of Chief Police Officers (ACPO) guidelines and
their four principles for computer-based electronic evidence. These principles must be followed whenever a person
conducts a computer forensic investigation. A summary of those principles follows (ACPO, 2013):

Principle 1: Data held on a computer or storage media must not be altered or changed, as that data may later be
presented in court.

Principle 2: Where it is necessary to handle the original data held on a computer or storage media, the person doing
so must be competent to do so, and must be able to give evidence explaining the relevance and course of their
actions.

Principle 3: An audit trail or other documentation of all processes applied to computer-based electronic evidence
should be created and preserved. An independent third party should be able to examine those processes and
achieve the same result.

Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and the
ACPO principles are adhered to.

4. Computer Investigation Model


According to Kruse II, W.G., and Heiser, J.G. (2010), a computer investigation identifies the evidence, preserves
it, extracts it, documents each and every process, validates the evidence and analyses it to find the root cause,
and on that basis provides recommendations or solutions.

“Computer Forensics is a new field and there is less standardization and consistency across the courts and industry”
(US-CERT, 2012). Each computer forensic model is focused on a particular area such as law enforcement or
electronic evidence discovery. There is no single digital forensic investigation model that has been universally
accepted. However, it is generally accepted that a digital forensic model framework must be flexible, so that it
can support any type of incident and new technologies (Adam, R., 2012).

Kent, K., et al. (2006) developed a basic digital forensic investigation model called the Four Step Forensics Process
(FSFP), following the idea of Venter (2006) that a digital forensics investigation can be conducted even by
non-technical persons. This model gives more flexibility than any other model, so that an organization can adopt the
most suitable approach based on the situation that occurred. These are the reasons we chose this model for this
investigation. FSFP contains the following four basic processes, as shown in the figure:

Figure 1: FSFP Forensic Investigation Model

Source: Kent, K., et al. (2006)

The “Preserve and Document Evidence” arrow indicates that we must preserve and document all evidence during the
course of the investigation, as in some cases it may be submitted to the court. We will discuss each process or
stage of the FSFP investigation model in the following sections.
https://resources.infosecinstitute.com/computer-forensics-investigation-case-study/#gref 1/3
5. Scope of Investigation
The scope of the forensic investigation for this case is as follows:

To identify the malicious activities with respect to 5Ws (Why, When, Where, What, Who).
To identify the security lapse in their network.
To determine the impact if the network system was compromised.
To identify the legal procedures, if needed.
To provide remedial actions in order to harden the system.

6. Legal Challenges of Investigation


According to Nelson, B., et al. (2008), the legal challenges to address before we start our forensic investigation are as follows:

Determining whether law enforcement assistance is needed; if so, they may be available to assist during the
investigation, or else we have to submit the investigation report to them at the end of the investigation.
Obtaining written permission to conduct the forensic investigation, unless another incident response
authorization procedure is present.
Discussing with legal advisors the potential issues that could be raised by improper handling of the
investigation.
Ensuring the clients’ confidentiality and privacy issues are accounted for.

7. Initial Preparation
Before starting the investigation we need to prepare, so that the investigation can be conducted efficiently.
This is considered a proactive measure of the investigation (Murray, 2012). The following steps need to be taken
in the preparation stage:

Gathering all available information by assessing the incident, such as the severity of the incident.
Identifying the impact of the investigation on the SME's business, such as network downtime, duration of
recovery from the incident, loss of revenue, and loss of confidential information.
Obtaining information on the networks and network devices (routers, switches, hubs, etc.), network topology
documentation, computers, servers, firewalls and the network diagram.
Identifying external storage devices such as pen drives, flash drives, external hard disks, CDs, DVDs, memory
cards and remote computers.
Identifying the forensic tools which can be used in this investigation.
Capturing live network traffic with ‘netmon’ tools, in case the suspicious activities are still running.
Documenting all activities during the investigation, which may be used in court to verify the course of action
that was followed.
Imaging the target devices’ hard drives and hashing them with MD5 for data integrity.
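The following is an added example, not code from the article or from Kent et al.; it shows ACPO Principle 1 (the original is not altered) and Principle 3 (an audit trail a third party can replay) together with the imaging-and-hashing preparation step above. A constructed byte string stands in for the target drive, shutil.copyfile stands in for a bit-level imaging tool, and the examiner name and file names are assumptions. It computes MD5 as the article prescribes and SHA-256 alongside it, because MD5 collisions are practical and a second digest lets the integrity claim survive a challenge; the source is re-hashed after imaging to show it was not altered, and each step is appended to a JSON-lines audit trail.

```python
"""Added example: image a source, verify integrity with MD5 and SHA-256,
and keep an append-only audit trail (constructed data, not a real device)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Return MD5 and SHA-256 digests of a file, read in chunks so that a
    large disk image never has to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


class AuditTrail:
    """Principle 3: every action is recorded with who, when, what and the
    resulting hashes, so an independent party can repeat the steps."""

    def __init__(self, log_path: Path, examiner: str):
        self.log_path = log_path
        self.examiner = examiner  # assumed examiner identifier

    def record(self, action: str, **details) -> dict:
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "examiner": self.examiner,
            "action": action,
            **details,
        }
        with self.log_path.open("a", encoding="utf-8") as fh:  # append only
            fh.write(json.dumps(entry) + "\n")
        return entry

    def entries(self) -> list:
        with self.log_path.open(encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]


def acquire_image(source: Path, image: Path, trail: AuditTrail) -> dict:
    """Principle 1: the source is only ever opened read-only; the working
    copy is the image, and matching hashes prove it is a faithful copy."""
    before = hash_file(source)
    trail.record("hash_source", source=str(source), **before)
    shutil.copyfile(source, image)  # stands in for a bit-level imaging tool
    image_hashes = hash_file(image)
    after = hash_file(source)  # re-hash the source: proves it was not altered
    verified = before == image_hashes == after
    trail.record("acquire_image", source=str(source), image=str(image),
                 verified=verified, **image_hashes)
    return {"verified": verified, **image_hashes}


def demo() -> dict:
    """Run the acquisition on a constructed sample 'disk' in a temp dir."""
    work = Path(tempfile.mkdtemp())
    source = work / "target_disk.bin"
    source.write_bytes(b"constructed sample disk contents\x00" * 1024)
    trail = AuditTrail(work / "audit.jsonl", examiner="examiner-01")
    result = acquire_image(source, work / "target_disk.img", trail)
    result["audit_entries"] = len(trail.entries())
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a script and the two audit entries, with both digests, are written next to the image; in a real acquisition the copy step is a write-blocked imager and the source hash is taken from the blocked device.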


8. Collection
“The collection phase is the first phase of this process is to identify, label, record, and acquire data from the possible
sources of relevant data, while following guidelines and procedures that preserve the integrity of the data” (CJCSM
6510.01B, 2012). There are two different types of data that can be collected in a computer forensics investigation.
They are volatile data and non-volatile data (persistent data). Volatile data is data that exists while the system is on
and is erased when it is powered off, e.g. Random Access Memory (RAM), registry and caches. Non-volatile data is data
that exists on a system whether the power is on or off, e.g. documents on the hard disk. Since volatile data is short-lived,
a computer forensic investigator must know the best way to capture it. Evidence can be collected locally or remotely.
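Added example, not code from the article or from CJCSM 6510.01B: an evidence register for the collection phase that walks the identify, label, record and acquire steps of the quotation above and sequences them by volatility, so that RAM, network state and process lists are captured before a host is powered down for disk imaging. The case ID, host names, evidence kinds and the volatility ranking are this example's own assumptions; treating registry and caches as volatile follows the text above.

```python
"""Added example: an evidence register for the collection phase that
identifies, labels, records and acquires sources in order of volatility.
All hosts, items and rankings are constructed sample data."""
from dataclasses import dataclass

# Order of volatility assumed for this example (lower rank = capture first).
VOLATILITY_RANK = {
    "ram": 0, "network_state": 1, "running_processes": 2,
    "registry": 3, "cache": 4, "disk": 10, "removable_media": 11,
}


@dataclass
class EvidenceItem:
    host: str
    kind: str
    description: str
    location: str            # "local" or "remote" acquisition
    label: str = ""
    seq: int = 0
    acquired_with: str = ""  # tool or method recorded at acquisition time

    @property
    def volatile(self) -> bool:
        return VOLATILITY_RANK[self.kind] < 10

    @property
    def acquired(self) -> bool:
        return bool(self.acquired_with)


class CollectionPlan:
    def __init__(self, case_id: str):
        self.case_id = case_id
        self.items: list[EvidenceItem] = []

    def identify(self, host, kind, description, location="local") -> None:
        """Step 1: identify a possible source of relevant data."""
        if kind not in VOLATILITY_RANK:
            raise ValueError(f"unknown evidence kind: {kind}")
        self.items.append(EvidenceItem(host, kind, description, location))

    def label_all(self) -> list:
        """Step 2: sequence volatile sources first (they vanish on power-off),
        then give each item a case-scoped label."""
        self.items.sort(key=lambda i: (VOLATILITY_RANK[i.kind], i.host))
        for seq, item in enumerate(self.items, start=1):
            item.seq, item.label = seq, f"{self.case_id}-E{seq:03d}"
        return self.items

    def acquire(self, label: str, method: str) -> EvidenceItem:
        """Steps 3 and 4: record how an item was acquired, refusing to touch
        non-volatile data on a host whose volatile sources are still pending."""
        matches = [i for i in self.items if i.label == label]
        if not matches:
            raise KeyError(label)
        item = matches[0]
        if not item.volatile:
            pending = [i.label for i in self.items
                       if i.host == item.host and i.volatile and not i.acquired]
            if pending:
                raise RuntimeError(f"capture {pending} on {item.host} before {label}")
        item.acquired_with = method
        return item

    def register(self) -> list:
        """Human-readable evidence register, one line per item."""
        return [f"{i.label} {i.host:<6} {i.kind:<16} {i.location:<6} "
                f"{'acquired' if i.acquired else 'pending'}" for i in self.items]


def demo() -> CollectionPlan:
    plan = CollectionPlan("CASE-0001")  # constructed case and hosts
    plan.identify("ws-17", "disk", "workstation system drive")
    plan.identify("ws-17", "ram", "physical memory")
    plan.identify("fw-01", "network_state", "firewall connection table", "remote")
    plan.identify("ws-17", "removable_media", "USB pen drive found at desk")
    plan.label_all()
    plan.acquire("CASE-0001-E001", "memory capture tool")  # ws-17 RAM comes first
    return plan


if __name__ == "__main__":
    print("\n".join(demo().register()))
```

The register is the "record" part of the phase: together with the audit trail kept under Principle 3 it shows what was identified, in what order it was taken and by what method, which is what a court or an independent examiner will ask for.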
