Digital forensic investigation process

(@shaharom)
New Member
Joined: 8 years ago
Posts: 1
 

Hello guys. I’m new here. I’m working in the administrative department and, due to one major incident involving data theft and unauthorized disclosure of sensitive information, my company wants to set up a digital forensic investigation team. I have zero knowledge of the digital forensic investigation process, so what do I need to do first, and is there any best practice regarding the digital forensic investigation process that I can follow? Hope you guys can help me. Thank you!

Hi Anuar,

If I might add, you also need to take into consideration the investigation or examination process itself. There are 5 stages of examination that are normally used:

1) Readiness- For the forensic examiner themselves, readiness will include appropriate training, regular testing and verification of their software and equipment, familiarity with legislation, dealing with unexpected issues and ensuring that the on-site acquisition (data extraction) kit is complete and in working order.

2) Evaluation- The evaluation stage includes the receiving of instructions, the clarification of those instructions if unclear or ambiguous, risk analysis and the allocation of roles and resources. Risk analysis for law enforcement may include an assessment on the likelihood of physical threat on entering a suspect’s property and how best to counter it.

3) Collection- If acquisition is to be carried out on-site rather than in a computer forensic laboratory, then this stage would include identifying and securing devices which may store evidence and documenting the scene. It also includes interviews or meetings with personnel who may hold information relevant to the examination. The collection stage also involves the labelling and bagging of evidential items from the site, to be sealed in numbered tamper-evident bags.

4) Analysis- Analysis depends on the specifics of each job. There are myriad tools available for computer forensics analysis. In my opinion, the investigation team should use any tool they feel comfortable with as long as they can justify their choice.

5) Presentation - The investigator produces a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation.


   
(@john9989)
New Member
Joined: 8 years ago
Posts: 1
 

Hello

I agree with all the answers given by my fellow colleagues here. Another important aspect that you should look into when setting up an investigation team is to be aware of and understand the issues facing computer forensics, in terms of technical, legal and administrative aspects. By understanding the issues you might have better insight into how to set up your team later.

1) Technical issues

Encryption – Encrypted data can be impossible to view without the correct key or password. Examiners should consider that the key may be stored elsewhere on the computer or on another computer which the suspect has had access to.
New technologies – Computing is a continually evolving field, with new hardware, software and operating systems emerging constantly. No single computer forensic examiner can be an expert on all areas,
Anti-forensics – Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, the over-writing of data to make it unrecoverable, the modification of files’ metadata and file obfuscation (disguising files). And there is more and more free anti-forensic software available on the net now.

2) Legal issues
Legal issues may confuse or distract from a computer examiner’s findings. A competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss an argument. A good examiner will have identified and addressed possible arguments from the “opposition” while carrying out the analysis and in writing their report.

3) Administrative issues
Standards – There are a plethora of standards and guidelines in computer forensics, few of which appear to be universally accepted. So you need to be aware of which standard your company wants to follow.
Fit to practice – In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality.

Good luck!


   