Implementing Sound Digital Forensic Methodology Resubmission
School: SUNY Buffalo State College
Course: COMPUTER F
Subject: Information Systems
Date: Dec 6, 2023
Pages: 9
DIGITAL FORENSIC SCIENCE (DFS-501-85A)
WEEK 1: IMPLEMENTING A SOUND DIGITAL FORENSIC METHODOLOGY
CLIFFORD KWAME ATTAGLO
AKETTE COWART
NOVEMBER 1, 2023
Background
For this week, we are to prepare for a meeting with the OOO Chief Security Officer by creating a
detailed outline that uses each of the ADFPM phases as a major heading and discusses each phase
thoroughly. We are also to discuss how each phase relates to the suspected incident described in
the scenario provided, the importance of these phases, and examples of the tasks I plan to
accomplish at each phase. The digital forensic model, abbreviated ADFPM, is a tool for digital
forensics. It is a model that provides a clear and structured way to proceed with digital
evidence. It is made up of nine phases: identification, preservation, collection, examination,
analysis, reconstruction, documentation, presentation and returning evidence. I shall proceed
with the meeting using these phases, connecting the nodes of evidence together as in the scenario.
Using ADFPM to create a detailed outline for the NIST Data Leakage Scenario.
A meeting with the Chief Security Officer of OOO about the leakage of data in the company is
something a Digital Forensic Investigator would prepare for in advance by creating a detailed
outline of the whole issue so that the Police can comprehend it. A structured model is needed to
explain the crime to Police investigators in fine detail, phase by phase. The ADFPM is the best
fit for this scenario, as it is a structured model that moves systematically through the stages.
Identification
Evidence: USB Thumb Drive, CD-R, Phone, Computer, Emails, Hard Drives.
Summary
This is the stage where the identification of evidence takes center stage. Every case
starts with the identification of suspicious items in someone's possession. In our scenario, Mr.
Informant was found with a USB thumb drive and a CD-R, which is against OOO policy,
and hence those items need to be seized. This raises an alarm for investigation and a need to
look for other sources such as personal computers, email, cloud storage, phones, etc.
Preparation
Tools: Workstation, FTK Imager, SafeBlock, F-Response, Magnet Acquire.
Validation of Tools: All the necessary tools and software needed for the case must be
tested in advance, before they are used for the job. This tests the validity and efficacy
of each tool to see whether it can execute the job without making any modifications to the
evidence being acquired.
Summary
This phase deals with preparing the right tools and techniques for the collection of
evidence and is deemed one of the most important parts of the ADFPM. If the wrong tools
and techniques are used, the results of the investigation as a whole would be skewed and
potential evidence for prosecution would not be obtained. This is the phase where tools are
validated before being used to unearth any evidence found in the seized devices, in items
sent through email, and in data stored in the cloud. This is done to ensure that the selected
tools can be used to execute the job.
Approach Strategy
Interview: Mr. Informant needs to be interviewed to find out the motive behind stealing
OOO's intellectual property. This would save investigators time and energy, as they
would know where to direct their effort in collecting evidence. It would also give
investigators the opportunity to learn who else is involved in this grand
conspiracy to steal. Lastly, it gives OOO the opportunity to learn the loopholes in the
organization and find ways to address them through administrative or technical
measures.
Collection: How is evidence going to be collected? What materials and tools are needed
to collect evidence, and how will it be stored? Where should sources of evidence be
looked for: cloud, social media accounts, phones, personal computers? All these
strategies can be hatched at this phase of the ADFPM.
Summary
This phase involves strategizing the investigation to put it on the right path, so as to avoid
collecting unnecessary evidence and tampering with evidence. This is the phase that needs a
lot of planning, as it makes the investigation less cumbersome and straight to the point. In
fact, it puts the investigation into sequential steps.
Preservation
Package: This is very important, as not just anything can be used to package electronic
devices. Antistatic bags, evidence bags and similar containers would be used to
preserve the USB thumb drive and the CD-R seized from Mr. Informant, as well as the
forensic copies. The original source evidence identified during the identification phase
would be kept in a safe box.
Chain of Custody: Chain of custody refers to the logical sequence that records the
custody, control, transfer, analysis, and disposition of physical or electronic
evidence in legal cases. Each step in the chain is essential; if the chain is broken, the
evidence may be rendered inadmissible. Its importance cannot be overemphasized, as it
preserves the integrity of the evidence.
Summary
Preservation has to do with the integrity and security of evidence, and it is
important in digital forensics. The first rule for all investigations is to
preserve the evidence, which means it shouldn't be tampered with or contaminated.
Preserving the integrity of evidence would be good for prosecution. In this scenario, the
evidence seized from Mr. Informant was carefully packaged and transported to the
forensic lab for further analysis. In the same way, making forensic copies of the USB thumb
drive and CD-R and storing the original evidence in a storage room would prevent it from
being contaminated. Warrants would be secured to confiscate any other sources of
evidence deemed essential to the investigation. I would ensure that evidence is
labelled and that evidence forms are filled out. These steps ensure the integrity of the
evidence.
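As an added illustration (not part of the original outline) of two points above, the Preparation-phase tool validation and the Preservation-phase chain of custody, the Python below hashes a constructed stand-in for the seized USB thumb drive, tests whether an imaging tool copies it exactly without writing to it, and keeps an append-only custody log for the exhibit. The exhibit label, the people named and the drive contents are invented for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

def sha256_hex(data) -> str:
    """Fingerprint for source media and for every forensic copy made from it."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class EvidenceItem:
    """One labelled exhibit and its custody log (who held it, when, and why)."""
    label: str
    description: str
    source_hash: str
    custody_log: list = field(default_factory=list)

    def transfer(self, from_person: str, to_person: str, reason: str) -> None:
        """Each hand-off is appended, never edited, so the chain stays unbroken."""
        self.custody_log.append({"time": datetime.now(timezone.utc).isoformat(),
                                 "from": from_person, "to": to_person,
                                 "reason": reason})

def validate_acquisition(source: bytearray, acquire) -> bool:
    """Preparation-phase tool test: the imager must copy the source exactly
    and must leave the source unchanged while doing so."""
    before = sha256_hex(source)
    image = acquire(source)
    after = sha256_hex(source)
    return before == after == sha256_hex(image)

def verify_copy(item: EvidenceItem, working_copy: bytes) -> bool:
    """Preservation check before examination: the working copy must still
    match the hash recorded when the exhibit was seized."""
    return sha256_hex(working_copy) == item.source_hash

def faithful_tool(src: bytearray) -> bytes:
    return bytes(src)  # behaves like a validated imager: bit-for-bit copy

def writing_tool(src: bytearray) -> bytes:
    src[0] ^= 0xFF    # a defective tool that writes to the evidence it reads
    return bytes(src)

# Constructed sample data: stands in for the seized USB thumb drive's contents.
USB_CONTENTS = b"OOO CONFIDENTIAL design notes\x00" * 64
EXHIBIT = EvidenceItem("EX-01", "USB thumb drive seized from Mr. Informant",
                       sha256_hex(USB_CONTENTS))
EXHIBIT.transfer("seizing officer", "forensic lab", "imaging and analysis")
```

A real lab would record the same hashes on the evidence form and hash the physical image file produced by the imager, but the comparison logic is the same.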
Collection
Tools: Autopsy, FTK Imager, F-Response, SafeBlock, Magnet Acquire etc.
Evidence: USB thumb drive, CD-R, E-mails, Cloud Storage, Hard drives
Summary
This part of the ADFPM involves recording the physical scene and duplicating
evidence using standard and acceptable procedures. It is the phase where data from potential
electronic devices is extracted using our validated tools. At this point, making
forensic copies of evidence is crucial: working from copies prevents the source evidence
from being tampered with and preserves the integrity of the evidence and of the
investigation. By the end of this phase, the evidence needed for the investigation will
have been collected. This includes imaging drives, recording the scene, and copying all other
evidence from computer hard drives, phones, servers, the internet, and all other potential
evidence necessary for the investigation. From the scenario, the evidence to be collected
includes the USB thumb drive, CD-R, phone, laptop, emails, internal and external storage,
cloud storage and other sources deemed fit for the purpose of the investigation. Lastly, all
evidence collected would be photographed and documented.
Examination
This part deals with the relevant examination of the information and with finding more related
leads from the information gathered. This is where devices and information are examined so
that headway can be made and more leads into the case emerge. It helps determine what to look
out for, including the raw data yet to be analyzed. In our scenario, the evidence found on the
suspect was examined. This helps in determining what the items potentially carry and the motive
behind it. The items seized from Mr. Informant also give a hint about where to look for further
evidence.
Analysis
Tools: Autopsy, FTK Imager, F-Response, SafeBlock, Magnet Acquire etc.
Summary
This is the part where all potential tools and evidence are analyzed to determine whether a
crime has really been committed and whether there is enough evidence for the crime.
This stage is one of the most important phases in digital forensics, since this is where the
decision is made to continue or discontinue the investigation or case. Much care is
needed at this stage, as this is where the evidence gathered is linked to the suspect, and care is
necessary to avoid mistakes. Recovering stolen data, identifying evidence, and recovering
deleted and damaged data are done at this stage.
Presentation
Tools: Microsoft PowerPoint
As the investigator, I would present my findings to OOO. This would be done in both a
non-technical and a technical way, giving those who are not forensics-savvy the
opportunity to understand my presentation. The presentation would also include graphs
and other visual aids. The PowerPoint presentation would be complemented by a
detailed report of my findings.
Summary
This phase is where the investigator presents his or her findings to the requesting
organization or the initiators of the investigation. The presentation is delivered in
Microsoft PowerPoint in both non-technical and technical terms to the requestor, with the
aid of graphs and other visual aids, and is supported by a detailed report. This phase also
walks non-technical and technical people through how the investigation went and the
techniques, tools, and theories used to arrive at a conclusion. At this point, all necessary
evidence and motive would have been unearthed, and decisions made.
Returning Evidence
This phase is the last stage of the ADFPM, where the evidence used for the investigation is
returned to the requester of the investigation. This would be evidence such as the USB thumb
drive, the CD-R, and all other evidence collected during the various stages of the investigation,
as there would be no need to keep the evidence any longer. This stage is necessary because it
prevents issues of legal litigation.