Implementing a Sound Digital Forensic Methodology

School: SUNY Buffalo State College
Course: COMPUTER F
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 6
Uploaded by DeanField4049
DIGITAL FORENSIC SCIENCE (DFS-501-85A)
WEEK 1: IMPLEMENTING A SOUND DIGITAL FORENSIC METHODOLOGY
CLIFFORD KWAME ATTAGLO AKETTE COWART
NOVEMBER 1, 2023
DFS 501-85A: IMPLEMENTING A SOUND DIGITAL FORENSIC METHODOLOGY

Background

For this week, we are to prepare for a meeting with the OOO Chief Security Officer by creating a detailed outline that uses each of the ADFPM phases as a major heading and discusses each phase thoroughly. We are also to discuss how each phase relates to the suspected incident described in the scenario, the importance of these phases, and examples of the tasks I plan to accomplish in each phase. The digital forensic model, abbreviated ADFM, is a tool for digital forensics: a model that provides a clear and structured way to proceed with digital evidence. It is made up of nine phases: identification, preservation, collection, examination, analysis, reconstruction, documentation, presentation and returning evidence. I shall proceed through the meeting using these phases, connecting the nodes of evidence together as in the scenario.

Identification

This first step is to identify the devices and resources that might contain data relevant to the investigation. Every case starts with identifying the contraband goods found with the accused person. You need to identify which pieces of data are relevant to the investigation, and possession is essential in making a case against an accused person. In the scenario, the OOO security team found the suspect in possession of a USB thumb drive and a CD-R, which are treated as contraband and therefore raise the suspicion of stealing trade secrets. Identification could go further to include all systems the accused has access to, as well as company and personal emails.

Preparation

The preparation stage is deemed one of the most important parts of the ADFM process model. At this stage, examiners select and test the right tools for the job: would the tools and software available be able to make a bit-for-bit copy of the seized items, including the USB thumb drive, CD-R, HDD, SSD and emails? Once the examiner's forensic platform is ready, the forensic data is duplicated and its integrity verified; possibly several duplicate copies are made. The integrity of the copied data is verified against the hash value of the original data. In this scenario, the security officer found the contraband goods with the accused and briefly inspected them, but could not detect any possible leakage. Since the USB thumb drive and CD-R are storage devices whose contents could not be known, and which could possibly contain OOO trade secrets, it is necessary to seize them for forensic examination. The seized evidence is therefore packaged and labelled in the presence of the accused, a chain of custody form is filled out, and the evidence is sent for safe keeping. This gives the examiners room to make a copy of the seized devices for further analysis.

Approach strategy

The goal of this phase is to maximize the collection of untainted evidence while minimizing the impact on the victim. Time is of the essence in all investigations, but in cases like robbery, murder, kidnapping and hostage rescue, acquiring clues from digital devices immediately is very important, and a strategy must be in place to progress through the case. Time needs to be apportioned appropriately, for example for interviewing and cautioning the suspect. In this scenario, the evidence retrieved from the accused person consists entirely of electronic devices, which must be sent to the forensic laboratory immediately for thorough analysis; this analysis will help to build a case against the suspect. Another strategy is the use of interviewing, whose purpose is to gather all necessary information from the victim as well as the perpetrator regarding the details of an investigation.
The first responders in this case are the security officers, who take the suspect into custody and allow the investigation department of OOO to interview the suspect. This gives them more options for learning the motive of the suspect. Lastly, this stage gives you a chance to meet with the Chief Security Officer of OOO to discuss what the search lead list would be, what to look for, and so on.

Preservation

Preservation is important when it comes to digital forensics. The first rule of all investigations is to preserve the evidence, which means it must not be tampered with or contaminated. The items seized from the suspect are electronic and must be handled with care: digital evidence and media are very fragile and sensitive to temperature, humidity, etc. In this case, the evidence needs to be bagged in evidence or antistatic bags, labelled, and seized in the presence of the suspect. At this point it is also necessary to fill in the chain of custody form and list the people who have been in contact with the evidence. One point to note is that once the evidence is seized and labelled, the name of any person who handles the evidence has to be listed on the chain of custody form. This form helps in preserving the integrity of the evidence.

Collection

At this stage it is necessary to make duplicate copies of the USB drive and the CD-R seized from the suspect by the officers. The original evidence, in this case the USB drive and CD-R, is secured in the secure cabinet at the forensic lab and not tampered with. The duplicate copies also provide a fallback in case something goes wrong with the working image.

Examination

This is the stage where thorough investigations are done. A copy image of both the USB thumb drive and the CD-R is searched thoroughly for any evidence or materials belonging to OOO. Everything done and found at this stage is documented. According to Jawad Abbas (2015), the goal of the documentation process is to permanently (or semi-permanently, as applicable) record all information relevant to and/or generated during the digital investigative process to support the decision maker, and the legal, administrative, etc. in processing of the decision.
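The bit-for-bit duplication and hash verification described under Preparation and Collection, together with the acquisition record that the Examination phase says must be documented, as an added Python example that is not part of the original report or of any named tool. The device file, item label and examiner name are constructed placeholders, and the source device is assumed to be read-only for the examiner (for instance behind a write blocker).

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads so large media never sit in memory at once


def sha256_of(path):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, examiner, item_label):
    """Bit-for-bit copy of `source` to `image_path`; hash original and copy and
    return an acquisition record for the chain of custody form. Assumes the
    source is read-only for the examiner (e.g. behind a write blocker)."""
    started = datetime.now(timezone.utc).isoformat()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    record = {
        "item": item_label, "examiner": examiner,
        "source": source, "image": image_path,
        "started_utc": started, "finished_utc": datetime.now(timezone.utc).isoformat(),
        "sha256_source": sha256_of(source), "sha256_image": sha256_of(image_path),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    if not record["verified"]:  # a failed copy must never become the working image
        raise RuntimeError(f"{item_label}: image hash does not match the original")
    return record


def verify_image(record):
    """Re-hash the working image (before examination or at hand-over) and compare
    with the hash recorded at acquisition; False means the image was altered."""
    return sha256_of(record["image"]) == record["sha256_image"]


def demo():
    """Image a constructed stand-in for the seized USB drive (sample bytes, not evidence)."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "usb_thumb_drive.bin")
    with open(device, "wb") as f:
        f.write(b"OOO CONFIDENTIAL - constructed sample content\n" * 2048)
    return acquire_image(device, os.path.join(workdir, "item1_usb.dd"),
                         "examiner-name (placeholder)", "Item 1: USB thumb drive")
```

The returned record is what gets written into the case file; re-running verify_image on the same record before each examination session shows whether the working image is still the one that was acquired.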
Analysis

The data collected from the USB drive and the CD-R is analyzed carefully to determine its significance to the organization. This data is used to prove or disprove the innocence of the suspect; therefore, the decision to continue or discontinue the case depends mostly on the analysis of the data collected from the contraband USB drive and CD-R. Basically, this phase informs the decision-making process of the requester or the prosecution.

Presentation

The presentation phase is where a report, consisting of a detailed summary of the various steps taken during the investigation and the conclusion arrived at, is presented to the appropriate authorities, in this case either the Chief Security Officer or the management of OOO. This is normally done to prove the innocence or guilt of the suspect to the requester.

Returning Evidence

This is done after the presentation stage has been completed. All evidence in the possession of the investigator is returned to the requester and subsequently to the suspect, if no evidence is found against him. Ways of removing or destroying the information found on the USB drive and the CD-R are all discussed. If the suspect is found culpable, the evidence is retained or handed to the prosecution or the police for safe keeping until prosecution begins. This must be recorded in the chain of custody form.
References

Nelson, B., Phillips, A., & Steuart, C. (2019). Guide to Computer Forensics and Investigations (6th ed.). Cengage. www.cengage.com

Hagy, D. W. (2001). Electronic Crime Scene Investigation: A Guide for First Responders (2nd ed.). U.S. Department of Justice. www.ojp.usdoj.gov/nij

Abdalla, S., Hazem, S., & Hashem, S. (2007). Guideline Model for Digital Forensic Investigation. Embry-Riddle. https://www.commons.erau.edu/

Jawad Abbas, T. M. (2015). Studying the Documentation Process in Digital Forensic Investigation Frameworks/Models. ResearchGate. https://www.researchgate.net/publication/313850384_Studying_the_Documentation_Process_in_Digital_Forensic_Investigation_Frameworks_Models

(n.d.). Most Important in Digital Forensics: Preparation or Preservation? Secure The Infosec Bag. https://www.keirstenbrager.tech/most-important-in-digital-forensics-preparation-or-preservation/