Its important for every cyber forensic process to know what are our operational investigation requirements. When conducting an investigation, it’s important that specific guidelines and procedures are followed. We need good communication channel to communicate and respond to concerned and involved teams, in accordance with applicable laws and standards. We have to think about the investigation’s mandate; what’s the overall purpose, because we need to make sure that our forensic activities stay within the scope of that investigation. Sometimes, we need to engage the expertise of other specialists for forensic and interviewing, and security. On the legal side, sometimes it can be a little bit difficult. For example, with cloud data, we might have one user accessing that data in one country, but the data might be stored on cloud provider servers that are in another country, physically. So how do we deal with that; because, where a warrant might be easily obtained in one country, it might not be so easy in others. Even if we can get a warrant in another country, we need to make sure that that warrant is executed, and that can be hard to enforce overseas, sometimes. The lead investigator is responsible for assembling the team of professionals that are required for a specific investigation. Whether that investigation relates to a financial crime, computer forensics, some combination thereof, and so on.
Operational Investigation Requirements.
“The procedures which are required in an investigation govern the communication, response, and mandate of that investigation or team of investigators.”
“Different investigations have different requirements. An investigation might require expertise from forensic specialists, interviewers, and security. It might also require legal authorization like grounds to execute a search warrant, determining when a search can be executed, as well as what is being searched for.”
Heading Operational Investigation
The lead investigator is responsible for assembling the team of professionals that are required for a specific investigation. In the case of a financial crime or computer forensics, the investigation team needs to obtain warrants execute production orders, assemble security personnel, coordinate execution of search, and follow up after the search.
So members of the team should have the expertise and experience, in order to do things like obtain warrants, to assemble security personnel, to coordinate the execution of a search, and to follow up on that search. Remember that the overall goal of an investigation is to acquire information that can be used as evidence. But along the way, there are rules that must be followed in terms of how we do that. So when we gather evidence – from the seizure all the way to the preservation of it, even the archival of that data over time – we need to prove that it was kept under our control. Everything is documented, and date and time stamped. That refers to the chain of custody. Sometimes we also need to locate evidence that proves a crime was committed in the first place. Sometimes we also need to document the technical side of an environment, including things like IP addresses, determining whether a wireless network is secure or insecure. Sometimes we have to document things like usernames, and passwords, and so on. But we need to make sure that we consult with counsel, before we go through and use things like discovered usernames and passwords. We want to make sure that we aren’t breaking the law.
“Acquiring evidence is the main purpose of an investigation. Acquiring evidence is subject to rules pertaining to the seizure, preservation, and chain of custody of that evidence. It is important to locate evidence which proves that a crime was committed, and to document the technical environment in which it was found, like IP addresses, secure or insecure wireless, and usernames and other credentials.”
Sometimes, things like IP addresses are important to document – not just in the sense of a local IP address of a device, but also a remote IP address – because maybe machines were communicating for some kind of coordinated act that was being committed. An investigation will always take a two phased approach, whereby it begins with the collection of data. That can come from various locations, like data logs, or we might perform a live analysis of a running system. We might also take a memory dump of memory contents on a running system. Sometimes, we might take a network traffic capture to examine that traffic. But bear in mind that anybody can completely forge network transmissions, and place them on the network. So we would have to correlate network traffic captures with some other corroborating evidence, to make it trustworthy. We can recover deleted entries on storage media. This can be done by looking through deleted files, or file fragments, that remain on disk. And in some cases, we’ll be able to see Internet artifacts that are a result of a user using certain Internet services – maybe viewing certain web pages, and so on.
The two phases of an investigation are collection and recovery.
The collection phase is concerned with collecting information like data logs, live analysis, memory dump, and network traffic capture. The recovery phase is concerned with collecting data from space unsigned space like deleted files, file slack, and Internet artifacts.