Systematic approach Flashcards
(13 cards)
What are the steps of a digital investigation in the correct order?
Make an initial assessment about the type of case
Determine a preliminary design or approach
Create a detailed checklist
Determine the resources you need
Obtain and copy an evidence drive
Identify the risks
Mitigate or minimize the risks
Test the design
Analyze and recover the digital evidence
Investigate the data you recover
Complete the case report
Critique the case
What is Step 1 of a digital investigation, and how do you perform it?
Step 1: Make an Initial Assessment About the Type of Case
To perform this step:
Talk to people involved – Interview stakeholders, law enforcement, or company personnel to understand the incident.
Ask key questions – Find out: Have the computer and its components already been seized? Do you need to visit an office or external location? Was the computer used to commit a crime? Does the computer contain evidence related to a crime?
Clarify the nature of the case – Determine whether it’s criminal, civil, internal company-related, or another type.
Establish scope – Understand what devices, users, and data might be involved.
What is Step 2 of a digital investigation, and how do you perform it?
Determine a preliminary design or approach to the case
Outline the general steps for investigation.
Consider timing: can the suspect’s computer be seized during or after work hours?
If it’s a criminal case, check what info law enforcement already has.
What is Step 3 of a digital investigation, and how do you perform it?
Create a detailed checklist
Refine the general outline and estimate the amount of time needed
What is Step 4 of a digital investigation, and how do you perform it?
Step 4: Determine the Resources You Need
Identify the OS and environment of the target system.
List the tools needed and whether an expert's assistance is needed.
What is Step 5 of a digital investigation, and how do you perform it?
Step 5: Obtain and Copy an Evidence Drive
Seize the digital devices involved (USBs, laptops, mobile phones, etc.).
Make a copy.
What is Step 6 of a digital investigation, and how do you perform it?
Step 6: Identify the Risks
List potential problems (e.g., data destruction mechanisms, encryption, booby-trapped logins).
What is Step 7 of a digital investigation, and how do you perform it?
Step 7: Mitigate or Minimize the Risks
Make multiple copies of forensic images to protect the original data.
Plan for bypassing passwords or encryption without data loss.
Ensure safe storage of all evidence and backups.
Use verified procedures to prevent contamination or damage.
What is Step 8 of a digital investigation, and how do you perform it?
Step 8: Test the Design
Review your plan and verify each step so far. Compare hash values of original vs. copied media to ensure integrity.
What is Step 9 of a digital investigation, and how do you perform it?
Step 9: Analyze and Recover the Digital Evidence
Use forensic tools to examine the disk image.
What is Step 10 of a digital investigation, and how do you perform it?
Step 10: Investigate the Data You Recover
View the information recovered from the disk, including existing files, deleted files, e-mail, and Web history, and organize the files to help find information relevant to the case.
What is Step 11 of a digital investigation, and how do you perform it?
Step 11: Complete the Case Report
Write a detailed report of everything you did and discovered.
What is Step 12 of a digital investigation, and how do you perform it?
Step 12: Critique the Case
Reflect on the investigation process.
Identify what went well and what could be improved.
Seek feedback from peers or supervisors.
Document lessons learned for future cases.