Conducting Digital Investigations
October 28, 2016
Categorised in: Computer Forensic & Cyber Applications
The goal of any investigation is to uncover and present the truth.
Digital investigations inevitably vary depending on technical factors such as
the type of computing or communications device, whether the investigation is in a criminal, civil, commercial, military, or other context, and case-based factors such as the specific claims to be investigated.
The most common steps for conducting a complete and competent digital investigation are:
Preparation, Survey / Identification, Preservation, Examination and Analysis, Presentation
APPLYING THE SCIENTIFIC METHOD IN DIGITAL INVESTIGATIONS
The scientific method provides such a simple, flexible methodology.
The scientific method begins with fact gathering and validation, and proceeds to hypothesis formation and experimentation/ testing, actively seeking evidence that disproves the hypothesis, and revising conclusions as new evidence emerges.
- Formation and evaluation of Hypotheses
- Reporting and Testimony
HANDLING A DIGITAL CRIME SCENE
Digital crime scenes can contain many pieces of evidence and it is necessary to apply forensic principles to survey, preserve, and document the entire scene
handling individual computers as a source of evidence, and discusses approaches to handling high-availability/high-capacity servers or evidence spread over a network
assist in the development of procedures and crime scene protocol that minimize the chance of injury and contamination of evidence.
PRESERVING THE DIGITAL CRIME SCENE
Controlling Entry Points to Digital Crime Scenes
Freezing the Networked Crime Scene
Considerations for “Wet” Forensics
Developing a Forensic Preservation Strategy
Preserving Data on Live Systems
Remote Preservation of Digital Evidence
Shutting Down Evidential Computers
Modus operandi (MO) is a Latin term that means “a method of operating.”
It refers to the behaviors that are engaged in by a criminal for the purpose of successfully completing an offense.
A criminal’s MO reflects how he/she committed his/her crimes.
It is separate from his/her motives, which have to do with why he/she commits crimes
Amount of planning before a crime, evidenced by behavior and materials (i.e., notes taken in the planning stage regarding location selection and potential victim information, found in e-mails or personal journals on a personal computer).
Materials used by the offender in the commission of the specific offense (i.e., system type, connection type, software involved, etc.).
Presurveillance of a crime scene or victim (i.e., monitoring a potential victim’s posting habits on a discussion list, learning about a potential victim’s lifestyle or occupation on his/her personal Website, contacting a potential victim directly using a friendly alias or a pretense).
Offense location selection (i.e., a threatening message sent to a Usenet newsgroup, a conversation had in an Internet Relay Chat room to groom a potential victim, a server hosting illicit materials for covert distribution, etc.).
Use of a weapon during a crime (i.e., a harmful virus sent to a victim’s PC as an e-mail attachment).
Offender precautionary acts (i.e., the use of aliases, stealing time on a private system for use as a base of operations, IP spoofing, etc.).
MOTIVE AND TECHNOLOGY
Motive refers to the emotional, psychological, or material need that impels, and is satisfied by, a behaviour
Criminal motive is generally technology independent
Following types of behaviours:
Power Reassurance, Power Assertive, Anger Retaliatory, Sadistic, Opportunistic, and Profit Oriented.