Digital Forensics Report: Practices, Impact, and Motivation Analysis

Added on 2021/04/21

Summary
This report provides a comprehensive overview of digital forensics, encompassing current practices, potential impacts, and underlying motivations. It delves into static and live forensics, exploring their methodologies and applications. The report analyzes the impact of forensic investigations on businesses, considering cost, reputation, and legal implications. It also examines the motivations behind cybercrimes, including financial gain, personal interests, and political factors. The report further discusses data manipulation techniques like steganography, encryption, and obfuscation, as well as the role of malware in cyberattacks. The document also touches upon defensive and offensive forensics, the legal and illegal aspects of digital evidence, and the various methods used to manipulate data. The report emphasizes the importance of understanding these aspects to mitigate risks and protect against digital threats.
Digital Forensics
Ba-Pef Digitals
3/26/2018
Table of Contents
Task 1: P1.1 (page 2)
Task 2 P1.2 (page 3)
Task 3 P1.3 (page 5)
Task 4 P2.1 (page 6)
Task 5 P2.2 (page 7)
Task 6 M2 (page 9)
Task 7 D1 (page 11)
Task 8 P3.3 (page 14)
Investigation Activity (page 14)
Task 10 D3 (page 16)
References (page 19)
Task 1: P1.1
Current Forensic Practice
Digital forensics is a branch of forensic science that covers the investigation and recovery of digital devices, media and data, usually carried out to find evidence relating to computer-related crimes.
Current forensic practice makes use of a number of techniques, which are described below.
Static Forensics & Analysis
Static digital forensics is the traditional method in which duplicates are examined to obtain evidence: for example, a copy of a hard disk drive is taken and its memory contents, including deleted files, login history and the like, are extracted from it. Analysis of such data gives a complete or partial view of the set of tasks performed on the victim's system. Multiple tools are used for memory dumping and for sorting the evidentiary data. External devices such as USB drives, CDs and DVDs are also used in this process for the investigation and analysis of activity (Rafique, 2013).
Live Forensics & Analysis
Live forensics and analysis is a method that combines a non-interactive analysis procedure with data snapshots, including fresh data models and the design of the user interface. Information is collected, then analysed, and reports are generated, all without interfering with the functioning of the compromised system or application. The process gives a clear picture of details such as the processes running on the system, memory dumps, the networks the system is connected to, open connections, unencrypted versions of files, and so on. Such information cannot be captured by static forensics. Live analysis preserves the integrity and consistency of the data sets involved and can provide a great deal of evidence about the activities performed by users on the compromised system.
Defensive & Offensive Forensics
As the name suggests, defensive forensics comprises the techniques used to protect information and users from cyber-crime. These techniques are applied to screen for possible attacks and to find evidence that can be used to stop them. Some of the methods under the defensive approach include email origin obfuscation, anonymizers, shell and cloud accounts, borrowing Wi-Fi connections, web browser privacy modes, and many others.
Offensive forensics is a proactive approach that aims to act against malevolent entities by identifying their attack patterns and the evidence associated with each occurrence. Browser identification and IP geolocation are some of the techniques under this approach (Du, 2017).
Legal & Illegal Forensics
The process of gathering digital evidence and carrying out forensics must also adhere to the requisite legal policies and have scientific validity.
The scientific validity of the process can be confirmed by determining whether the forensic tools, methods and techniques have been tested, and whether they have been subjected to peer review and publication. The error rates, adherence to specified practices and standards, and the acceptance criteria shall also be evaluated to determine the scientific validity of the process (Ryan, 2015).
Forensic processes that are found to have scientific validity, are carried out by approved experts and resources, and abide by legal norms and principles are termed legal forensics.
However, there are also many occurrences in which such norms and guidelines are not followed. These scenarios fall under the category of illegal forensics.
Task 2 P1.2
Potential Impact of Forensic Investigation
Forensic investigation is a critical procedure that shall be carried out only when necessary and must be executed by a team of experts with appropriate tools and techniques. There are scenarios in which business organizations have benefited from investigation procedures by identifying and collecting the evidence of a cyber-crime or malicious activity. This has helped safeguard digital data and applications and prevent similar cases in the future. However, the commercial and social impacts of the process can be negative as well.
Some organizations make use of unreliable forensic tools and illegal forensic techniques, which has led to financial losses and liabilities for them. When forensic activities and investigations are carried out, every aspect of the business must be evaluated. This leads to the collection and examination of the data sets associated with all internal and external stakeholders, customer data, and the organization's internal information (Ismail, 2014). An investigation carried out by the experts is usually not taken well by external stakeholders and customers, and unsatisfactory outcomes may adversely affect trust and faith in the organization. Forensic analysis and investigation may also affect the functionality of the compromised systems and applications. Business resources and executives may be prevented from using the affected systems during the investigation, which may impact business continuity. This may also give competitors an opportunity to perform better and gain a competitive edge in the market. The brand image and corporate value may suffer as a result.
The social impacts of forensic investigations may also be negative for the organizations involved. Organizations may incur financial loss and damages because operational and business continuity may be impacted during the investigation. The loss of trust and faith of stakeholders and customers may bring down the organizational and asset value, leading to poor revenues and profits. Business resources may be prevented from using certain applications and systems during the investigation, which may not be taken well by the resources in the organization, and employee satisfaction may suffer as a result.
Information gathering and collection is one of the most essential processes in a forensic investigation. If the forensic team is unable to identify suitable sources of information, the results will be poor. This may also impact business continuity and may introduce new vulnerabilities into the system, giving attackers the ability to carry out further security attacks.
The repeated compromise of an organization's information sets and exposure of private and confidential information to unauthorized entities leads to loss of trust among customers and stakeholders, along with a poor brand image in the market (Dimpe, 2017).
Impact of Forensic Investigation – Cost, Reputation and Legal Implications
When a company faces a stringent legal digital forensic investigation, there are many implications that it must face. These range from the total damages the company has to bear, to the loss of reputation, to the legal prosecution the company may face. Each of these is enumerated below:
Cost: The organization could sometimes suffer only a minor financial loss, limited to the cost of the investigation carried out and its effect on day-to-day business activities. At other times the cost can be enormous, depending on how long the investigation has lasted; the net loss in business revenue, calculated from the total loss in sales during the period; the expenses the company has to bear during and after the investigation; and the cost of the process, infrastructure and program changes that follow the investigation.
Reputation: The organization could sometimes face little to no loss of reputation, depending on the seriousness of the matter, whether the organization was at fault, and whether the investigation was made public. At other times an organization may face serious implications, especially if the investigation was carried out because of the company's own negligence and faults. In this case, the larger and more important the organization, the bigger the news it makes, and the loss of reputation corresponds to it.
Legal: The legal implications the organization faces may range from little to none to very serious, depending on the forensic investigation and the nature of the crime. Generally, in crimes where an employee is at fault, for instance carrying out an illegal activity within the organization's premises, stealing data, or carrying out a malicious insider attack, the legal implications have to be borne by the employee only. This happens once the investigation findings have been submitted to the court of law and the court has ruled on the culprit. In cases where the organization as a whole is at fault, the entire organization is represented in the court of law.
Task 3 P1.3
Motivation, Data Manipulation, and Malware
The motivation behind security risks and attacks may come from a variety of reasons and motives. Financial gain has been observed as the primary motivation behind security attacks. In such cases, malevolent entities capture data sets with the intent of extracting a ransom from the data owners in exchange for not misusing the data. The financial accounts of the victims may also be targeted directly.
Another motivating factor behind cyber-crime may be personal interest and curiosity. These activities aim at gaining as much information as possible about a particular user or business organization. "Target practice" is another term used to describe an attacker's motivation, as an attacker may target smaller companies initially before targeting a bigger one. Certain cyber-crimes gain a great deal of attention and popularity on social media and television because of the innovative approach used in the attack, the compromise of sensitive data sets, the targeting of a big brand in the market, and the like. The popularity and fame that attackers might achieve after carrying out such attacks may also act as a motivating factor for them.
Revenge against a fellow resource in the organization or a rival in the market is one of the most common motivations behind security risks and attacks. Cyber-crime harms the affected business organizations through financial loss and loss of reputation and customer trust, and such outcomes may motivate attackers who want to bring down the brand image of an entity in the market.
There may also be political factors and state-sponsored attacks, where the motivation is political gain. Such occurrences may have an impact on an entire nation (Asal et al., 2016).
A number of data manipulation methods may be used, such as steganography, encryption and obfuscation, along with automated tools. Steganography is a method of hiding data in plain view: the message is concealed within computer files through techniques such as Least Significant Bit (LSB) embedding (Attaby, Mursi Ahmed & Alsammak, 2017). Encryption, on the other hand, is a method in which text is converted into its encrypted form, known as cipher text, which can be decrypted only with the secret keys. Data obfuscation is another data manipulation technique in which data sets are deliberately scrambled to prevent unauthorized access to them. Obfuscation methods may be classified as cryptographic or network security obfuscation. There are also automated tools and applications that have been developed to carry out data manipulation.
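To make the LSB technique named above concrete, the following added example (not code from the report or from any cited author) embeds a short message into a constructed grey-scale "image", recovers it, and then measures what an examiner can and cannot see: every pixel changes by at most one intensity level, so the carrier looks unchanged, yet comparison against a known-good copy or its hash exposes the modification. The carrier values, the length header format and the message are all assumptions made for the demonstration.

```python
"""LSB steganography, embed side and examiner side (added example, not from the report).

Carrier: a constructed list of 8-bit grey-scale pixel values.
Each payload bit replaces the least significant bit of one pixel, preceded by a
32-bit big-endian length header so the extractor knows how many bytes to read.
"""
import hashlib
import random


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(carrier: bytes, payload: bytes) -> bytes:
    """Return a copy of `carrier` whose LSBs carry a length header plus `payload`."""
    message = len(payload).to_bytes(4, "big") + payload
    if len(message) * 8 > len(carrier):
        raise ValueError("payload does not fit in carrier")
    out = bytearray(carrier)
    for i, bit in enumerate(_bits(message)):
        out[i] = (out[i] & 0xFE) | bit      # clear the LSB, then set it to the payload bit
    return bytes(out)


def lsb_extract(stego: bytes) -> bytes:
    """Read the length header from the first 32 pixels, then that many payload bytes."""
    def read_bytes(offset: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[offset + b * 8 + k] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def lsb_diff_count(original: bytes, suspect: bytes) -> int:
    """Examiner check: number of pixels whose LSB differs from a known-good reference copy."""
    return sum((a ^ b) & 1 for a, b in zip(original, suspect))


def demo() -> dict:
    """Embed, recover and compare on a constructed 2048-pixel carrier."""
    rng = random.Random(7)                                   # fixed seed: reproducible carrier
    carrier = bytes(rng.randrange(256) for _ in range(2048))  # constructed image data
    secret = b"meeting at 9"                                 # constructed payload
    stego = lsb_embed(carrier, secret)
    return {
        "recovered": lsb_extract(stego),
        "pixels_changed": lsb_diff_count(carrier, stego),
        "size_unchanged": len(stego) == len(carrier),
        # visually invisible: no pixel moves by more than one intensity level
        "max_pixel_delta": max(abs(a - b) for a, b in zip(carrier, stego)),
        # but a hash comparison against the reference copy still detects the change
        "hash_changed": hashlib.sha256(carrier).digest() != hashlib.sha256(stego).digest(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The design point for an examiner is the last two fields: the largest per-pixel change is 1, which is why LSB hiding survives visual inspection, while the file hash differs, which is why a hashed reference copy (or the hash recorded at acquisition) is the practical way to notice that a file has been altered.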
Malware attacks are the most common form of cyber-attack. Many kinds of malicious code have been developed, such as viruses, worms, logic bombs, Trojan horses, adware, spyware, ransomware, and many others. These malicious codes may or may not be self-replicating and may or may not require a trigger, but they have the potential to cause severe impacts on the systems and applications they are injected into. Malicious entities have also developed keyloggers and unauthorized screen recorders that capture all of a user's activity. These logs are then misused to carry out security attacks.
Task 4 P2.1
Principles of Evidence Gathering
Certain principles are involved in the process of evidence gathering; they are listed below.
- The activities and actions performed by law enforcement agencies, and by the resources engaged with these agencies, must not manipulate or change data that may be used as evidence in court.
- Where access to the originally gathered data is essential, only resources with expertise in it shall be given access, and the time, purpose and relevance of the action shall be documented for future reference.
- An audit trail of the activities and actions carried out during the investigation and evidence gathering shall be preserved. A third party shall be able to carry out the same activities, and the results of the original process and the repeated process must be the same.
- The person in charge of the investigation must ensure that adherence to the above principles is always maintained.
Record-keeping is one of the essential processes in evidence gathering and investigations. The system logs of the infected and compromised systems and applications are among the basic and primary pieces of evidence that shall be captured and stored securely. It must be ensured that the system logs obtained and recorded are not modified. Operating system images also prove to be significant evidence after a cyber-attack, and these shall also be recorded and securely stored (Gupta, 2018).
Several information investigation processes are executed so that the evidence gathered is sufficient for the forensic analysis and resolution of the cyber-attack. One of the significant processes adopted in information investigations is the interview. Many interviewers may be involved in the panel, and the comments and inputs of all co-interviewers shall be recorded and stored. The interview process shall be carried out in a series of steps: identification of the interviewees, preparation of the schedule and interview questions, conduct of the interview, and analysis of the responses. A corporate personnel management representative shall also be involved throughout the procedure for disciplinary management and observation. Background checks of the interviewers and interviewees shall also be included as a mandatory step. Various criminal proceedings and civil actions may be initiated ahead of the interviews, and these must be done while adhering to all regulations and policies.
Task 5 P2.2
Evidence Gathering Practices & their Impacts
Some of the best practices that may be followed in the process of digital evidence gathering are listed below.
- The crime scene and the digital devices involved shall be photographed.
- If the computer system is turned off, it shall not be turned on.
- If the computer system is turned on, the screen shall be photographed.
- Live data shall be collected, starting with the RAM image and followed by the network logs, user logs and the processes executing on the system.
- If hard disk encryption is detected, a logical image of the disk shall be captured using tools such as Helix or F-Response.
- The power cord of desktop computers and laptops shall be removed, and the battery shall also be taken out if the system does not shut down on its own.
- A graphical representation of all the cords shall be drawn and the cords labelled.
- The model numbers and serial numbers of all devices shall be noted down.
- All cords and devices must be disconnected from each other.
- Anti-static evidence bags shall be used to package all the components present at the crime scene.
- External and additional storage media shall also be seized and stored in anti-static evidence bags.
- The entire set of activities shall be recorded and documented in serial order.
The evidence gathered from the crime scene shall be stored securely and protected by applying security tools and methods. A number of legislative policies and rules may apply to the evidence gathered, and these shall be complied with at all times. International legislation and jurisdictions shall also be followed: data sets belonging to data owners in several parts of the globe may be obtained, and these shall be handled as per the international jurisdiction applicable to them (Divakaran, Fok, Nevat & Thing, 2017).
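The principles in Task 4 (evidence must not be altered, every access is documented, a third party must be able to repeat the process and get the same result) and the record-keeping and serial-order requirements in the list above all come down to two mechanisms: hashing the evidence at acquisition and keeping a tamper-evident audit trail. The following added example (not code from the report or from any tool it mentions) shows both on a constructed "disk image": a first examiner acquires and hashes it, a second examiner re-verifies it independently, a one-byte change is detected, and each audit entry is chained to the previous one so that editing an entry after the fact is also detected. The evidence identifier, examiner names and image contents are assumptions made for the demonstration.

```python
"""Evidence hashing and chained chain-of-custody log (added example, not from the report)."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of actions on evidence. Each entry stores the hash of the
    previous entry, so deleting, reordering or editing an entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, examiner, action, evidence_id, evidence_hash, purpose, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"time": when, "examiner": examiner, "action": action,
                 "evidence_id": evidence_id, "evidence_hash": evidence_hash,
                 "purpose": purpose, "prev_entry_hash": prev}
        # sort_keys gives a canonical serialisation so the hash is reproducible
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every entry hash and link; False if anything was altered."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_entry_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire(image: bytes, evidence_id: str, examiner: str, log: CustodyLog) -> str:
    """Hash the freshly acquired image and log the acquisition; returns the hash."""
    digest = sha256_hex(image)
    log.record(examiner, "acquire", evidence_id, digest, "bit-for-bit copy of seized drive")
    return digest


def verify(image: bytes, expected: str, evidence_id: str, examiner: str, log: CustodyLog) -> bool:
    """Independent re-hash by another examiner; the result is logged either way."""
    digest = sha256_hex(image)
    ok = digest == expected
    log.record(examiner, "verify", evidence_id, digest, f"independent re-hash; match={ok}")
    return ok


def demo() -> dict:
    log = CustodyLog()
    image = bytes(range(256)) * 16                      # constructed 4 KiB "disk image"
    acquired = acquire(image, "HDD-001", "examiner_a", log)
    same_copy_ok = verify(image, acquired, "HDD-001", "examiner_b", log)
    tampered = bytearray(image)
    tampered[100] ^= 0x01                               # a single flipped bit
    tampered_ok = verify(bytes(tampered), acquired, "HDD-001", "examiner_b", log)
    chain_before = log.verify_chain()
    log.entries[1]["purpose"] = "edited after the fact"  # simulate altering the record
    chain_after = log.verify_chain()
    return {"acquired_hash": acquired, "same_copy_ok": same_copy_ok,
            "tampered_ok": tampered_ok, "entries": len(log.entries),
            "chain_before": chain_before, "chain_after": chain_after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the acquisition hash is also written on the evidence bag label and in the paper custody form, so the three records (bag, form, log) can be checked against each other by whoever repeats the process later.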
A few challenges may be associated with the process of evidence gathering.
- Technology is changing at a rapid pace, and the tools available for investigation may rely on obsolete technology and bring compatibility issues.
- There may be legal challenges arising from changes in legislative policies and applicable jurisdictions.
- The technological behaviour of the systems and applications involved may also change.
- Ethical and professional codes may become difficult to comply with.
These challenges may bring commercial, social, legal and ethical impacts. The process of evidence gathering and analysis may affect the functionality of the compromised systems and applications. Business resources and executives may be prevented from using the affected systems during the investigation, which may impact business continuity. This may also give competitors an opportunity to perform better and gain a competitive edge in the market.
Task 6 M2
Forensic Plan
Before starting a forensic investigation it is imperative to have a proper plan outlined so that the investigation can be conducted effectively. This is regarded as a proactive measure of investigation. To plan the forensic investigation effectively, the following steps need to be taken:
- First and foremost, the forensic investigator needs to gather all the available information about the incident while also assessing its severity.
- The second step is to assess the overall impact of the investigation on the SME business, including network downtime, loss of revenue, the duration of recovery, and the loss of confidential information.
- The investigation would then be carried out to obtain all kinds of information from the network, including networking devices such as routers, hubs and switches. The network administrator needs to help the investigators understand the network topology documentation, the firewall, the servers and the network diagram.
- The investigators would then identify all the external storage devices used within the office premises, including external hard disk drives, CD/DVD drives, pen drives and memory cards, among others.
- Once this is done, the next step is to identify the forensic software to be used for the investigation.
- Once the forensic tools have been identified, the next step is to capture live traffic and examine it for suspicious activity on the network.
- Simultaneously, the investigation would be carried out on the computers, hard disk drives and other storage media in order to find pieces of evidence.
- While the investigation is being carried out, documentation would also need to be done simultaneously, recording all the activities as well as the evidence being extracted.
- Based on the documentation, a report would be created that presents all the activities, evidence, findings and analysis covering the entire incident.
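The plan above says to capture live traffic and look for suspicious activity but does not say what "suspicious" means for a small office. The following added example (not code from the report) shows one concrete way to do the triage step over captured connection records: it parses constructed firewall-style log lines, skips malformed ones rather than aborting, and flags three patterns an investigator would want to see first: allowed connections to ports outside the office's normal baseline, a host contacting an unusually large number of distinct external addresses, and regular-interval "beaconing" from one host to one destination. The log format, the baseline port set, the thresholds and the addresses are all assumptions made for the demonstration.

```python
"""Triage of captured network connection logs (added example, not from the report)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO time> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport> <proto> bytes=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP) bytes=(?P<bytes>\d+)$"
)

BASELINE_PORTS = {25, 53, 80, 443, 993}   # assumed normal services for this office

# Constructed sample: one host beacons to an external address on a non-baseline port
# roughly every 60 seconds, another host does ordinary web and DNS traffic, and one
# line is deliberately malformed.
SAMPLE_LOG = """\
2018-03-20T10:00:00Z ALLOW 10.0.0.12:51324 -> 203.0.113.9:4444 TCP bytes=512
2018-03-20T10:00:05Z ALLOW 10.0.0.20:49211 -> 198.51.100.5:443 TCP bytes=8700
2018-03-20T10:01:00Z ALLOW 10.0.0.12:51325 -> 203.0.113.9:4444 TCP bytes=498
2018-03-20T10:01:30Z ALLOW 10.0.0.20:49212 -> 198.51.100.5:443 TCP bytes=1200
2018-03-20T10:02:00Z ALLOW 10.0.0.12:51326 -> 203.0.113.9:4444 TCP bytes=530
2018-03-20T10:02:10Z DENY 10.0.0.31:40000 -> 203.0.113.9:4444 TCP bytes=0
this line is not a connection record
2018-03-20T10:03:00Z ALLOW 10.0.0.12:51327 -> 203.0.113.9:4444 TCP bytes=501
2018-03-20T10:03:40Z ALLOW 10.0.0.20:49213 -> 192.0.2.8:53 UDP bytes=90
2018-03-20T10:04:01Z ALLOW 10.0.0.12:51328 -> 203.0.113.9:4444 TCP bytes=515
""".splitlines()


def parse(lines):
    """Turn log lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": datetime.fromisoformat(d["ts"].replace("Z", "+00:00")),
            "action": d["action"], "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "bytes": int(d["bytes"]),
        })
    return records


def triage(records, beacon_min=4, jitter_seconds=2, fanout_min=10):
    """Return a list of findings; each is a tuple starting with the finding type."""
    findings = []
    flagged_ports = set()
    by_pair = defaultdict(list)     # (src, dst, dport) -> timestamps
    by_src = defaultdict(set)       # src -> distinct destinations
    for r in records:
        key = (r["src"], r["dst"], r["dport"])
        if r["action"] == "ALLOW" and r["dport"] not in BASELINE_PORTS and key not in flagged_ports:
            flagged_ports.add(key)
            findings.append(("unusual_port",) + key)
        by_pair[key].append(r["ts"])
        by_src[r["src"]].add(r["dst"])
    # Beaconing: enough repeats to one destination with nearly constant spacing.
    for (src, dst, dport), times in by_pair.items():
        if len(times) >= beacon_min:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if max(gaps) - min(gaps) <= jitter_seconds:
                findings.append(("beaconing", src, dst, dport))
    # Fan-out: one internal host reaching many distinct external addresses.
    for src, dsts in by_src.items():
        if len(dsts) >= fanout_min:
            findings.append(("fan_out", src, len(dsts)))
    return findings


if __name__ == "__main__":
    for finding in triage(parse(SAMPLE_LOG)):
        print(finding)
```

The thresholds are deliberately parameters: a real office baseline comes from the network administrator's documentation gathered in the earlier planning steps, and the beacon interval tolerance should be widened if the capture contains jittered traffic.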
Forensic tool comparison
The forensic tools compared below are among the most popular and renowned tools used in the forensic investigation domain today. The three tools are EnCase by Guidance Software, X-Ways Forensics (XWF) by X-Ways, and Autopsy. The last of these is, however, not a single tool but a combination of a multitude of forensic tools. EnCase is known for its easy-to-use interface with a small learning curve. EnCase is also perhaps the most popular tool among forensic investigators and is accepted in courts of law. EnCase features easier and fully fledged reporting capabilities as well as a built-in image acquisition tool for making bit-by-bit copies. EnCase has built-in support for BitLocker and an extraordinary feature called 'Review Package' that allows the investigator to send evidence to a requestor for review. On the downside, however, it is rather expensive and its evidence processing is slow and cumbersome.
The next tool is XWF. Its strong points are its extremely customizable evidence processing capabilities: one can select precisely what one wants to process, such as emails or the registry. It is highly flexible and has granular options for filtering. A forensic tool must have good search capability, and this is also where XWF shines because of its highly customizable search functions. XWF can also run multiple instances of itself, each working on a different part of the investigation, so that one instance can be doing processing while another is searching or performing a live preview. Another seldom-mentioned feature of XWF is the frequency of its updates. However, with such extensive features and customizability, XWF loses on simplicity. XWF is a rather complicated tool to begin with and has a complicated interface, which is why it has a much steeper learning curve. Sometimes XWF can be overwhelming and confusing. XWF also does not offer a 'Review Package' and does not support BitLocker.
Lastly, Autopsy is not a single forensic tool in the complete sense but rather a VMWare instance with a multitude of forensic tools. Autopsy's greatest strength is that it is free for commercial use. The tools in Autopsy for analysing browser history and internet-based activity are quite fast and easy to use. On the flip side, however, Autopsy's overall capabilities are limited, and it supports neither BitLocker nor the 'Review Package'.