
DIGITAL INVESTIGATIVE PLAN
LESSON FIVE
TOPICS:
- Basic concept of the digital investigative process
- Digital forensic process
- PNP – ACG Five-step Forensic Model
- Digital investigative planning
- Warrant preparation and preservation request
- Preservation request
- Intelligence gathering
- Assembling the investigative team
- Planning the search
- Photographing the incident scene
- Processing the electronic crime scene
- Chain of custody
- Marking evidence
- Transportation of evidence
TOPIC OBJECTIVES:
- Summarize the digital investigative process used by the PNP-ACG.
- Discuss the stages of the digital investigative planning process.
- Discuss the significance of preservation requests in cybercrime investigation.
- Discuss the steps in the conduct of the digital investigative process.
DIGITAL FORENSIC PROCESS
METHODOLOGICAL MODELS OF THE DIGITAL FORENSIC PROCESS (DFP)

- Kruse and Heiser Model
- Yale University Model
- Rodney McKemmish Model
- Five Step Model

KRUSE AND HEISER MODEL

ACQUIRE – AUTHENTICATION – ANALYZE
YALE UNIVERSITY MODEL

PRELIMINARY CONSIDERATION – PLANNING – RECOGNITION – PRESERVATION AND DOCUMENTATION – CLASSIFICATION, COMPARISON, AND INDIVIDUALIZATION
RODNEY McKEMMISH MODEL

IDENTIFICATION – PRESERVATION – ANALYZE – PRESENTATION


FIVE STEP MODEL

IDENTIFICATION – ACQUISITION – EXAMINATION/ANALYSIS – REPORTING – COURT PRESENTATION

IDENTIFICATION

• This step involves identifying what type of storage media and what data or information could be recovered relative to the investigation or case.
ACQUISITION

• Physically or remotely obtaining possession of the computer data from the original digital storage media through a digital forensic imaging process.
• Imaging is the second phase and requires forensically sound procedures and validated tools.
• This should be processed by a trained digital forensic examiner using validated hardware and software tools.
Hardware-Based Imaging Tools:

• Write blocker (physical bridge)
• Stand-alone imaging device (a multifunction tool with dedicated forensic capabilities)

PROTECTING DATA INTEGRITY IS THE TOP PRIORITY!
Software-Based Imaging Tools:

• Write-blocker: specialized application
• Forensic imager: multi-function tools that assist with hard drive preparation and duplication, forensic imaging, and verification
STEPS OF DIGITAL FORENSICS:
- Preparation of Destination Storage Media

• Verify the size requirements of the original evidence
• Select storage media that meets or exceeds the capacity of the source
• Sterilize the destination media through the wiping process
• Format the storage media

STEPS OF DIGITAL FORENSICS:
- Verification of Forensic Image

HASH
• Is a mathematical algorithm
• Produces a unique digital fingerprint
• Verifies that the binary content of an acquired forensic image is exactly the same as the source media

MD5 of source = ABC123, MD5 of image = ABC123 (the two digests must match)
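The two preparation checks above (capacity meets or exceeds the source; destination sterile after wiping) and the hash verification of the image, as an added worked example that is not part of the lesson; all file names, the helper names and the constructed sample "drives" are assumptions for illustration, not real evidence.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads, so a multi-gigabyte image never has to fit in memory

def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, hashing in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def destination_is_prepared(dest_path, source_size):
    """Destination checks: capacity >= source, and every byte is zero (sterile)."""
    if os.path.getsize(dest_path) < source_size:
        return False, "destination smaller than source"
    with open(dest_path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            if block.count(0) != len(block):
                return False, "destination not sterile: non-zero bytes found"
    return True, "ok"

def verify_image(source_path, image_path):
    """Verification step: image matches source only if every digest is identical."""
    src, img = hash_file(source_path), hash_file(image_path)
    return all(src[a] == img[a] for a in src), src, img

def demo():
    """Constructed sample data (hypothetical): a fake 'source' drive, a faithful
    image, an image with one altered byte, a wiped destination and a dirty one."""
    d = tempfile.mkdtemp()
    source = bytes(range(256)) * 2048          # 512 KiB of deterministic content
    paths = {n: Path(d, n) for n in ("source", "good", "bad", "wiped", "dirty")}
    paths["source"].write_bytes(source)
    paths["good"].write_bytes(source)
    paths["bad"].write_bytes(source[:1000] + b"\x00" + source[1001:])
    paths["wiped"].write_bytes(b"\x00" * len(source))
    paths["dirty"].write_bytes(b"\x00" * (len(source) - 1) + b"\xff")
    return {
        "good_match": verify_image(paths["source"], paths["good"])[0],
        "bad_match": verify_image(paths["source"], paths["bad"])[0],
        "wiped_ready": destination_is_prepared(paths["wiped"], len(source))[0],
        "dirty_ready": destination_is_prepared(paths["dirty"], len(source))[0],
    }
```

The example hashes with SHA-256 alongside MD5, because a single altered byte must change every digest recorded in the acquisition notes, not only the one the slide shows.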


EXAMINATION/ANALYSIS

• Evaluating the information or data recovered from the storage media evidence to determine if and how it could be used against the suspect.
REPORTING

• Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.
COURT PRESENTATION

• This step involves the presentation of the evidence discovered, in a manner that is understood by lawyers and non-technical staff/management, and that is suitable as evidence as determined by the rules on electronic evidence or any evidence-related law.
COMMON PIECES OF EVIDENCE RECOVERED
- Documents (contracts, IDs, etc.)
- Pictures and videos
- Web-mail cache
- Instant messaging chat conversations
- Temporary internet files
DIGITAL INVESTIGATIVE PLANNING

Pre-search Phase: Intelligence Gathering, Assembling the Investigation Team, Planning the Search

A. PRE-SEARCH ACTIVITIES
WARRANT PREPARATION
PRESERVATION REQUEST

As provided in Section 2, Title 1, Article 29 – Expedited preservation of stored computer data:

1. A Party may request another Party to order or otherwise obtain the expeditious preservation of data stored by means of a computer system, located within the territory of that other Party and in respect of which the requesting Party intends to submit a request for mutual assistance for the search or similar access, seizure or similar securing, or disclosure of the data.

2. A request for preservation made under paragraph 1 shall specify:
- the authority seeking the preservation;
- the offence that is the subject of a criminal investigation or proceedings and a brief summary of the related facts;
- the stored computer data to be preserved and its relationship to the offence;
- any available information identifying the custodian of the stored computer data or the location of the computer system;
- the necessity of the preservation; and
- that the Party intends to submit a request for mutual assistance for the search or similar access, seizure or similar securing, or disclosure of the stored computer data.

3. Upon receiving the request from another Party, the requested Party shall take all appropriate measures to preserve expeditiously the specified data in accordance with its domestic law. For the purposes of responding to a request, dual criminality shall not be required as a condition for providing such preservation (Council of Europe, 2001).
B. INTELLIGENCE GATHERING

C. ASSEMBLING THE INVESTIGATION TEAM

1. General Lead Investigator
2. Searchers
3. Seizure Officer (Seizing Officer)
4. Exhibits Officer (Evidence Custodian)
5. Photographer
6. Digital Investigator
7. Scene Security Team
D. PLANNING THE SEARCH

Execute the Warrant

Secure the Scene

Evidence Documentation, Collection and Preservation
• Photographing the Incident Scene
• Processing the Electronic Crime Scene
• Chain of Custody
• Marking of Evidence

Transportation of Evidence
