< All Computer Hacking and Forensics Notes

kmartin84 | Computer and Hacking Forensics | Module 2 - Investigative Process

By: kmartin84 | Related Course: Computer Hacking and Forensics | Published: April 3, 2018 | Modified: April 3, 2018
Join Cybrary

NotepadInvestigative process


18 USC:

   1361 – Malicious mischief

   1027 – Fraud Access Devices

   1030 – Fraud -computers


  402:  Admissibility of evidence

   901:  ID and authentication

   608:  Conduct of witness

   609:  Impeachment of evidence

   502:  Attorney/client privilege

   614:  Interrogation of witness

   701:  Opinion testimony

   705:  Disclosure of facts

   1002:  Requirement of original and

   1003:  Admissibility of duplicates

1986   Electronic Communication Privacy Act (ECPA)

2001  USA Patriot Act

1980  Privacy Protection Act and

           Cable Communication Policy Act

Reiterate  Big Picture Process: 

Assess, Acquire, Analyze, Management process, Report, Court


   Build Workstation

         -Hardware – forensic specific hardware requirements

         – Integrity – snapshot of evidence

         – Date and time – recording on forms

         – Deleted files

         – Removable Media

         – Analyze Drive

   Build a Team:  Roles and Responsibilities:

           – Attorney


           – Analyst/analyzer

           – Scribe/documentor to document evidence

           – IR  Incident Responder/Incident handler/First responder

            – Expert Witness for court



Search warrant – can be for entire company or one particular device (scope of warrant)

Secure the scene – photograph, label, forms (dates, times, volatile/non and 5 w’s (what where when why how)

Collect evidence – media, cables, peripherals, trash, memories, hard drives, dvd’s, etc

Secure evidence – make sure it is admissible (chain of custody and management of evidence)

Acquire Data – Image integrity, method digest or bit-by-bit copies

Analyze (tools) – file systems, using software sometimes open source like FTK or general recovery software (must adhere to industry best practices)

Document and Report 

As part of the investigative process, meet with incident response/incident handling team, consultants, third party or get law enforcement involved (if le involved, they run the show with their own procedures).





< All Computer Hacking and Forensics Notes
Join Cybrary

Our Revolution

We believe Cyber Security training should accessible for everyone, everywhere. Everyone deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is the world's largest community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

We recommend always using caution when following any link

Are you sure you want to continue?