Cheat Sheet - CHFI

The document outlines the process of a computer hacking forensic investigation. It discusses the pre-investigation, investigation, and post-investigation phases. The pre-investigation phase includes planning, physical requirements, and security measures. The investigation phase covers documenting evidence, search and seizure procedures, data acquisition, and analysis. The post-investigation phase involves reporting and potential testimony.

Process Summary

Computer Hacking Forensic Investigator

Pre-Investigation Phase

In this phase you prepare the forensic laboratory environment properly. It includes:

1. Planning and budgeting
   a. Case type, scope of work
   b. Equipment and software budgeting
2. Physical and structural design requirements
   a. Laboratory size
   b. Physical space
   c. Heating, ventilation, and air conditioning
3. Working area requirements
   a. Ambience level
   b. Network connection
   c. Power and electricity
4. Physical security
   a. Digital sign-in
   b. Fire suppression
   c. Surveillance system
5. Human resources
   a. Key personnel
   b. Training and certification
6. Licensing
   a. ISO/IEC 17025

Investigation Phase

This is the real-life situation in which your customer requires your expertise to conduct a digital forensic effort. When it happens, remember these processes:

1. Documenting evidence
   a. Take photographs: cover the entire crime scene, down to the smallest details
   b. Record evidence details
2. Search and seizure
   a. Do you need a search warrant? (It depends on the nature of the case)
   b. Seizure of the evidence
      i. Powered-on system procedure
      ii. Powered-off system procedure
      iii. Networked system
   c. Shutdown procedures
      i. Windows: unplug power cord
      ii. Linux, Mac: graceful shutdown
3. Evidence preservation
   a. Chain of custody documents
   b. Transporting and storing
      i. Consider humidity
      ii. Consider extreme temperature
      iii. Consider electromagnetic sensitivity
      iv. How to block signals from evidence
4. Data acquisition
   a. Cloning (physical-to-physical) or imaging (physical-to-file)?
      i. Raw format
      ii. Proprietary format
      iii. Open-source format
   b. Create at least 2 clones or images
      i. Working copy
      ii. Reference copy
      iii. Remember: analysis of the original evidence is prohibited
   c. Integrity checking (hash compare)
5. Data analysis
   a. Timeline analysis
   b. Deleted evidence recovery (reconstruction)
   c. Focus on the root cause of the incident:
      i. OS (FTK, Autopsy, SleuthKit)
      ii. Memory (Volatility, Redline)
      iii. Network (Wireshark)
      iv. Web (web server logs)
      v. Database (ApexSQL, DB Browser)
      vi. Cloud
      vii. E-mail
      viii. Mobile (Oxygen, Cellebrite)
      ix. Malware (Cuckoo Sandbox, IDA, OllyDbg)
6. Case analysis
   a. Possibility of exploring additional evidence
   b. Acquire the bigger picture beyond the evidence itself
      i. Social media
      ii. Internet Service Provider
      iii. Network connections

Post-Investigation Phase

Once you have obtained proper results and have your documentation ready, you do:

1. Reporting
   a. Prepare a methodology
   b. Attach important evidence
   c. Progressively complex writing
   d. Consider local laws
2. Testifying
   a. Expert witness
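The data acquisition step above asks for a working copy, a reference copy, and an integrity check by hash compare. The following is an added example, not part of the original cheat sheet: it hashes a constructed sample "image" in chunks with MD5 and SHA-256 and verifies each copy against the original, so that a single corrupted byte in a copy is detected. File names and the sample bytes are assumptions made for the demo.

```python
import hashlib
import os
import tempfile

# Constructed sample "evidence": a small byte string standing in for a disk image.
ORIGINAL_IMAGE = b"EVIDENCE-IMAGE-0001" + bytes(range(256)) * 4

CHUNK = 64 * 1024  # hash large images in chunks instead of loading them whole


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at path, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copies(original_path, copy_paths):
    """Compare every copy's hashes against the original's; return {copy_path: bool}."""
    reference = hash_file(original_path)
    return {path: hash_file(path) == reference for path in copy_paths}


def demo():
    """Write the original, a faithful working copy, a faithful reference copy and a
    corrupted copy into a temp dir, verify them, and return {file name: matched}."""
    tmp = tempfile.mkdtemp()
    names = ("original.dd", "working.dd", "reference.dd", "bad.dd")  # assumed names
    paths = {n: os.path.join(tmp, n) for n in names}
    for name in ("original.dd", "working.dd", "reference.dd"):
        with open(paths[name], "wb") as fh:
            fh.write(ORIGINAL_IMAGE)
    # One flipped byte (simulated transfer or storage fault) must be caught.
    with open(paths["bad.dd"], "wb") as fh:
        fh.write(ORIGINAL_IMAGE[:10] + b"\x00" + ORIGINAL_IMAGE[11:])
    verdicts = verify_copies(paths["original.dd"], [paths[n] for n in names[1:]])
    return {os.path.basename(p): ok for p, ok in verdicts.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'MATCH' if ok else 'MISMATCH'}")
```

Record the original's digests in the chain of custody documents before any copy is handed to an analyst, and re-run the compare on the working copy after analysis to show it was not altered.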
