Bisf 2204 Class Task 1

The document provides a comprehensive overview of digital forensics, emphasizing the need for standardization in processes and the importance of certifications for practitioners. It outlines the roles of various groups involved in digital investigations, the evolution of digital forensics tools, and the legal frameworks governing investigations in both public and private sectors. Additionally, it highlights the significance of maintaining professional conduct and understanding the implications of privacy policies in the context of digital forensics.

Uploaded by natembeatallia

22/05450 TALIA SIMIYU

BISF 2204: COMPUTER FORENSICS


Class Task 1: Page 33-70 SUMMARY
INFORMATION SECURITY: GUIDE TO COMPUTER FORENSICS
AND INVESTIGATIONS

Understanding the Digital Forensics Profession and Investigations


An Overview of Digital Forensics
➢ As the world becomes more interconnected, the need for standardization in
digital forensics processes has become more urgent.
➢ Digital forensics involves securing and analyzing digital information
stored on computers for use as evidence in civil, criminal, or
administrative cases. It also includes incident response and research in
digital forensics.
➢ Digital forensics certifications have been created for specific categories
of practitioners, such as government investigators, to address the global
need for standardized methods for sharing and using digital evidence.
➢ In 2012, the International Organization for Standardization (ISO) ratified
a standard for digital forensics, ISO 27037, which defines personnel and
methods for acquiring and preserving digital evidence.
➢ The Federal Rules of Evidence (FRE) and the FBI Computer Analysis
and Response Team (CART) were established to standardize procedures for
handling digital evidence cases.
➢ Court cases have clarified how these rules apply to digital evidence, and
the Fourth Amendment to the U.S. Constitution protects individuals'
rights from search and seizure.
➢ However, investigators often include the suspect's computer and its
components in search warrants to avoid admissibility issues.

Digital Forensics and Other Related Disciplines


➢ Digital forensics is a field that involves scientifically examining and
analyzing data from computer storage media to use it as evidence in
court.
➢ It involves the application of science to the identification, collection,
examination, and analysis of data while preserving the integrity of the
information and maintaining a strict chain of custody.
➢ Digital forensics examines data that can be retrieved from a computer's
hard drive or other storage media, including the storage in laptops and
smartphones.
➢ It differs from data recovery, which involves retrieving information that
was deleted by mistake or lost during a power surge or server crash.
➢ Digital forensics examiners often work as part of a team to secure an
organization's computers and networks, and the digital investigation
function can be viewed as part of a triad that makes up computing
security.
➢ The investigations triad includes threat assessment and risk management,
network intrusion detection and incident response, and digital
investigations.
Figure 1.1: The investigations triad (Vulnerability/Threat Assessment and
Risk Management; Network Intrusion Detection and Incident Response; Digital
Investigations)
Digital Forensics Profession and Investigations

• The digital investigation triad represents three groups or departments responsible for
performing tasks.
• These groups work together to address all aspects of a digital technology investigation
without involving outside specialists.
• In smaller companies, one group might perform all tasks or contract with service providers.

Vulnerability/Threat Assessment and Risk Management


• This group tests and verifies the integrity of stand-alone workstations and network servers.
• Penetration testers test for vulnerabilities of OSs and applications used in the network.
• They conduct authorized attacks on the network to assess vulnerabilities.

Network Intrusion Detection and Incident Response


• This group detects intruder attacks using automated tools and monitors network firewall
logs.
• The response team tracks, locates, and identifies the intrusion method and denies further
access to the network.
• If an intruder launches an attack that causes damage or potential damage, the team collects
evidence for civil or criminal litigation.
• If an internal user is engaged in illegal acts or policy violations, the group might assist in
locating the user.

Digital Investigations Group


• Manages investigations and conducts forensics analysis of systems suspected of containing
evidence related to an incident or a crime.
• For complex casework, the group draws on resources from personnel in vulnerability
assessment, risk management, and network intrusion detection and incident response.

A Brief History of Digital Forensics


➢ Computer technology has become a common part of everyday life, and
electronic crimes, such as the one-half cent crime, have increased in the
financial sector since the 1970s.
➢ Mainframe computers were used by specialized professionals in finance,
engineering, and academia, and white-collar fraud first appeared among
these users.
➢ Law enforcement officers were not well-versed in handling digital data,
leading to the creation of Federal Law Enforcement Training Center
(FLETC) programs.
➢ As PCs replaced mainframe computers in the 1980s, many different
machines and operating systems emerged, including the Apple IIe,
Macintosh, TRS-80, and Commodore 64. CP/M machines such as the Kaypro and
Zenith were also in high demand.

➢ Disk Operating System (DOS) was a popular choice for forensics tools
during the 1980s, with various versions including PC-DOS, QDOS, DR-DOS,
IBM-DOS, and MS-DOS.
➢ These tools were primarily created by government agencies like the
RCMP and the U.S. Internal Revenue Service. Most tools were written in
C and assembly language and were not accessible to the general public.
➢ In the mid-1980s, Xtree Gold and Norton DiskEdit emerged as tools for
recognizing file types and retrieving lost or deleted files.
➢ These tools were compatible with powerful PCs, such as IBM-compatible
computers with hard disks of 10 to 40 MB and two floppy drives. Apple's
Mac SE, released in 1987, represented an important advancement in
computer technology.
➢ In the early 1990s, digital forensics tools were developed by the
International Association of Computer Investigative Specialists (IACIS)
and the IRS.
➢ ASR Data created Expert Witness for Macintosh, which could recover
deleted files and fragments.
➢ As computer technology evolved, more software was developed,
including ILook, which analyzes and reads special files, and AccessData
Forensic Toolkit (FTK), which performs similar tasks in law enforcement
and civilian markets. Software companies are producing more tools to
keep pace with technology.
Understanding Case Law
• Case law is used when existing laws fail to keep up with technological
changes, allowing legal counsel to apply previous cases to current ones.
Examiners must be familiar with recent court rulings on electronic search
and seizure to avoid mistakes. Technology has changed everyday activities,
raising questions about how private conversations and personal devices are
protected. Law enforcement can confiscate devices, but they don't
necessarily have the authority to search them.
Developing Digital Forensics Resources
Essentials to be a successful digital forensics investigator:

• Familiarity with multiple computing platforms is crucial for successful
digital forensics investigators.
• Knowledge of older platforms such as DOS, Windows 9x, and Windows XP, as
well as Linux, macOS, and current Windows 10 platforms, is also important.
• No single person has expertise in every aspect of computing and
technology.
• To supplement your own knowledge, maintain a network of digital,
network, and investigative professionals.
• Joining computer user groups can provide valuable insights into complex
technical areas.
• User groups can be especially helpful when information about obscure
operating systems (OSs) is needed.
• External experts can provide detailed information needed to retrieve
digital evidence.
• For instance, in one case a Macintosh engineer identified the two
software programs used to compress the hard drive, which made it possible
to retrieve information from the drive, including text files indicating the
husband's illicit activities.
Preparing for Digital Investigations
Digital investigations fall into two categories: public-sector investigations
and private-sector investigations.
Public-Sector Investigations
• Involves government agencies responsible for criminal investigations and
prosecution.
• Observes legal guidelines like Article 8 in the Charter of Rights of Canada and
the Fourth Amendment to the U.S. Constitution.
• Involves monitoring computer search and seizure laws.

Private-Sector Investigations
• Focuses on policy violations like non-compliance with HIPAA regulations.
• Can also involve criminal acts like corporate espionage.
• Can start as civil cases but can develop into criminal cases.
• Evidence found in investigations can transition between civil and criminal
cases.
Understanding Law Enforcement Agency Investigations
➢ Understanding laws on computer-related crimes is crucial in public-sector
investigations.
➢ Questions to ask when determining whether a computer crime occurred
include what tool was used and whether the act was a trespass, theft,
vandalism, or an infringement on someone else's rights.
➢ Laws vary by jurisdiction, with EU privacy laws being more stringent
than U.S. privacy laws.
➢ Internal company investigations can involve laws of multiple countries,
as companies consolidate into global entities.
➢ States have added specific language to criminal codes to define crimes
involving computers.
➢ States have expanded the definition of laws for crimes such as theft to
include taking data from a computer without the owner’s permission.
Many serious crimes involve computers, smartphones, and other digital
devices, including sexual exploitation of minors, missing children and
adults, drug dealing, car theft rings, and other criminal activity.
Following Legal Processes
Computer Investigation for Criminal Violations

• The legal process for computer investigations for potential criminal violations
depends on local custom, legislative standards, and rules of evidence.
• A criminal case follows three stages: complaint, investigation, and
prosecution.
• A complaint is filed, followed by a specialist investigating the complaint and a
prosecutor building a case.
• The investigation begins when someone finds evidence of an illegal act or
witnesses one.
• The police officer interviews the complainant and writes a crime report.
• The law enforcement agency processes the report, and management decides to
start an investigation or log the information into a police blotter.
• Police officers are not always computer experts, but some are trained to
recognize what they can retrieve from a computer disk.
• ISO standard 27037 defines two categories of personnel, Digital Evidence
First Responder and Digital Evidence Specialist, to differentiate levels of
skills, training, and experience.
• The scope of the case, including the device’s OS, hardware, and peripheral
devices, is assessed.
• The information is turned over to the prosecutor, who presents the collected
evidence with a report to the government’s attorney.
• If sufficient cause to support a search warrant is found, an affidavit
(declaration) is submitted to a judge with the request for a search warrant before
seizing evidence.

Understanding Private-Sector Investigations


Private-Sector Investigations Overview
➢ Involves private companies and lawyers investigating policy violations
and litigation disputes.
➢ Business operations must be uninterrupted during investigations.
➢ Investigation and apprehension of suspects are secondary to preventing
violations and minimizing business damage.
➢ Businesses aim to minimize or eliminate litigation to address criminal or
civil issues.
➢ Private-sector computer crimes include email harassment, gender and
age discrimination, white-collar crimes, and industrial espionage.
➢ These crimes can be committed by anyone with access to a computer.

Establishing Company Policies


• Publish and maintain clear policies for easy understanding and compliance.
• These policies can facilitate smoother internal investigations.
• The most crucial policies are "acceptable use policies" defining rules for
using the company's computers and networks.
• These policies provide a line of authority for conducting internal
investigations, outlining who has the legal right to initiate an investigation, who
can take possession of evidence, and who can have access to evidence.
• Well-defined policies give computer investigators and forensics examiners the
authority to conduct an investigation.
• Policies demonstrate fairness and objective treatment of employees and ensure
due process for all investigations.
• Regular training and updates on standards and policies are necessary to keep
employees informed.
Displaying Warning Banners

• Organizations can avoid litigation by displaying a warning banner on
computer screens.
• The banner informs end users that the organization has the right to inspect
computer systems and network traffic at will.
• Without such an explicit statement, employees might assume a right of
privacy when using a company's computer systems and network accesses.
• A strong warning banner can prevent the need for a search warrant or court
order under the Fourth Amendment search-and-seizure rules.
• The right to inspect or search at will applies to both criminal activity and
company policy violations.
• The organization's legal department should be consulted before using these
warnings.
• Depending on the type of organization, the following statements can be
used in internal warning banners:
- System and network use is for official business only.
- Systems and networks are subject to monitoring by the owner.
- Using the system implies consent to monitoring by the owner.
- Unauthorized or illegal users of the system or network will be disciplined
or prosecuted.
- Users agree that they have no expectation of privacy relating to all
activity performed on the system.

Warning Banners in Digital Forensics


• The DOJ document at
www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf provides
examples of warning banners.
• Private-sector digital investigators should ensure a company displays a clearly
worded warning banner.
• State laws vary on the expectation of privacy, but all states accept the concept
of a waiver of the expectation of privacy.
• The EU and its member nations impose substantial penalties for
transferring personal information across national boundaries without the
person's consent.

Role of Warning Banners in Prosecution


• Warning banners have been critical in determining that a user didn’t have an
expectation of privacy for information stored on the system.
• Warning banners are easier to present in trial as an exhibit than a policy
manual.
• Government agencies, public libraries, and many corporations now require
warning banners on all computer terminals on their systems.
Designating an Authorized Requester
Computer Investigation Authority Establishment
• Establish a line of authority for computer investigations.
• Use warning banners to state company's rights of computer ownership.
• Specify an authorized requester for investigations.
• Define a policy to avoid conflicts from competing interests.
• Limit who can request computer investigations and forensics analysis.
• Ensure fewer groups have authority to request a computer investigation.
• Groups with authority include corporate security investigations, corporate
ethics office, corporate equal employment opportunity office, internal auditing,
and general counsel or legal department.
• Coordinate requests through the corporate process of employee discipline.
Conducting Security Investigations
Digital Investigations in the Private Sector
• Digital investigations in the private sector are similar to public investigations,
focusing on evidence supporting allegations of company rules violations or
asset attacks.
• Common situations include misuse of digital assets, email abuse, and internet
abuse.
• Email abuse can range from excessive use of a company's email system for
personal use to making threats or harassing others via email.
• Internet abuse involves employees' abuse of Internet privileges, from
excessive use to viewing illegal pornographic images.
• Digital investigators must handle these situations with professionalism and
notify law enforcement.
• The scope of an e-mail investigation ranges from personal use to transmitting
offensive messages, potentially leading to a hostile work environment and a
civil lawsuit against the company.
• Digital forensics examiners provide management personnel with complete and
accurate information to verify and correct abuse problems within an
organization.
• Investigations related to internal abuse can have criminal or civil liability.
• All evidence collected must be treated with the highest level of security and
accountability.
• The Federal Rules of Evidence are the same for civil and criminal matters.
• The silver-platter doctrine allowed a civilian or private-sector investigative
agent to deliver evidence that violated the Fourth Amendment to a law
enforcement agency.
• Private-sector investigators become agents of law enforcement, subject to the
same restrictions on search and seizure as a law enforcement agent.
• The rules controlling the use of evidence collected by private citizens vary by
jurisdiction.
• Litigation is costly, and after assembling evidence, offending employees are
usually disciplined.
• If a criminal act involving a third-party victim has been committed, the
investigator might have a legal and moral obligation to turn the information
over to law enforcement.
Distinguishing Personal and Company Property
Company policies often differentiate between personal and company computer
property, but this distinction can be challenging with personal devices like cell
phones, smartphones, and tablets. When employees synchronize information on
their devices with company network data, questions arise about whether the
information belongs to the company or the employee. This issue is particularly
relevant in the Bring Your Own Device (BYOD) environment, where
companies must address the issue of personal devices accessing company
networks.
Maintaining Professional Conduct
➢ Digital investigators must exhibit high-quality professional conduct to
maintain their credibility.
➢ This includes maintaining objectivity and confidentiality, expanding
technical knowledge, and maintaining integrity.
➢ Objectivity involves forming opinions based on education, training,
experience, and evidence, and avoiding bias.
➢ Confidentiality is crucial in investigations, especially when dealing with
terminated employees or when a case may become criminal. In private-
sector environments, confidentiality is especially important, as a breach
of confidentiality can amount to breach of contract and damage the case.
➢ Continuing professional training is essential in the field of digital
investigations and forensics.
➢ Staying current with the latest technical changes in computer hardware,
software, networking, and forensic tools is essential.
➢ Attending workshops, conferences, and vendor courses can help stay
updated on investigation techniques. Additionally, pursuing certifications
can enhance professional standing. Having an undergraduate degree in
computing or a related field can also improve one's professional standing.
Overall, maintaining objectivity, confidentiality, and professional conduct
is crucial for a digital investigator's reputation and success.
Preparing a Digital Forensics Investigation
A digital forensics professional gathers data from a suspect's computer to
determine evidence of a crime or violation of company policies or regulations.
They prepare a case, document the chain of custody, and preserve evidence.
An Overview of a Computer Crime
Digital Forensics in Law Enforcement

• Law enforcement officers often find computers, smartphones, and other
devices during investigations.
• These devices can contain information that aids in determining the chain of
events leading to a crime or providing evidence that is more likely to lead to a
conviction.
• An example of a case where computers were involved in a crime is a raid on a
suspected drug dealer's home.
• The lead detective examines the computer and cell phone to find and organize
data that could be evidence of a crime.
• The acquisitions officer provides documentation of items collected with the
computer, including a list of other storage media.
• The computer is a Windows 8 system, and the machine was running when it
was discovered.
• Before shutting down the computer, the acquisitions officer photographs all
open windows on the Windows desktop and provides the photos.
• Digital forensics investigators appreciate it when evidence is acquired by
proper procedure, because key data can be altered by an overeager
investigator.
• A range of software is available for use in the investigation, including the tool
Autopsy from Sleuth Kit.
• Older versions of tools often need to be used in forensics investigations due to
some cases involving computers running legacy OSs.
• After a preliminary assessment, potential challenges are identified, and steps
are taken to investigate the case, including addressing risks and obstacles.
An Overview of a Company Policy Violation
Digital Forensics in Company Policy Violations

• Companies establish policies for employee computer use, aiming to prevent
wasted time.
• Digital forensics specialists are used to investigate policy violations, as lost
time can cost companies millions.
• An example is given of a missing sales representative, George Montgomery,
who has been absent without reporting.
• Steve Billings, the manager, requests the confiscation of George's hard drive
and storage media to investigate his whereabouts and job performance concerns.
• A systematic approach is suggested to examine and analyze the data found on
George's desk.
Taking a Systematic Approach
Case Preparation and Systems Analysis Steps

• Initial Assessment: Discuss the type of case with others involved and inquire
about the incident. Determine if the computer was used for a crime or if it
contains evidence.
• Preliminary Design or Approach: Outline the steps needed to investigate the
case. Determine whether the suspect's computer can be seized during work
hours, or whether law enforcement officers have already gathered the needed
information.
• Detailed Checklist: Refine the general outline by creating a detailed checklist
of steps and estimated time for each step.
• Determine Resources Needed: List the software and tools needed for the
investigation based on the OS of the computer.
• Obtain and Copy an Evidence Drive: Make a forensic copy of the disk (of
each disk, if multiple computers were seized).
• Identify Risks: List the problems expected in the case type.
• Mitigate or minimize risks: Identify ways to minimize risks, such as making
multiple copies of original media before starting.
• Test the design: Review decisions and steps made, including comparing hash
values.
• Analyze and recover digital evidence: Examine the disk to find digital
evidence, addressing any risks and obstacles.
• Investigate the data recovered: View information recovered from the disk,
including existing files, deleted files, emails, and Web history.
• Complete the case report: Write a detailed report detailing the investigation
and findings.
• Critique the case: Review the case to identify successful decisions and actions
and identify areas for improvement.
• Time and effort: The time and effort put into each step varies depending on the
nature of the investigation.
• Contingency plan: Always have a contingency plan for the investigation,
including alternative software and hardware tools.

Assessing the Case

Investigating Case Requirements in Digital Forensics

• Identifying case requirements involves systematically outlining case details,
including the nature of the case, type of evidence available, and location of
evidence.
• In the case of George Montgomery, the focus has shifted to possible employee
abuse of company resources.
• The nature of the case is side business conducted on the company computer.
• The specifics of the case include the employee registering domain names for
clients and setting up their websites at local ISPs.
• The type of evidence is a small-capacity USB drive connected to a company
computer.
• The known disk format is NTFS.
• The location of evidence is one USB drive recovered from the employee’s
assigned computer.
• The task is to gather data from the seized storage media to confirm or deny the
allegation that George is conducting a side business on company time and
computers.
• The evidence obtained might be exculpatory, meaning it could prove George’s
innocence.
• Systematic and thorough investigation is more likely to produce consistently
reliable results.
Planning Your Investigation
Investigation Plan for Montgomery_72018 Case

• Acquire the USB drive from the IT Department staff who confiscated the
storage media and bagged and tagged the evidence.
• Complete an evidence form and establish a chain of custody.
• Transport the evidence to a digital forensics lab.
• Place the evidence in an approved secure container.
• Prepare a forensic workstation.
• Retrieve the evidence from the secure container.
• Make a forensic copy of the evidence drive.
• Return the evidence drive to the secure container.
• Process the copied evidence drive with digital forensics tools.
• Document the evidence: record details about the media, including who
recovered the evidence and when, and who has possessed it. An evidence
custody form documents what has and has not been done with the original
evidence and the forensic copies.
• Depending on the environment, create an evidence custody form suited to
law enforcement or to private security.

• The evidence custody form should be completed consistently from one
investigation to the next.
• The form includes:
- Case number: The number assigned when an investigation is initiated.
- Investigating organization: The name of the organization conducting the
investigation.
- Investigator: The name of the investigator assigned to the case.
- Nature of case: A brief description of the case.
- Location evidence was obtained: The exact location where the evidence was
collected.
- Description of evidence: A list of the evidence items.
- Vendor name: The name of the manufacturer of the computer component.
- Model number or serial number: The model number or serial number of the
computer component.
- Evidence recovered by: The name of the investigator who recovered the
evidence.
- Date and time: The date and time the evidence was taken into custody.
- Evidence placed in locker: The approved secure container used to store the
evidence (a locked, fireproof locker or cabinet with limited access).
- Item #/Evidence processed by/Disposition of evidence/Date/Time: Filled in
when retrieving evidence from the evidence locker for processing and
analysis.
- Page: The forms used to catalog all evidence for each location should have
page numbers.
Tip
This form allows for flexibility in tracking evidence for a chain-of-custody log
and provides more space for descriptions. It accurately accounts for actions
taken during investigative analysis. Both multi-evidence and single-evidence
forms can be used for redundancy and quality control.
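Here is an added example (not from the textbook or the course) of how the custody form above can be kept as a data structure so that the chain of custody for each item can be reconstructed from the recorded handling entries. The case number and the USB drive description come from the case discussed above; all names, the vendor string, the serial number placeholder, the locker name and the timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Added example, not from the textbook: a multi-evidence custody form that
# carries the fields listed above and keeps the item #/processed by/
# disposition/date/time entries as a per-item handling log. All names,
# vendor strings and timestamps are constructed for illustration.

RETURNED = "returned to locker"  # disposition that hands custody back to the secure container


@dataclass
class EvidenceItem:
    item_no: int
    description: str
    vendor: str
    model_or_serial: str
    recovered_by: str
    date_time: datetime              # when the item was taken into custody
    location_obtained: str
    locker: str                      # approved secure container the item was placed in
    handling: List[Dict] = field(default_factory=list)


@dataclass
class CustodyForm:
    case_number: str
    organization: str
    investigator: str
    nature_of_case: str
    items: List[EvidenceItem] = field(default_factory=list)

    def add_item(self, **fields) -> EvidenceItem:
        """Catalog a new item; item numbers are assigned sequentially and never reused."""
        item = EvidenceItem(item_no=len(self.items) + 1, **fields)
        self.items.append(item)
        return item

    def _item(self, item_no: int) -> EvidenceItem:
        for item in self.items:
            if item.item_no == item_no:
                return item
        raise KeyError(f"item {item_no} is not on form {self.case_number}")

    def process(self, item_no: int, processed_by: str, disposition: str, when: datetime) -> None:
        """Record a handling step (check-out for imaging, return to locker, ...)."""
        item = self._item(item_no)
        if item.handling and when < item.handling[-1]["when"]:
            raise ValueError("handling entries must be recorded in chronological order")
        item.handling.append({"processed_by": processed_by, "disposition": disposition, "when": when})

    def custody_holder(self, item_no: int) -> str:
        """Who holds the item now: the locker, or the last person who took it out."""
        item = self._item(item_no)
        if not item.handling or item.handling[-1]["disposition"] == RETURNED:
            return item.locker
        return item.handling[-1]["processed_by"]

    def chain_of_custody(self, item_no: int) -> List[str]:
        """One line per custody event, oldest first, as it would be read out in court."""
        item = self._item(item_no)
        lines = [f"{item.date_time.isoformat()} recovered by {item.recovered_by} "
                 f"at {item.location_obtained}; placed in {item.locker}"]
        for e in item.handling:
            lines.append(f"{e['when'].isoformat()} {e['processed_by']}: {e['disposition']}")
        return lines


def montgomery_form() -> CustodyForm:
    """Fill in the form for the USB drive in the Montgomery_72018 case (constructed details)."""
    form = CustodyForm(case_number="Montgomery_72018",
                       organization="Example Corp Security (constructed)",
                       investigator="Examiner A (constructed)",
                       nature_of_case="Possible side business run on company computer")
    form.add_item(description="Small-capacity USB drive, NTFS-formatted",
                  vendor="Example Vendor (constructed)",
                  model_or_serial="SN-PLACEHOLDER",
                  recovered_by="IT Department staff (constructed)",
                  date_time=datetime(2018, 7, 20, 9, 30, tzinfo=timezone.utc),
                  location_obtained="Employee's assigned computer, sales office",
                  locker="Evidence locker A (constructed)")
    # Check the drive out for imaging, then return it; the copy, not the original, is analysed.
    form.process(1, "Examiner A (constructed)", "checked out for forensic imaging",
                 datetime(2018, 7, 20, 10, 0, tzinfo=timezone.utc))
    form.process(1, "Examiner A (constructed)", RETURNED,
                 datetime(2018, 7, 20, 11, 15, tzinfo=timezone.utc))
    return form


if __name__ == "__main__":
    f = montgomery_form()
    print("\n".join(f.chain_of_custody(1)))
    print("current holder:", f.custody_holder(1))
```

The chronological check in `process` is the point of the structure: an entry dated before the previous one would leave an unexplained gap in who held the item, which is exactly what opposing counsel looks for in a custody record.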
Securing Your Evidence
Digital Forensics Procedures and Storage

• Digital investigations require flexible procedures to account for various items,
including computer systems and storage media.
• Large computer components like CPU cabinets, monitors, keyboards, and
printers are too large for evidence bags.
• Large evidence bags, tape, tags, labels, and other products can be used to
secure and catalog evidence.
• Antistatic bags and pads with wrist straps are recommended to prevent damage
to computer evidence.
• Computer evidence should be placed in a well-padded container to prevent
damage during transport.
• Evidence tape can be used to seal all openings on large computer components.
• Initials should be written on the tape before applying it to the evidence to
prove its security.
• New disks should be placed in disk drives to reduce possible drive damage
during transport.
• Computer components require specific temperature and humidity ranges to
prevent damage.
• A safe environment for transporting and storing computer evidence is crucial
until a secure evidence container is available.
Procedures for Private-Sector High-Tech Investigations
Investigations for Employee Termination Cases and Internet Abuse
Investigations

Employee Termination Cases


• Most investigations involve employee abuse of company resources.
• Incidents that create a hostile work environment are the predominant types of
cases investigated.
• Investigations should be conducted with the organization’s general counsel
and Human Resources Department.
• The organization must have appropriate policies in place.
Internet Abuse Investigations
• The investigation applies to an organization’s internal private network, not a
public ISP.
• The organization’s Internet proxy server logs, suspect computer’s IP address,
suspect computer’s disk drive, and a preferred digital forensics analysis tool are
required.
• The recommended processing of an Internet abuse case includes:
- using standard forensic analysis techniques;
- searching for and extracting all Web page URLs and associated
information;
- requesting a proxy server log;
- comparing the data recovered from forensic analysis with the network
server log data;
- continuing the analysis if the URL data matches the network server log and
the forensic disk examination.
• Before investigating an Internet abuse case, research your state or country’s
privacy laws.
• Always consult with your organization’s attorney.
• For investigations where the network server log doesn’t match the forensics
analysis, continue the examination of the suspect computer’s disk drive.
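As an added example (not part of the textbook), the following Python script carries out the comparison step: it parses a proxy server log, normalizes the URLs recovered from the suspect's disk, and separates the URLs the log corroborates from those it does not. The log format, the IP address 10.1.2.33 and every URL and host name are constructed for illustration.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Added example, not from the textbook: correlate URLs recovered from the
# suspect's drive with the organisation's proxy server log. The log format,
# the IP address and every URL below are constructed for illustration.

# Constructed proxy log: timestamp, client IP, method, URL, HTTP status.
PROXY_LOG = """\
2024-03-04T09:15:02Z 10.1.2.33 GET http://example-hosting.test/signup 200
2024-03-04T09:16:40Z 10.1.2.33 GET http://example-registrar.test/domains/new 200
2024-03-04T09:20:11Z 10.1.2.34 GET http://intranet.corp.test/timesheet 200
malformed line that a real log might contain
2024-03-04T13:02:55Z 10.1.2.33 GET https://mail.corp.test/inbox 200
""".splitlines()

# Constructed list of URLs as a forensic tool would extract them from browser
# history, cache and unallocated space on the suspect's disk.
DISK_URLS = [
    "http://example-registrar.test/domains/new",
    "http://example-hosting.test/signup?ref=promo",
    "http://Example-Hosting.test/clients/acme",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def normalize(url: str) -> str:
    """Reduce a URL to scheme://host/path so query strings and host case do not hide a match."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def parse_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def correlate(disk_urls: List[str], log_lines: List[str], suspect_ip: str) -> Dict[str, List[str]]:
    """Split the evidence into URLs seen on both disk and proxy, disk only, and proxy only."""
    log_urls = {normalize(e["url"]) for e in parse_proxy_log(log_lines) if e["ip"] == suspect_ip}
    disk_urls_n = {normalize(u) for u in disk_urls}
    return {
        "corroborated": sorted(disk_urls_n & log_urls),  # disk evidence backed by the server log
        "disk_only": sorted(disk_urls_n - log_urls),     # log does not match: keep examining the drive
        "log_only": sorted(log_urls - disk_urls_n),      # activity the disk analysis has not yet surfaced
    }


if __name__ == "__main__":
    result = correlate(DISK_URLS, PROXY_LOG, "10.1.2.33")
    for bucket, urls in result.items():
        print(bucket)
        for u in urls:
            print("   ", u)
```

The "disk_only" bucket is the case the last bullet above describes: a URL on the drive that the proxy log does not show means the examination of the disk continues rather than stopping at the log, since the log may be incomplete or the page may have been visited off the corporate network.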
E-mail Abuse Investigations
Email investigations involve examining spam, inappropriate content, and
harassment. Organizations must have a defined policy for email abuse
investigations.
To conduct an investigation, an electronic copy of the offending email with
message header data is required. If available, email server log records should be
consulted. Access to the server is necessary for systems that store user messages
on a central server.
For computer-based email data files, standard forensics analysis techniques
should be used for drive examination. Server-based email data files should be
obtained from the email server administrator. For web-based email
investigations, related email address information should be extracted using
internet keywords.
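Extracting the header data an e-mail abuse case depends on, as an added example that is not part of the textbook or this summary. The offending message, its hosts and addresses are constructed placeholders; the relay chain and the sender/return-path mismatch are the kind of facts later compared against the e-mail server log records.

```python
"""Added example: pull the header data an e-mail abuse investigation relies on
from an electronic copy of the offending message. The message is constructed."""
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message with full header data (hosts and addresses are placeholders).
RAW_MESSAGE = """\
Return-Path: <bulkmailer@outside-sender.test>
Received: from mail.corp.test (mail.corp.test [10.0.0.5])
    by mbox.corp.test with ESMTP id abc123; Tue, 14 Nov 2023 10:05:02 +0000
Received: from relay.outside-sender.test (relay.outside-sender.test [198.51.100.7])
    by mail.corp.test with ESMTP id xyz789; Tue, 14 Nov 2023 10:05:00 +0000
From: "IT Helpdesk" <helpdesk@corp.test>
To: employee@corp.test
Subject: Urgent: confirm your password
Date: Tue, 14 Nov 2023 10:04:58 +0000
Message-ID: <20231114100458.1@relay.outside-sender.test>

Please reply with your password to keep your mailbox active.
"""


def header_summary(raw):
    """Return the header facts an investigator records for an e-mail abuse case."""
    msg = message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg["From"]))
    _, return_path = parseaddr(str(msg["Return-Path"]))
    hops = []
    for rcv in msg.get_all("Received", []):
        # Each Received line reads "from <source> ... by <destination> ...";
        # keep the two host names so the relay chain can be checked against logs.
        parts = str(rcv).split()
        src = parts[parts.index("from") + 1] if "from" in parts else "?"
        dst = parts[parts.index("by") + 1] if "by" in parts else "?"
        hops.append((src, dst))
    return {
        "from_addr": from_addr,
        "return_path": return_path,
        "message_id": str(msg["Message-ID"]),
        "sent": parsedate_to_datetime(str(msg["Date"])),
        "hops": hops,  # newest hop first, as they appear in the header
        # A From: domain that differs from the Return-Path domain is worth noting.
        "sender_mismatch": from_addr.split("@")[-1] != return_path.split("@")[-1],
    }
```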
Attorney-Client Privilege Investigations
Digital forensics analysis under attorney-client privilege (ACP) rules requires
confidentiality of findings. Attorneys typically request data extraction from
drives, and it is the investigator's responsibility to comply with their
directions. Printouts can be problematic for large data files or proprietary
programs. Educating attorneys on viewing and sorting files electronically helps
them analyze large volumes of data efficiently. Problems may arise when examining
binary files such as CAD drawings or files from specialized drafting programs.
Identifying the programs used to create design plans is crucial so that attorneys
and expert witnesses can review the evidence files.
Conducting an ACP Case: Basic Steps
• Request a memo from the attorney directing the investigation.
• Request a list of keywords of interest to the investigation.
• Initiate the investigation and analysis after receiving the memorandum.
• Make two bit-stream images of the drive for drive examinations.
• Verify the hash values on all files on the original and re-created disks or its
image file.
• Methodically examine every portion of the drive and extract all data.
• Run keyword searches on allocated and unallocated disk space.
• Use specialty tools to analyze and extract data from the Registry.
• Find the correct program for binary files, such as CAD drawings.
• Use a tool that removes or replaces nonprintable data for unallocated data
recovery.
• Consolidate all recovered data from the evidence bit-stream image into well-
organized folders and subfolders.
• Store the recovered data output in a logical and easy-to-follow storage method
for the attorney or paralegal.
• Minimize all written communication with the attorney.
• Assist the attorney and paralegal in analyzing the data.
• Keep an open line of verbal communication with the attorney during these
types of investigations.
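The imaging, hash verification, keyword search and nonprintable-data steps above, as an added example that is not part of the textbook or this summary. The "drive" is a constructed byte buffer with an allocated region followed by unallocated space; a real case would read a device or an image file.

```python
"""Added example: verify bit-stream images against the original, then run a
keyword search across allocated and unallocated space. The drive is constructed."""
import hashlib
import re

# Constructed toy drive: an allocated file area, then unallocated space that
# still holds remnants of a deleted document plus binary noise.
ALLOCATED = b"Project Falcon drawing v3 - CAD export\x00" * 2
UNALLOCATED = (b"\x00\xff\x13deleted memo: Falcon merger terms\x07\x7f\x00"
               + bytes(range(256)))
ORIGINAL_DRIVE = ALLOCATED + UNALLOCATED
ALLOCATED_END = len(ALLOCATED)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_images(drive, count=2):
    """Make bit-stream copies (here, byte copies); return them with their hashes."""
    images = [bytes(drive) for _ in range(count)]
    return images, [sha256(img) for img in images]


def verify_images(original, images):
    """True only if every image hashes identically to the original drive."""
    ref = sha256(original)
    return all(sha256(img) == ref for img in images)


def keyword_search(image, keywords, allocated_end):
    """Return (keyword, offset, region) hits, so counsel can see where data lived."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), image, re.IGNORECASE):
            region = "allocated" if m.start() < allocated_end else "unallocated"
            hits.append((kw, m.start(), region))
    return sorted(hits, key=lambda h: h[1])


def printable_strings(data, min_len=8):
    """Drop nonprintable bytes from unallocated space, keeping runs of text."""
    return [s.decode("ascii")
            for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]
```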

Industrial Espionage Investigations
• Industrial espionage investigations can be time-consuming and subject to
scope creep problems.
• Cases dealing with foreign nationals may violate International Traffic in Arms
Regulations (ITAR) or Export Administration Regulations (EAR).
• All suspected industrial espionage cases should be treated as criminal
investigations.
• Techniques described are for private network environments and internal
investigations not yet reported to law enforcement officials.
• Staff needed for an industrial espionage investigation include a digital
investigator, a technology specialist, a network specialist, and a threat
assessment specialist.
International Competition Network Guidelines for Digital Evidence Gathering
in Private-Sector Settings
• Guidelines used by over 90 jurisdictions.
• Determine if the investigation involves a possible industrial espionage
incident.
• Consult with corporate attorneys and upper management for discreet
investigations.
• Determine necessary information to substantiate the allegation.
• Generate keywords for disk forensics and network monitoring.
• List and collect necessary resources.
• Determine the investigation's goal and scope.
• Initiate the investigation after management approval.

Planning Considerations for Industrial Espionage Investigations
• Examine all emails of suspected employees.
• Search internet forums or blogs for postings related to the incident.
• Initiate physical surveillance with cameras.
• Examine facility access logs for sensitive areas.
• Determine the suspect's location in relation to the compromised resource.
• Study the suspect’s work habits.
• Collect all incoming and outgoing phone logs.

Basic Steps for Conducting an Industrial Espionage Case
• Gather all personnel and brief them on the plan.
• Gather necessary resources.
• Start the investigation by placing surveillance systems at key locations.
• Gather additional evidence discreetly.
• Collect all log data from networks and email servers.
• Report regularly to management and corporate attorneys.
• Review the investigation's scope to determine if it needs to be expanded.
Interviews and Interrogations in High-Tech Investigations
Understanding Interviews and Interrogations in High-Tech Investigations

• Digital investigators are typically technical individuals who acquire evidence
for investigations.
• Many large organizations have full-time security investigators with years of
experience in criminal and civil investigations.
• Interrogations differ from interviews as they aim to get a suspect to confess to
a specific incident or crime.
• The digital investigator's role is to instruct the investigator conducting the
interview on what questions to ask and what the answers should be.
• The digital investigator also builds rapport with the investigator conducting
the interview and may ask the suspect questions.
• Common interview and interrogation errors include being unprepared, not
having the right questions, and doubting one's own skills.
• Key ingredients for a successful interview or interrogation include patience,
repeating questions, and being tenacious.
