Investigation Tips

Created: 28.11.2018

Determine the investigation type first, since it dictates which data you need, the scope and extent of collection, and the strategy.

⚠️ Especially important in IP (intellectual property) cases: ensure that the suspect's data and devices are IMMEDIATELY preserved and not accessed by anyone. Every access changes last-accessed timestamps, recent-file lists and similar artefacts, and can overwrite deleted data you would otherwise recover, which weakens both the timeline and the evidence.

  • ❓ What is the case about?
  • ❓ What evidence do we expect to recover?
  • ❓ Where is the evidence most likely located?
  • ❓ What are the legal restrictions?
  • ❓ Who is involved and what’s their role?

Develop a plan to collect the data. Each type of data requires its own plan, which should prioritise the sources and fix the order of collection (most volatile first). For example, with a system that is still powered on: first take photos of the screen, then collect the volatile data (RAM), then make a copy of the hard drive. Only then turn it off and send it to the lab in a sealed evidence bag. Maintain the chain of custody throughout: who handled which item, when, and the hash of every copy made.

🗒 For the different case types, make a checklist.
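The collection plan and the chain of custody from the paragraph above, as an added example (this is not code from the original notes): it orders the requested sources most-volatile-first (the RFC 3227 idea), streams a source "device" into an image file while hashing the bytes read, re-hashes the written image to verify it, and appends a custody entry in JSON Lines. A temporary file stands in for the block device so it runs anywhere; the evidence ID, examiner name and paths are assumptions for illustration.

```python
"""Verified image acquisition plus a chain-of-custody record.

Added example; not code from the original notes. The device content,
evidence ID, examiner name and paths are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Most volatile first; anything not listed is collected last.
VOLATILITY_ORDER = [
    "screen_photo", "memory", "network_state", "process_list",
    "disk", "removable_media", "backup_media",
]


def plan_collection(sources):
    """Return the requested sources sorted most-volatile-first."""
    rank = {name: i for i, name in enumerate(VOLATILITY_ORDER)}
    return sorted(sources, key=lambda s: rank.get(s, len(rank)))


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(src, dst, chunk=1 << 20):
    """Copy src to dst, hashing what was read; re-hash dst and verify."""
    h_read = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(chunk), b""):
            h_read.update(block)
            fout.write(block)
        fout.flush()
        os.fsync(fout.fileno())          # make sure the image hit the disk
    digest = h_read.hexdigest()
    if sha256_file(dst) != digest:       # re-read the image; never trust the write
        raise RuntimeError("image verification failed: hash mismatch")
    return digest


def custody_record(evidence_id, src, dst, digest, examiner, action="acquired"):
    """One chain-of-custody entry: who did what to which item, and when."""
    return {
        "evidence_id": evidence_id,
        "action": action,
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": src,
        "image": dst,
        "image_size": os.path.getsize(dst),
        "sha256": digest,
    }


def append_custody_log(log_path, record):
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")


def demo():
    """Acquire a constructed 'device' end to end; return the custody record."""
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "sdb")          # stand-in for /dev/sdb
        image = os.path.join(workdir, "EV-2018-001.raw")
        log = os.path.join(workdir, "custody.jsonl")
        with open(device, "wb") as f:                  # constructed content
            f.write(bytes(range(256)) * 8192 + b"trailing-sector")
        digest = acquire_image(device, image)
        record = custody_record("EV-2018-001", device, image, digest, "examiner.a")
        append_custody_log(log, record)
        # Independent re-hash of the source, as a second examiner would do.
        record["independent_sha256_matches"] = sha256_file(device) == digest
        return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing the stream as it is read and separately re-hashing the written file catches both a faulty source read and a silent write error; the custody log is append-only so that every later action (transfer, verification, return) adds a line rather than rewriting history.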

Exfiltration

It usually means that someone has leaked confidential information. It also usually means that the person exfiltrated it to one recipient only, so you would be looking for e-mail or chat conversations involving just two parties (no CC or BCC).
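The two-party filter described above, as an added example (not code from the original notes): given message metadata (sender, To, CC, BCC, attachment names) it keeps only messages that involve the suspect, have exactly one recipient and no CC/BCC, and whose other party is outside the company's domains, then summarises per counterparty. The suspect mailbox, the internal domains and the sample messages are constructed for illustration.

```python
"""Find one-to-one conversations between the suspect and outside parties.

Added example; not code from the original notes. Mailbox, domains and
messages below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

SUSPECT = "j.doe@corp.example"            # assumed suspect mailbox
INTERNAL_DOMAINS = {"corp.example"}        # assumed company domains


@dataclass
class Message:
    msg_id: str
    sender: str
    to: list[str]
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    attachments: list[str] = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_one_to_one(msg: Message) -> bool:
    """Exactly one addressee and nobody copied, visibly or blind."""
    return len(msg.to) == 1 and not msg.cc and not msg.bcc


def counterparty(msg: Message, suspect: str = SUSPECT) -> str | None:
    """The other side of a one-to-one exchange with the suspect, if any."""
    if not is_one_to_one(msg):
        return None
    parties = {msg.sender.lower(), msg.to[0].lower()}
    if suspect.lower() not in parties:
        return None
    other = parties - {suspect.lower()}
    return other.pop() if other else None   # self-addressed mail has no counterparty


def find_exfil_candidates(messages, suspect=SUSPECT, internal=INTERNAL_DOMAINS):
    """Messages of interest: one-to-one with the suspect, other side external."""
    hits = []
    for m in messages:
        other = counterparty(m, suspect)
        if other and domain_of(other) not in internal:
            hits.append((m.msg_id, other, m.attachments))
    return hits


def summarise_by_counterparty(hits):
    """Per external address: message count and attachment names seen."""
    summary = defaultdict(lambda: {"messages": 0, "attachments": []})
    for _, other, attachments in hits:
        summary[other]["messages"] += 1
        summary[other]["attachments"].extend(attachments)
    return dict(summary)


# Constructed sample: normal internal traffic mixed with suspicious threads.
SAMPLE = [
    Message("m1", SUSPECT, ["rival@competitor.example"], attachments=["roadmap.pdf"]),
    Message("m2", SUSPECT, ["team@corp.example"], cc=["boss@corp.example"]),
    Message("m3", SUSPECT, ["rival@competitor.example"], cc=["colleague@corp.example"]),
    Message("m4", "rival@competitor.example", [SUSPECT]),
    Message("m5", SUSPECT, ["jdoe.personal@webmail.example"], attachments=["customers.xlsx"]),
    Message("m6", "colleague@corp.example", [SUSPECT], attachments=["minutes.docx"]),
    Message("m7", SUSPECT, [SUSPECT], attachments=["notes.txt"]),
]

if __name__ == "__main__":
    hits = find_exfil_candidates(SAMPLE)
    for msg_id, other, atts in hits:
        print(msg_id, other, atts)
    print(summarise_by_counterparty(hits))
```

Note that a personal webmail address counts as an external counterparty (m5 above), which is how "sending it to myself" shows up, while a message the suspect addresses only to their own corporate mailbox (m7) has no counterparty and is dropped. The same filter applies to chat exports once they are mapped onto sender/recipients.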

IP cases questions

  • ❓ What did the suspect do to get the IP out of the building?
  • ❓ How did the suspect access email accounts?
  • ❓ Cloud ⛅️ storage used?
  • ❓ Remote transfer?
  • ❓ DVDs/CDs/USBs?
  • ❓ Was the suspect negotiating salary and benefits with competitors?
  • ❓ Was he/she selling the information?
  • ❓ Mass deletion or drive wiping?

E-discovery

Electronic aspects of identifying, collecting and producing electronically stored information (emails, websites, documents) in response to a request for production in a lawsuit or investigation. ❗️ Focused on the metadata, not the data itself: how, when and where was the document created?

  • ❓ How, when and where was the doc created?
  • ❓ What is the case about?
  • ❓ What evidence do we expect to recover?
  • ❓ Where is the evidence most likely located?
  • ❓ What are the legal restrictions?
  • ❓ Who is involved and what’s their role?

💡 Maybe it's better to arrange this as a table. Merge with the information from the Cyber Triage DFIR webinar by Brian Carrier and Digital Archaeology.