Tips

Investigation Tips

Determine the investigation type since it will influence the data you need, the scope, extent and strategy.

⚠️ It’s a very important thing to note in case of IP (intellectual property cases). Ensure, that data and devices of the suspect are IMMEDIATLY preserved and not accessed by anyone. I guess that’s because of the timestamps.

• ❓ What is the case about?
• ❓ What evidence do we expect to recover?
• ❓ Where is the evidence most likely located?
• ❓ What are the legal restrictions?
• ❓ Who is involved and what’s their role?

Develop a plan to collect the data. Each type of data will require separate plan. This plan should prioritise the sources and the order. For example, if you are dealing with a system that is turned on, first, take photos of the screen, then collect the volatile data (RAM) and them make a copy of a hard drive. Then turn it off and send to the lab in a safety bag. Maintain chain of custody.