Investigation Considerations


Start Here

A digital forensic investigation process can involve many steps and procedures. The objective is to obtain unbiased information in a verifiable manner using accepted forensic practices. In this project, you will perform some of the steps necessary for setting up an investigation. These steps include designing interview questions that establish the needs of the case and provide focus for your investigative efforts. You will also determine what resources may be needed to conduct the investigation. Once you have this information, you will be able to develop an investigation plan that properly sequences activities and processes, allowing you to develop time estimates and contingency plans should you encounter challenges in the investigation.

This situation involves two computers and a thumb drive. After clear authorization to proceed has been obtained, one of the first investigative decision points is whether to process the items of evidence individually or together. Processing computers individually makes sense when they are not likely tied to the same case. However, if the computers are linked to the same case, there can be advantages in processing them together.

There are four steps in this project. In Step 1, you will develop interview protocols and identify documentation needs for a forensic investigation. In Step 2, you will identify tools and software needed for the investigation. In Step 3, you will develop a plan for conducting the investigation, and in Step 4, you will consolidate your efforts in the form of a single document to be submitted to your supervisor (i.e., your instructor). The final assignment in this project is a planning document with a title page, table of contents, and distinct section for each of the three steps in the project. Consult the relevant sections of Guidelines for Project 1 Investigation Project Plan in every step.

In Step 1, get started on the plan by creating an interview form to record questions, key words, and authorization information, and to complete the legal forms needed in this case. However, before you can do that, you need to review your training in criminal investigations.

Guidelines for Investigation Project Plan

Your report must be organized and written in a way that is easy to follow. Include all requirements that are identified in the Project 1 steps as well as here in the guidelines.

Each section of the report should be clearly identified. Use the terms figure and table to refer to all images and graphics. Take time to check your sentence structure, expression of ideas, and spelling. Your writing must flow and make sense.

Tables, screenshots, graphs, and artifact images contained in your report should be individually labeled and numbered using APA format (e.g., Table 1 Expense Budget, Figure 1 Screenshot of Washer ATM Image). Check the UMGC library for the proper APA formatting.

Your instructor may require additional details and different formatting approaches. Rely on your instructor’s guidance and feedback to produce the highest level of deliverables to meet or exceed performance standards for Project 1 in DFC 620/CST 640.

Consider the following sections as the minimum starting point.

  • Title Page
  • Include the title, your name, course name, and date.
  • Table of Contents
  • This will be a list of all upcoming sections.
  • Purpose
  • In brief, this section should include what you as the investigator are trying to achieve through this investigation. Note: You may want to include an abstract since you will be required to include an abstract in many of your future papers that you write in the UMGC graduate program. Your instructors will expect it and your paper submissions will stand out as polished graduate-level work. If you don’t know what an “abstract” is, review in the UMGC library or search online. This is the time to learn and grow.
  • Meetings and Agendas
  • Identify the types of meetings that should be held and identify the issues to be discussed with each group of meetings that need to be conducted. Be sure to include in the timeline section when the meetings should occur.
    Create a meeting agenda to accompany each proposed category of meetings. (You can research how to prepare proper agenda format). Your instructor may provide feedback on this issue.
  • Required Forms
  • Application for Search Warrants
  • Chain of Custody Form – Completed
  • Consent Form – Example
  • Search Warrant – Example
  • Removal Media Worksheet
  • Hard Drive Evidence Worksheets
  • Proposed Keyword Searches
  • Checklist of Forensic Equipment and Software
  • List everything you need in the field and back at your workstation. You can have one long list with subsections or multiple lists.
  • Investigative Process
  • Describe step-by-step what you found and where. In an actual investigation, it is important that you specifically describe each action taken during your investigation examination. For this course, provide screenshots of your work to demonstrate your mastery of the course lab competencies. Refer to your screenshots using sequentially numbered figures by section, so figures in section five would go Figure 5-1, Figure 5-2, etc.
    Summarize and explain what you have learned and why this information is important at each step. Express in your own words what you have learned about developing and implementing a digital forensics investigation plan after you have read your reference sources. Use APA in-text citations. Include all cited sources in the reference section at the end of this plan.
    Do not copy and paste information from your sources. Summarize what you have learned. You can include short quotations from a reference source that helps you make your point, but it should be a phrase or two to three sentences at most. However, you must properly credit and cite the reference source. Describing your supporting analysis in your own words and quoting credible sources will help make your Project 1 paper stand out.
  • Interview Forms with Questions
  • Develop separate sets of investigative questions that you would separately ask of each potential type of witness in the project (e.g., for a company IT director, for coworkers, for witnesses). The more detailed, the better. You can learn about the types of questions to ask by reading the references in the course and by performing your own research concerning the questioning of witnesses during a digital forensics investigation. (See NIST’s Guide to Integrating Forensic Techniques into Incident Response, Special Publication 800-86; the National Institute of Justice’s (NIJ) Forensic Examination of Digital Evidence: A Guide for Law Enforcement; US Secret Service’s Best Practices for Seizing Electronic Evidence; UMGC course references; and other sources.) You will also have to conduct your own research to get a feel for what to ask. Your instructor may provide some feedback on this issue.
    Fully develop a list of contact people who will be important and useful throughout the investigation process (e.g., company, legal counsel, case investigator, case prosecutor, company IT manager, department director, employee supervisor, local law enforcement, human resources director, assigned digital forensics examiner, etc.). This is a start. There are more contact categories that may apply. Again, you will learn more about whom to contact by conducting proper research as you attempt to meet the Project 1 requirements. Don’t just make things up. Your instructor may provide some feedback on this issue.
  • Investigation Timeline
  • Create a visual timeline graphic using functions in Microsoft Word or any other familiar tool. Your graphics should be referenced and described in your report narrative (e.g. …see the interview phase in Figure 7-1. Investigation Plan Timeline). Illustrate the activities that will occur during each interval. For example, your timeline should have details such as set out 30 days to image all drives, 60 days evidence review and analysis, 90 days report writing, witness preparation. These time frames are just general examples of how explicitly detailed your timeline graphic and narrative work should be.
  • Investigative Budget
  • Your budget should be presented in tables using Microsoft Word, Microsoft Excel, or Mac Numbers format. Label each table with number and title (e.g., Table 8-1: Equipment Budget, Table 8-2: Labor) for easy referencing. Tables should contain projected/estimated costs for each line item, expenses, equipment expenses, labor expense, number of examiners, hourly rate, total estimated/projected time per examiner, number and type of computers and costs, software licensing expense, estimated imaging time per drive or electronic media, report writing time, witness preparation time, expert witness testimony time, hard drive expense and peripherals, and a total for all expenses. You can get an idea about what to include by reading the resources associated with the Project 1 reference links in the course. Other examples can be obtained by checking NIST references.
  • Conclusions
  • A summary of your findings. There should be no new information here, just a condensed version of the preceding sections. It should state what you achieved. Be sure it aligns with the first section, “Purpose.”
  • References
  • Appendices
  • This section should include lettered appendices (Appendix A, Appendix B, and so on) if you choose to include them. In general, an appendix is where an author places supporting details that not all readers will need to see, but experts or interested parties may wish to see.

    Step 2: List Required Forensic Equipment, Software, and Labor Expenses

    In Step 1, you developed forms and templates to collect the legal, criminal, and technical information that lays the groundwork for your investigation. In this step, you will consider the types of equipment and human resources needed to conduct the investigation and create a budget table that includes expenses for software licenses, computers, storage devices, number of digital forensics examiners, digital forensics examiners’ labor hours, and examiner hourly pay rate, including time spent for each phase of the investigation process: gathering evidence, analysis, reporting, presentation preparation, and court appearance(s).

    It is important to total the overall costs of all equipment and expenses in your budget table. By making these preparations, you are establishing forensic readiness. Required resources can include people; tools and technologies such as RAID storage, deployment kits, or imaging programs; and budget and timeline information.

    Develop a checklist. It will be included in the final Investigation Project Plan.

    In the next step, you will begin to prepare a plan for managing a digital forensic investigation.

    Step 3: Plan Your Investigation

    In the prior step, you determined what resources would be necessary for your investigation. In this step, you will develop a plan for managing the investigation. The requirements for writing case reports reflect the step-by-step rigidity of the criminal investigation process itself. Being able to articulate time, task, money, and personnel requirements is essential.

    Project management is a skill set that is not often linked to digital forensics and criminal investigations. That is unfortunate because effective project management can have a dramatic impact on the success and accuracy of an investigation. Identifying the tasks that need to be performed, their sequence, and their duration are important considerations, especially in the face of “wild cards” such as delays in obtaining correct search warrants and subpoenas. It is also important to have a clear understanding of the goals for the investigation, as you will likely be called upon to present conclusions and opinions of your findings.

    Your project plan should include a properly sequenced narrative timeline and a separately labeled and sequenced Visual Graphic Timeline chart that reflects the time intervals between each phase of the evidence acquisition and investigation processes (e.g., 30 hours gathering evidence spread across five business days, 60 hours of analysis over 10 business days, 90 days for reporting and court preparation, etc.), including detailed time estimates and contingency plans. Your plan will serve many purposes, including the assignment of a project budget. As you create your plan, be sure to include in your meeting agenda communications and reporting: who should be involved, how the activities should be carried out, how often, and under what circumstances (i.e., modality, frequency).

    Once you have developed your project management plan, move on to the next step, where you will submit your final assignment.

    Step 4: Prepare and Submit Completed Investigation Project Plan

    For your final assignment, you will combine the results of the previous three steps into a single planning document—an Investigation Project Plan—with a title page, a table of contents, and a distinct section for each of the three steps. The plan should include:

    1. Forms documenting key people, meeting agenda, key activities and reporting, key words, investigation timeline narrative, visual graphic timeline chart, authorization confirmation (e.g., ownership, jurisdiction), and related investigations. Designation of the legal forms required for criminal investigations should also be included. (Step 1)
    2. Resource checklist for equipment, human resources and labor expenses (Step 2)
    3. Management plan (Step 3)
    4. Search and seizure form(s)
    5. Chain of custody form

    The organization and details of your plan are important. Be sure to refer to the Guidelines for Project 1 Investigation Project Plan to meet the minimum standards needed for this project. All sources of information must be appropriately referenced. Submit your completed Investigation Project Plan to your supervisor (instructor) for evaluation upon completion.
