3 - Investigation process
Gathering evidence
Multiple options for obtaining evidence
The person who owns the evidence could voluntarily surrender it or grant consent to a search
A less experienced attacker may believe they have successfully covered their tracks and voluntarily surrender important evidence
Get a court to issue a subpoena (a legal order from a court that forces a person or organization to provide information or to appear before the court)
Law enforcement officer performing a legally permissible duty may seize evidence that is visible to the officer in plain view and where the officer has probable cause to believe that it is associated with criminal activity (aka plain view doctrine)
Search warrant: should be used only when you must have access to evidence without notifying the evidence's owner or other personnel
Calling in Law Enforcement
A complicated decision that should involve senior management officials
Two major factors may cause a company to shy away from calling in the authorities:
The investigation will more than likely become public and may embarrass the company
Law enforcement authorities are bound to conduct an investigation that complies with the Fourth Amendment (government officials such as police and federal agents cannot search your property or seize your belongings without proper legal justification) and other legal requirements that may not apply if the organization conducted its own private investigation
Conducting the investigation
Apart from collecting a memory dump or applying other live forensic techniques, never conduct your investigation on the actual system that was compromised. Take the system offline, make a backup, and use the backup to investigate the incident.
Never attempt to hack back and avenge a crime. You may inadvertently attack an innocent third party and find yourself liable for computer crime charges.
If in doubt, call in expert assistance. If you don't want to call in law enforcement, contact a private investigations firm with specific experience in the field of computer security investigations.
Interviewing individuals
If you seek only to gather information to assist with your investigation, this is called an interview.
If you suspect the person of involvement in a crime and intend to use the information gathered in court, this is called an interrogation.
Data integrity and retention
Evidence can be thrown out of court if it is altered during the evidence collection process
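One practical way to demonstrate that evidence was not altered after collection, added here as an example and not part of the original mind map: hash the image at acquisition, log every handling step, and re-verify the hash before each step. The image bytes, examiner names and descriptions are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: stands in for a disk image acquired from the backup copy
EVIDENCE_IMAGE = b"CONSTRUCTED-SAMPLE-IMAGE\x00" * 64


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used as the evidence fingerprint."""
    return hashlib.sha256(data).hexdigest()


def acquire(image: bytes, examiner: str, description: str) -> dict:
    """Record the acquisition hash as the first chain-of-custody entry."""
    return {
        "description": description,
        "sha256": sha256_hex(image),
        "custody": [{
            "action": "acquired",
            "by": examiner,
            "at": datetime.now(timezone.utc).isoformat(),
        }],
    }


def verify(record: dict, image: bytes, examiner: str, action: str) -> bool:
    """Re-hash the image before a handling step; append the outcome to the log.

    Returns False when the current bytes no longer match the acquisition hash,
    i.e. the evidence was altered somewhere along the chain.
    """
    ok = sha256_hex(image) == record["sha256"]
    record["custody"].append({
        "action": action,
        "by": examiner,
        "verified": ok,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return ok


if __name__ == "__main__":
    rec = acquire(EVIDENCE_IMAGE, "examiner-1", "backup of compromised host")
    print(verify(rec, EVIDENCE_IMAGE, "examiner-2", "analysis started"))  # True
    tampered = EVIDENCE_IMAGE[:-1] + b"\x01"  # constructed one-byte change
    print(verify(rec, tampered, "examiner-2", "analysis resumed"))  # False
    print(json.dumps(rec, indent=2))
```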
Reporting and Documenting investigations
Every investigation should result in a final report that documents the goals of the investigation, the procedures followed, the evidence collected, and the final results of the investigation. The degree of formality behind this report will vary based on the organization's policy and procedures, as well as the nature of the investigation.