Project 1: Investigation Considerations

“What is it with these detectives? They think they can just dump stuff on our desks and expect us to make heads or tails of it!”

“I’ll need a lot more information than this before I can process these computers!”

“Let’s see…is that everybody? I need to get this meeting on folks’ calendars right away, so I can start my investigation. While I’m waiting, I’ll draw up an agenda and a list of questions that need to be answered.”

“OK, that’s a good start! I’m sure other topics will come up during the meeting.”

“That meeting was a big help! Now I can create a list of resources that I’ll need for the investigation. Let’s see…”

“The team is also going to want to know what to expect as far as timeline, budget, responsibilities, and so on. A project management diagram should help. I’ll sketch it out now and get it to them A.S.A.P. so we can get started!”

A digital forensic investigation process can involve many steps and procedures. The objective is to obtain unbiased information in a verifiable manner using accepted forensic practices. In this project you will perform some of the steps necessary for setting up an investigation. These steps include designing interview questions that establish the needs of the case and focus your investigative efforts. You will also determine what resources may be needed to conduct the investigation. Once you have this information, you will be able to develop an investigation plan that properly sequences activities and processes, allowing you to develop time estimates and contingency plans should you encounter challenges in the investigation.

This particular situation involves two computers and a thumb drive. After clear authorization to proceed has been obtained, one of the first investigative decision points is whether to process the items of evidence individually or together. Processing computers individually makes sense when they are not likely tied to the same case. However, if the computers are linked to the same case, there can be advantages in processing them together.

There are four steps in this project. In Step 1, you will develop interview protocols and identify documentation needs for a forensic investigation. In Step 2, you will identify resources needed for the investigation. In Step 3, you will develop a plan for conducting the investigation, and in Step 4, you will consolidate your efforts in the form of a single document to be submitted to your supervisor (i.e., your instructor). The final assignment in this project is a planning document with a title page, table of contents, and distinct section for each of the three steps in the project.

Let’s get started! In Step 1 you use an interview template to record questions, keywords, and authorization information, and to complete the legal forms that will be needed in this case. Before you can do that, you need to review your training in criminal investigations.

STEP 1

In Step 1 you recall your training in criminal investigations, in which you covered the laws governing chain of custody, search warrants, subpoenas, jurisdiction, and the plain view doctrine. You also review forensic laws and regulations that relate to cybercrime, as well as rules of digital forensics in preparation for your digital forensic investigation.

Next, you read the police report and perform a quick inventory of devices that are thought to contain evidence of the crime. You have set up a meeting with the lead detectives and the prosecutor handling the case. You have received an official request for assistance which provides you with authority to conduct the investigation.

You realize it will be impossible to produce a detailed investigation project plan prior to your meeting with the detectives and the prosecutor. First you need to develop a series of questions to establish the key people and activities. These questions should address potential criminal activity, timelines, and people who need to be investigated. It is also important to determine whether different aspects of the case are being pursued by other investigators and to include those investigators on your contact list. In addition, some situations may involve organizations or individuals who need to adhere to various types of industry compliance. This situation may require you to follow special procedures.

Your tasks in Step 1 are to create an interview form to record questions, keywords, and authorization information, and to designate the legal forms that will be needed in this case. The forms that you complete as part of Step 1 will be included in your “Investigation Project Plan”– the final assignment for this project.

STEP 2

In Step 2 you will consider the types of resources needed for the investigation. In Step 1 you developed the forms and templates needed to collect the legal, criminal, and technical information that lays the groundwork for your investigation. In Step 2, you consider the types of resources needed to conduct the investigation. By making these preparations, you are establishing forensic readiness. Required resources can include people; tools and technologies such as RAID disks, deployment kits, or imaging programs; and budget and timeline information. Develop your checklist. It will be included in your final “Investigation Project Plan.”

In Step 3 you will prepare a plan for managing a digital forensic investigation.

STEP 3

In the prior step, you determined what resources would be necessary for your investigation. In Step 3 you develop a plan for managing the investigation. Reporting requirements reflect the step-by-step rigidity of the criminal investigation process itself. Being able to articulate time, task, money, and personnel requirements is essential.

Project management is a skill set that is not often linked to digital forensics and criminal investigations. That is unfortunate because effective project management can have a dramatic impact on the success and accuracy of an investigation. Identifying the tasks that need to be performed, their sequence, and their duration are important considerations, especially in the face of “wild cards” such as delays in obtaining correct search warrants and subpoenas. It is also important to have a clear understanding of the goals for the investigation as you will likely be called upon to present conclusions and opinions of your findings.

Your project plan should include properly sequenced evidence acquisition and investigation processes, time estimates, and contingency plans. Your plan will serve many purposes including the assignment of a project budget. As you create your plan, be sure to include communications and reporting—who should be involved, how the activities should be carried out, how often, and under what circumstances (i.e., modality, frequency).

Once you have developed your project management plan, move on to Step 4 where you will submit your final assignment.

STEP 4

For your final assignment, you will combine the results of the previous three steps into a single planning document—an “Investigation Project Plan”—with a title page, a table of contents, and a distinct section for each of the three steps.

The Plan should include:

- Forms documenting key people, key activities, timeline, keywords, authorization (ownership, jurisdiction), and related investigations. Designation of the legal forms required for criminal investigations should also be included. (Step 1)
- Resource list (Step 2)
- Management plan (Step 3)

Sample format for deliverables:

- Title Page
- Abstract
- Table of Contents
- Meeting Agenda
- Required Forms
- Tools
- Investigative Process
- Interview Questions
- Investigative Timeline
- Investigation Budget
- Conclusion
- References
- Appendices

    Digital Forensic Investigation


    Abstract

    Due to the nature of computer activity, every discrete action leaves a potential digital trace which is vital for the investigation process. Mainly, the digital traces need to be retrieved to assist in a digital investigation to refute or prove a certain crime. However, with constraints of media and the potential for destruction of evidence, it is not always possible for investigating officers to obtain all the relevant digital traces to conduct a complete investigation. As such, this paper covers the forensic investigation relating to child sexual exploitation. The paper includes the meeting agenda for the investigative team, provides all the forms needed for a successful investigation and compliance with the law, and provides in-depth details of the investigative process. The paper also includes the interview questions that are asked of the affected child, the investigative timeline and budget. The elements are carefully considered to ensure that a complete investigation process is achieved.

    Table of Contents

    Abstract
    Introduction
    Meeting Agenda
    Key Questions Pertaining to the Case
    Required Forms
    Analysis Tools
    Investigative Process
    Interview Questions
    Investigative Timeline
    Investigative Budget
    Conclusion
    References


    Introduction

    Having been appointed as the investigating officer, it is important that I know that every step in the digital forensic investigation is critical to the entire investigation. As such, a careful integration of all the processes is made, starting from the meeting with the investigative team and continuing with an in-depth analysis of the investigative process, timelines and budget. Every step below is a careful consideration made to achieve the best results from the investigation process.

    Meeting Agenda

    The meeting with the investigative team will serve to fulfil the following agenda:

    1. Review of the case
    2. Laying the ground rules for the investigation
    3. Acquisition of relevant information about the case
    4. Team gathering and assigning the relevant roles
    5. A.O.B.

    Key Questions Pertaining to the Case

    1. What are the main activities conducted by the criminals in this case?
    2. How long do you estimate they have been conducting this business?
    3. How many suspects do we have for this case?
    4. How many children have been sexually exploited by these suspects, and for how long has this been happening?
    5. Do you have any of these criminals in custody for questioning?
    6. Do we have any child who might serve as a legitimate source of information for this investigation?

    Required Forms

    The documents required for this investigation vary based on the phase of the investigation. Each document or form is important as it serves as actual evidence of compliance with the proper legal procedures during an investigation (Casey, 2011). The first form is the search and seizure evidence log, which includes a brief description of the laptops and hard drives that were located during the initial search for evidence. The file also documents the date and time the investigation was conducted, the list of people who have been involved in the investigation, and the timeline for the entire investigation.

    The second file needed for this investigation is the lab evidence log, which includes the time the seized evidence arrived at the laboratory, a short description of the evidence, the investigator's name and verification, and the condition of the evidence when it arrived in the lab. As Casey (2011) says, the file also includes all the details pertaining to the examination process and who conducted the examination, and the date and time for each process. Another important file is the collection log file, which holds relevant details of the digital forensic phase, including the images obtained from the data and the MD5 sum or checksum of the collected data and the original data. Finally, it contains the investigator's information, including a digital signature and a timestamp.

    Other important documents include the Official Request for Laboratory Examination form, which contains the relevant keywords that should be searched for during the computer analysis. A media analysis worksheet will also serve an important role in tracking the progress of media analysis and the kind of assistance offered. A post-mortem Windows Forensic Checklist will also be important for the investigation process (Selamat, Yusof, & Sahib, 2008). Other forms such as the evidence activity form, digital forensic report template, and incoming evidence forms should also be included in the list of forms.

    Alongside the legal forms, for any forensic investigation the forensic examiner has to ensure that the relevant legal authority needed to conduct the investigation is obtained. The legal authority needed for this investigation is a consent form and a search warrant that allows the examiner to conduct an analysis and search through the digital data. According to Casey (2011), due to the storage capacity of computers and digital devices such as a flash drive, the vast amount of data and the high level of complexity demand that such data be searched in a controlled laboratory environment. Each subsequent search has to be conducted within the legal limits, that is, as bound by the consent or the search warrant. Importantly, the examiner should also work closely with the prosecutor to address any queries touching on the authority for conducting a certain examination (Casey, 2011).

    Analysis Tools

    Since the digital evidence is already collected and properly preserved, it is important to have the necessary analysis tools to work on the parts that contain the actual evidence for the investigation. The first tool that will be required for the investigation is a forensics system. The system is a cross between a desktop computer and a laptop, used for imaging hard drives and sending images to another computer or hard drive. The device contains a roll-up keyboard and a pop-up screen (Selamat, Yusof, & Sahib, 2008). The system is important in examining bit-stream images and producing a list of files and programs originally present on the device. With it, the forensic investigation team will be able to look for any software that was used to hide, encrypt, protect, or delete important files from an investigator. According to Köhn, Olivier, and Eloff (2006), it is worth noting that the presence of steganography tools such as TrueCrypt on the hard drive or laptop is an indicator that there was an intent to conceal evidence, and these are important in determining the kind of tools that an investigator may also use.

    Another essential toolset is the file recovery tools. Frequently, malicious people will do their work and delete files whenever possible. However, whenever a file is deleted by a user, the computer only deletes the pointer, and the file remains intact within the computer. Deleted files are simply converted into open space on the storage media where a user can store new data (Köhn, Olivier, & Eloff, 2006). The deleted data can thus be recovered using data recovery programs. After recovery of data, an investigator requires the relevant programs to open and read the recovered data. Mostly, these will include a wide range of file types such as .pdf, .xlsx, .docx, .gif, .png, etc. As such, a wide range of multi-vendor programs is required for opening these files. A file viewing software package is thus very important to ease the work.

    File viewers are vital in allowing an investigator to open a variety of files under one roof. Good software for that purpose is Guidance Software's EnCase, New Technologies' SafeBack, or Norton Ghost. EnCase is the best software among the three, but the other two serve as backup in the event that one fails. Also, some laptops have small hard drives which might be hard to remove without causing damage to them (Casey, 2011). As such, instead of removing the hard drive, an external DVD/CD drive is important for booting up the laptop and then using a network cable to access any information relevant to the investigation and copy it to a new hard drive. A network cable is therefore also an important tool. Casey (2011) also notes that another important tool for forensic work is a write blocker. The device is attached to a hard drive and the disk or flash disk to which files are being copied. The device ensures the data is unchangeable while it is being copied or during the imaging process.

    Another important tool for this investigation is FTK Imager. The software is an imaging and data preview tool that can be used in the acquisition of all data during a forensic investigation without any alterations to the original evidence. Further, the tool is important in conducting a deep forensic examination and in creating a report of the forensic findings. Some of the functions of FTK Imager include creating forensic images, previewing files and folders, mounting an image for read-only viewing, and generating hash reports (FTK® Imager 4.2.0, n.d.).

    Additionally, license keys are also needed, since most of the time forensic software will require USB tokens which are used for preventing unlicensed copies from being used. Finally, a digital camera is also important for taking pictures of the data being copied from the laptops (Casey, 2011). Sometimes this is essential, since photographs taken of the data serve as the only evidence left, as someone might wipe out all the evidence before the investigation is complete. Photographs also serve as evidence to show whether data had been tampered with or not.

    Additionally, the human resources needed will include a lead investigator, an examiner, a prosecutor, and a forensic specialist. The lead investigator is important for this investigation since he/she will be responsible for the entire investigation process. That implies that he/she is responsible for collecting any relevant information related to the crime and leading the evaluation within the set timelines. The lead investigator conducts investigations ranging from moderate to complex scope, where data analysis requires a review of a variety of factors to determine impact and to identify the root cause. More importantly, the lead investigator comes up with corrective and preventive actions, and exercises judgment within defined practices and procedures to determine the appropriate course of action. Finally, the lead investigator builds a productive working environment throughout the investigative process.

    As the digital forensic examiner, I will be responsible for using investigative methods and forensic tools to obtain electronic data such as images, files, internet usage history and so on. The process will involve the use of technical skills to search for hidden information, deleted information or lost data. The role is important in evaluating the relevance of the data obtained to the case under investigation. Finally, a prosecutor will be important for the investigation process, as he will be responsible for helping with the investigation process, helping to decide whether to file legal documents or not, and finally presenting the case to the court.

    Investigative Process

    The investigative process will consist of the following steps:

    1. Determine the best method

    Evidence obtained from the computers needs to be processed. As such, a method needs to be chosen that fits the kind of evidence at hand. In case the forensic examiner is unable to process the available evidence because of a lack of required equipment, or a lack of experience and training, the investigating officer will fill out a “request for assistance” form to be submitted to a higher-level forensic examiner (Carrier & Spafford, 2004).

    2. Prepare the case file

    The necessary case file needs to be filled out and put in place for documentation, to help keep track of the case progress and the important information right from the start of the forensic examination. Ensure that the submitting officer fills out an “Official Request for Laboratory Examination.” The form is very important as it allows the entry of keywords that will be applied when conducting a forensic analysis of the computer (Carrier & Spafford, 2004).

    3. Fill out a media analysis worksheet and attach a report

    The media analysis worksheet should be used for tracking how the process of media analysis is progressing.

    4. Split evidence tag procedures

    In case the hard drives are to be removed from the computer to conduct an analysis, leading to a separation from the computer, each hard drive should be tagged individually using a marker or a pen to show the case number, record number, the name of the suspect and the like. The new evidence tag should be a replica of the original, but now followed by a tag such as A, B or a relevant designator (Agarwal, Gupta, Gupta, & Gupta, 2011). Also, a description of the evidence separation should be noted in the case file. The chain of custody should also be noted on the description tag until the analysis is completed and/or the hard drive is returned to the original computer. Once the analysis is completed, the hard drive should be reinstalled in the original computer with a note indicating the chain of custody.

    5. Create an analysis directory

    Use a government-owned forensic investigation computer to create a directory for the analysis. The directory created serves as the place where potential evidence, disk images, and keyword files will be stored.

    6. Create a keyword list

    To create a list of keywords for the case, conduct a review of all the data to ensure that the prospective analysis is properly set up. A list of keywords should be created to make it easy for forensic examiners to identify the key content.

    7. Subject's computer and thumb drive

    The computer should be checked to confirm that the CMOS settings are configured to boot from a DVD or CD, so that it can be booted from the EnCase disk. Also, the system clock should be checked against the actual date and time. A record should be made to show the differences in time between the subject's computer and the actual time and time zone. The hard drives should also be recorded based on the make, model, condition, and parts (Casey, 2011). In case of anything such as unusual condition or damage, a photograph of each hard drive should be taken.

    8. Government computer media analysis

    Based on the media and evidence at hand, such as the suspect's media and the like, an appropriate backup utility such as EnCase or SafeBack should be used. Also, if possible, a hard disk with the same interface and similar capacity should be used for backup. The target should be checked to ensure that it can hold the volume of the evidence media. The subject's hard drive should then be attached to the government computer to conduct the analysis (Casey, 2011). As an image is being obtained, the data should be compared to confirm that the information being obtained from the suspect record is from the correct drive. An image should be created using EnCase and the evidence returned for secure storage. EnCase is very important for the examination of file structures and browsing of the directories and subdirectories that contain evidential files (Agarwal, Gupta, Gupta, & Gupta, 2011). Simultaneously, the keywords should be searched for throughout to ensure that nothing is left out. This includes all the files of types that would probably suggest special handling, such as .zip, .tar, .arc, .gz, etc. Files that are protected using a password should also be carefully checked. All compressed files should be decompressed to expose the data inside. File structures and applications that are important for the investigation should be checked.

    Importantly, any executable files that might be valuable to the investigation should be executed. All logs and copy settings should be noted. All applications executed should be recorded, as well as the valuable data obtained during runtime. Finally, an analysis and findings should be created on the government-owned computer. The entire process should be documented in the Investigative Analysis Report, along with a related list of forms used, analysis notes, identified reports, request for assistance, keyword list used, media analysis worksheet, and any other document, form, or important report (Agarwal, Gupta, Gupta, & Gupta, 2011).

    In case a large number of files related to the investigation are obtained, coordination with local counsel should be made to discuss the need for printing out the data. In case the volume is overwhelming, some representative samples should be taken to be included in the case file for the suspect. For example, where many pornographic images that involve children are found on the subject's hard drive, a representative set of about 20 or 30 samples may be printed to be presented as hard copy. The purpose of making a hard copy on a CD is to avoid excessive paperwork when the findings are too many.

    Interview Questions

    A vital factor to consider is that there is a great difference between the memory retrieval strategies that can be applied when retrieving information from a younger child compared to older children or adults. In many cases, younger children recall far less information (Lamb, Orbach, Hershkowitz, Esplin, & Horowitz, 2007). As such, they usually provide briefer accounts of their lives compared to older children and adults. Also, young children have a higher probability of responding wrongly to suggestive questions when prompted about a certain experience. It is also common for these children to choose an incorrect option when given forced-choice questions. However, an essential factor to consider is that they can report in an accurate manner as well. The interview questions are designed to be answered by young children who were subject to sexual exploitation by the suspects in this investigation.

    The following questions will be vital in driving the investigation:

    1. Hello, could you please tell me what happened that you found yourself with these men?
    2. And for how long have you been there?
    3. Could you please tell me how many children were there in that building?
    4. How many men were there?
    5. If you see any of the men right now, can you recognize him?
    6. What did these men usually do to you inside the building?
    7. Could you please tell me more about the “touching”?
    8. Did they use a phone or video camera to record what was happening?
    9. Besides the touching, what else did they do to you?
    10. Did they beat you up or force you to do something bad?

    Investigative Timeline

    Date      Action
    Week 1    Assembling the investigation team
    Week 1    Initial meeting
    Week 2    Collection of forensic evidence
    Week 2    Information gathering, interviews
    Week 3    Analysis: forensic analysis
    Week 3    Write draft report
    Week 3    Report presentation
    Week 4    Liaise with local counsel for direction of the case
    Week 4    Follow-up action plan and closure of the case

    Investigative Budget

    The project budget is summarized below:

    Budget Category        Amount
    Personnel              $56,800
    Fringe Benefits        $30,200
    Equipment              $8,300
    Supplies               $1,720
    Travel                 $8,230
    Consultants            $50,800
    Indirect Costs         $13,500
    Total Project Costs    $169,550


    Conclusion

    The proposed computer forensic investigation model achieves two primary goals: reliability and timeliness. The process ensures a consistent flow of events, reducing time while at the same time utilizing the human resources to expedite the investigation process and reach justice. The evidentiary premise of the expected processes undertaken in this investigation will make available all the relevant and critical information needed for acquiring hard and solid evidence against the perpetrators. What this implies is that the best-case scenario will offer the best results and eliminate the chances of an unsuccessful investigation.


    References

    Agarwal, A., Gupta, M., Gupta, S., & Gupta, S. C. (2011). Systematic digital forensic investigation model. International Journal of Computer Science and Security (IJCSS), 5(1), 118-131.

    Carrier, B., & Spafford, E. H. (2004). An event-based digital forensic investigation framework. In Digital forensic research workshop (pp. 11-13).

    Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers, and the internet. Academic Press.

    FTK® Imager 4.2.0. (n.d.). Retrieved from AccessData:

    Köhn, M., Olivier, M. S., & Eloff, J. H. (2006). Framework for a Digital Forensic Investigation. In ISSA (pp. 1-7).

    Lamb, M. E., Orbach, Y., Hershkowitz, I., Esplin, P. W., & Horowitz, D. (2007). Structured forensic interview protocols improve the quality and informativeness of investigative interviews with children: A review of research using the NICHD Investigative Interview Protocol. Child Abuse & Neglect, 31(11-12), 1201-1231. doi:10.1016/j.chiabu.2007.03.021

    Selamat, S. R., Yusof, R., & Sahib, S. (2008). Mapping process of digital forensic investigation framework. International Journal of Computer Science and Network Security, 8(10), 163-169.