Standard Operating Procedures for Digital and Multimedia Evidence Forensics, Schemes and Mind Maps of Cybercrime, Cybersecurity and Data Privacy

A comprehensive guide on implementing standard operating procedures (sops) for digital and multimedia evidence forensics. It covers pre-investigation data collection, evidence gathering and packaging, interviewing accused and witnesses, reporting and interpretation, chain of custody, digital evidence collection, and digital media forensic collection. The guide emphasizes the importance of maintaining the integrity of digital evidence, documenting procedures, and following a precise chain of custody to ensure authenticity and conservation of evidence.

Typology: Schemes and Mind Maps

2023/2024

Uploaded on 03/19/2024

6055-darshan-rawal


Skill-02 | Name: Darshan S Rawal | Code: CS801 | PRN: 2001106055 | Sub: Cyber Crime

Standard Operating Procedures for investigations

A. Importance of SOPs in the Investigation

  • Standard Operating Procedures (SOPs) are documents specific to an agency that outline the steps and techniques to be taken when carrying out regular tasks. SOPs are necessary to implement uniformity and improve quality; they set out the procedures for carrying out tasks related to digital and multimedia evidence forensics precisely and accurately. SOPs ought to be task-based and documented for every action taken. They ought to be reviewed at least once a year, and an SOP's earlier approved versions ought to be kept on file for future reference.
  • From securing the scene to determining which media to gather, etc., to filing the charge sheet and presenting the evidence in court, the SOPs direct us as we develop each step of the investigation process. It is evident that standard methods and procedures are necessary for an investigation in an automated environment due to the nature and legality of digital evidence for the following primary reasons:
  • It is necessary to collect evidence in a manner that a court of law will accept. If standard operating procedures are developed and adhered to, this will be simpler.
  • In cases with cross-departmental and cross-national repercussions, this will also make the exchange of evidence easier, particularly if investigators from all departments and nations gather evidence in a comparable way.
  • All precautions must be taken to prevent anything from accidentally corrupting the data or causing any other type of damage. This risk of damage is reduced when standard operating procedures and methods are followed. It is sometimes inevitable that during the examination process, some data will be overwritten or altered. Therefore, in order to be able to explain the causes and effects in a court of law later on, it is necessary to have a thorough understanding of the technology being examined as well as to document it.
  • A few major contributing factors to inappropriate evidence gathering are shoddy policy writing, an undefined incident response plan, and inadequate incident response training. Any of these could cause the chain of custody to break.

B. Standard operating procedures for cybercrime - flowchart

Pre-investigation Data Collection:
  • Received Complaint: We receive and record any complaints or reports of cybercrime activity.
  • Pre-investigation Assessment: To ascertain the type and gravity of the purported cybercrime, a preliminary assessment is conducted.
  • Preservation of the Issue: To avoid alteration or loss, pertinent data and evidence are located and kept safe.

Making Decisions Regarding the Legal Process:
  • Criminal Offence Determination: Determine whether, in accordance with applicable laws, the reported activity qualifies as a criminal offence.
  • Infractions under Section 43: For infractions under Section 43 of applicable laws, contact the relevant authority if the behaviour does not qualify as a criminal offence.
  • File a First Information Report (FIR): To start a formal investigation process, file a First Information Report (FIR) if the activity is considered a criminal offence.

Recognition and Record-Keeping:
  • Crime Scene Documentation: Take a close look at the crime scene, both physically and digitally.
  • Record the current status of any systems, networks, or devices used in the crime.
  • To document the scene, take thorough written notes, film, and take pictures.

Gathering Proof from Witnesses and Outside Service Providers:
  • Assess the Expertise Needed for Evidence Collection: Find out if specific knowledge is needed to gather evidence.
  • If assistance is required, consult forensic experts or technical specialists.

Gathering and packaging of evidence:
  • Collect digital proof, including files, logs, and communication records.
  • To preserve its integrity, gathered evidence must be packaged and labelled correctly.
  • Interviewing Accused and Witnesses: Speak with witnesses and suspects, as well as anyone else who may know pertinent details about the incident.

Reporting and Interpretation:
  • Examine forensic evidence gathered from digital devices or networks in the forensic analysis report.
  • Provide thorough reports outlining the results of any investigations into system intrusions, data breaches, or other cybercrimes.

Gathering Information and Reports:
  • Compile all pertinent reports, witness statements, forensic analysis reports, and other supporting materials.

Complete Report:
  • Put together all of the analysis, findings, and recommendations into a thorough final report.
  • Provide information on the investigation's methodology, the evidence gathered, the analysis's conclusions, and suggestions for additional action or legal action.

C. Search and seizure

The various steps involved in performing a panchanama and investigating a digital crime scene are outlined in this section. Because digital evidence is more delicate and prone to manipulation than evidence at traditional crime scenes, great care and precautions must be taken during the collection, preservation, transportation, and examination of evidence at digital crime scenes.
  • First and foremost, in order to avoid intervention, it is crucial to identify the crime's online location and guarantee that its integrity is preserved.
  • Examine the evidence carefully and record its condition. For example, take pictures of a hard drive before you access its data.
  • Use security measures, such as physical locks and keeping duplicate copies in different places, to protect evidence from damage or theft.
  • When handling electronic evidence, use caution to avoid physical abrasions or damage from magnetic fields.
  • Restrict access to the evidence to authorised personnel in order to reduce the possibility of misunderstandings or mistakes.
  • To ensure proper labelling and identification of evidence, use specialised documentation forms to track its movement and handling with precision.
  • Use methods like hashing to ensure the evidence's integrity and to show that it has not been changed or tampered with while being investigated.

F. Digital Evidence Collection

One essential tool in the forensic field is the Digital Evidence Collection (DEC) form, which acts as a kind of invoice for digital evidence collected over the course of an investigation. Its main purpose is to make sure that the evidence is collected accurately and repeatably, ensuring that the procedures used to gather each piece of evidence are carefully documented so that they give consistent results. The DEC form is conceptually similar to an extensive checklist or recipe card for gathering digital evidence, as it carefully records observable information like the kind of software, its version, and the length of the collection procedure. It logs every nuance of the evidence, including the details of the device from which the data originated and its final destination. For example, when gathering evidence from a laptop, the DEC form would record information such as the specs of the laptop, its serial number, the data extraction software, and the operation's timestamp. When imaging the laptop's hard drive, all the information is documented, including the technique used, the forensic programme that was used, and the hash value computed to verify the integrity of the data. Typically, the DEC form includes a number of essential components, including:
  • Particular case number and applicable statutes.
  • Information about the location and custodian of the evidence.
  • Details about the device, such as its type, make, model, and unique identification.
  • Details regarding the storage of evidence, including the type of media (e.g., USB, HDD) and its specifications.
  • Documentation of the forensic software used, safeguards against data manipulation, and extra observations on the data collection process.

For instance, in cases involving stolen software, the DEC form would painstakingly record information about the source computer, its hardware specs, the software used for forensic duplication, and any relevant notes about the collection process or difficulties encountered. This could involve making notes about the state of the computer, the credentials needed to access it, and the exact steps taken to ensure the integrity of the digital evidence from the point of creation to the point of collection.

G. Digital Media Forensic Collection
  • Digital forensic collection of digital media is similar to a detective's work in the digital world. Thorough preparation is necessary before interacting with the digital crime scene. This entails thorough reconnaissance in order to obtain information about the people concerned and the variety of electronic devices that are in place. These kinds of preparatory actions help identify which devices need more examination.
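The DEC form components listed in section F, together with the hashing and movement tracking called for in the search and seizure section, as an added Python example that is not part of this assignment: a record holding the listed fields and the image hash taken at collection, a custody log for each hand-over, and a check that recomputes the hash later so that any alteration of the image is detected. Every name and value in it is a constructed placeholder.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

def now_iso() -> str:
    return datetime.now(timezone.utc).isoformat()

def sha256_hex(data: bytes) -> str:
    # Hash taken at acquisition and recomputed whenever integrity is checked.
    return hashlib.sha256(data).hexdigest()

@dataclass
class DECRecord:
    case_number: str
    statutes: list
    location: str
    custodian: str
    device: dict           # type, make, model, unique identification
    storage_media: dict    # media type (e.g. USB, HDD) and specifications
    forensic_software: str
    image_sha256: str      # binds this record to the image that was acquired
    collected_at: str
    notes: list = field(default_factory=list)
    custody_log: list = field(default_factory=list)

def create_dec_record(image: bytes, **details) -> DECRecord:
    # Fill the form at collection time, hashing the image before it moves anywhere.
    return DECRecord(image_sha256=sha256_hex(image), collected_at=now_iso(), **details)

def transfer_custody(record: DECRecord, handed_to: str, purpose: str) -> DECRecord:
    # Record one hand-over in the chain of custody and update the current custodian.
    record.custody_log.append({"from": record.custodian, "to": handed_to,
                               "purpose": purpose, "at": now_iso()})
    record.custodian = handed_to
    return record

def verify_image(record: DECRecord, image: bytes) -> bool:
    # True only if the image presented now matches the hash taken at collection.
    return hmac.compare_digest(record.image_sha256, sha256_hex(image))

# Constructed sample standing in for a forensic disk image (not a real image).
SAMPLE_IMAGE = b"constructed sample disk image contents\n" * 64
SAMPLE_RECORD = create_dec_record(
    SAMPLE_IMAGE, case_number="CASE-PLACEHOLDER-001", statutes=["Section 43 (as cited above)"],
    location="Examination lab (constructed)", custodian="Investigating officer (constructed)",
    device={"type": "laptop", "make": "ExampleCo", "model": "X1", "identification": "SN-CONSTRUCTED-0001"},
    storage_media={"type": "HDD", "capacity_gb": 500}, forensic_software="imaging tool (placeholder)")
```

Each transfer keeps the previous custodian in the log, so the completed record shows the whole chain from the scene to the examiner.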

  • When the investigating officer has the necessary equipment and knowledge, they can conduct on-site forensic imaging, which creates data copies right there at the crime scene. Alternatively, the devices are confiscated for further examination in the event that on-site imaging is not practical. Even though it adds to the workload, occasionally, devices of unknown significance are also gathered as a precaution.
  • The investigator's expedition-pack-style toolkit is specifically designed for this kind of work. It includes markers and adhesive labels, among other instruments for exacting labelling and documentation. Also, a variety of screwdrivers and other tools are essential for disassembling devices without sacrificing their integrity. In addition, measures for the safe packaging and conveyance of gadgets are necessary. These measures should include bubble wrap, sturdy containers, and antistatic bags to prevent electrostatic damage. Faraday bags are used for mobile devices that need to be isolated from networks in order to avoid location tracking or remote manipulation.
  • In order to ensure thorough investigation even in low light, essential accessories include gloves to prevent fingerprint contamination, a magnifying glass for detailed inspection, and a small torch for illuminating obscure areas.

H. Collecting Digital Evidence

The procedure for gathering digital evidence at a crime scene that includes a turned-off device, like a computer, usually entails the following steps:
  • Make sure the scene is preserved: do not let anyone else interact with or use any electronics, and turn off Wi-Fi or Bluetooth signals.
  • Check to make sure the computer is turned off; sometimes, it might be in sleep mode.
  • Remove the computer's power supply safely, and do not start the computer's boot-up process.
  • Either take pictures of the setup or make thorough sketches, making sure to note how the cables and other parts are arranged for precise reassembly.
  • Locate and identify the computer system's internal hard drive methodically, making note of any relevant information.
  • If they are available, collect any further materials that might be used as evidence, like notes or documents that might include pertinent data like login passwords.
  • Make sure to record every action you take and every observation you make in detail so you can refer to it later and analyse it.

When working with live devices—especially working computers—the process of gathering digital evidence entails several crucial steps:
  • To stop unauthorised access or device tampering, create a controlled environment.
  • Make careful use of labelling and documentation techniques; if needed, take a picture or sketch of the device setup for future replication.
  • In order to guard against any possible data loss or alteration, disconnect the computer from all external networks and devices.
  • Record what is on the screen with photographs or a written description without touching the device more than necessary; at most a small adjustment, such as moving the mouse pointer, may be needed to make the screen visible.
  • If one is available, get in touch with a technical specialist to help with data extraction from the computer's memory in a way that does not jeopardise system stability.

Depending on the device's power state, different approaches apply when working with mobile phones: