CHAPTER TWELVE

Investigation

Incident Closure

I think I did pretty well, considering I started out with nothing but a bunch of blank paper.

—Steve Martin

THE EFFORT REQUIRED in the next phases of an investigation is as systematic and thorough as any of those previously discussed. Although the process is fairly linear (see Figure 12.1), the “steps” of the investigative process are not necessarily successive or consecutive; they may overlap and vary depending upon case. Phases themselves allow for specific customization suiting various requirements: legal, lawful, corporate, or otherwise.

FIGURE 12.1 Steps in the Investigation Process

image

FORENSIC INVESTIGATIVE SMART PRACTICES

STEP 5: INVESTIGATION (CONTINUED)

“in•ves•ti•ga•tion”

1. The action of investigating something or someone; formal or systematic examination or research.

2. A formal inquiry or systematic study.

In some circumstances, a cyber forensic investigation could be defined as simply the action of extracting data to meet a given search criteria; something easily accomplished in an automated manner. This definition could certainly apply if under contractual obligation or court order. The “Sherlock Holmes” aspect of an investigation may not always present itself; the investigation may be strictly limited to the search criteria.

At times, a cyber forensic investigator can become over sensitized to the systematic nature ...

Get Cyber Forensics: From Data to Digital Evidence now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.