Cyber forensics Investigation Process- 2021


  • Admin
  • February 27, 2021

Knock on the door! The cyber forensics & information security Investigation Process.

The title refers to the process of investigation that is conducted when a cyber-crime surfaces. Finding the culprit and serving justice is not a simple task: the process starts before the crime occurs, and many steps have to be followed. It also describes what a computer forensics investigator must do.


Terms and related people in a cyber investigation.

Here are some familiar and unfamiliar terms that pop up during any investigation process, including cybercrime investigations.


EVIDENCE: A physical or virtual item that links the crime to the culprit within the scope of the case.

ORIGINAL: The real source of the evidence, that is, the item or potential evidence we collected from the crime scene.

DUPLICATES/IMAGE: In most cases, a virtual copy of the original, or so to say, an image of the original.

SCOPE: Defines what type of case we are involved in (civil, criminal, or administrative).

PLAINTIFF: The one who files the case, or so to say, the troublemaker.

DEFENDANT: The one who defends against the case that the plaintiff has presented to the court.

WITNESS: A person who testifies in a matter linked to the crime.



There are mainly three phases: the pre-investigation phase, the investigation phase, and the post-investigation phase. As their names suggest, the first is conducted before we investigate a crime and is a passive stage. The second involves people who actually interact with the scene and do police work, which is an active stage. The last is for documenting the investigation.


Before we get our hands dirty, or so to say, start the investigation, there are some prerequisites we need to take care of. These involve steps such as planning and budgeting, physical location and structural design considerations, work area considerations, physical recommendations, human resource considerations, forensics lab licensing, and so on.


Now comes the investigation phase. For each action we take, from collecting evidence to presenting it to the court, we need a chain of command that records who does what, when, and how. Other steps in this phase are first response, search and seizure, collecting the evidence, securing the evidence, data acquisition, data analysis, and so on.


To understand the cyber investigation process, it is necessary to understand the difference between investigative activities and investigative thinking. Investigative activities are the data collection processes that feed into investigative thinking and its outcomes. Investigative thinking, on the other hand, is the process of analysing that data and thinking creatively about it in order to improve the investigation. Let's look at this difference in a little more depth.


Investigation Tasks

Investigative activities include identifying physical evidence, collecting data and evidence, protecting witnesses, interviewing witnesses, identifying suspects, and interrogation. These tasks must be learned and performed with a high level of skill so that a large amount of accurate information feeds into the thinking side of the investigation. Criminal investigations are intended to collect, verify, and maintain records in support of the investigative thinking process. Likewise, it is important to master these evidence-gathering activities.


Investigative Thinking

Investigative thinking in a cyber investigation is intended to analyse the data collected, form an opinion of what happened and how the event took place, and build sound reasons for believing it. Those valid reasons for belief will identify the suspects and lead to arrests and prosecutions. Investigative thinking is the process of analysing evidence and information, considering other possibilities for how the event took place, and determining whether the conclusion is valid.



No, you should never confiscate or snatch an item, even if you know it would be 100% legitimate evidence. Before we seize something, we should get a form signed by the current owner of that item.



The right to conduct a search and seizure of persons or places is an essential part of the investigation and of the criminal justice system. The societal interest in maintaining security is an overwhelming consideration that gives the state a restricted mandate to do all things necessary to keep law and order, which includes acquiring all possible information for the investigation of criminal activities; the restriction is based on recognising the perils of state-endorsed coercion and its implications for individual liberty. Digitally stored information, which is increasingly becoming a major source of investigative information, is thus essential in modern-day investigation techniques.



Yes: you should never use the original evidence for data analysis or future reference. In fact, after we seize the original item, which must be a piece of potential evidence, we should make multiple images of the original (if it is a virtual item such as data, signals, etc.) and then use the duplicates for further study. This is because at the last stage we need to present the original to the court, and it must be reliable, with its integrity proven.
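The two rules above, hash the original before and after imaging and record who did what, when and how, can be put into practice as follows. This is an added example, not code from the original article; the file names, the examiner name and the sample "device" contents are constructed.

```python
# Forensic imaging with integrity verification and a who/what/when/how custody log (added example).
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large image never has to fit in memory

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()

def log_action(log, examiner, action, detail):
    """Append one record of who did what, when and how to the custody log."""
    log.append({"when": datetime.now(timezone.utc).isoformat(),
                "who": examiner, "what": action, "how": detail})

def acquire_image(original, image, examiner, log):
    """Hash the original, copy it to a working image, and accept the image only if its hash matches."""
    original_hash = sha256_file(original)
    log_action(log, examiner, "hash original", f"{original} sha256={original_hash}")
    shutil.copyfile(original, image)
    image_hash = sha256_file(image)
    log_action(log, examiner, "acquire image", f"{original} -> {image} sha256={image_hash}")
    if image_hash != original_hash:
        log_action(log, examiner, "verification failed", str(image))
        raise ValueError("image hash does not match the original; do not use this copy")
    return original_hash

def verify_image(image, expected_hash):
    """Re-check a working copy before each analysis session; False means it must not be used."""
    return sha256_file(image) == expected_hash

def demo():
    """Image a constructed stand-in for a seized drive, then show that a modified copy is rejected."""
    work = Path(tempfile.mkdtemp())
    original = work / "seized_usb.bin"  # constructed sample, not a real device
    original.write_bytes(b"constructed sample disk contents\n" * 100)
    log = []
    original_hash = acquire_image(original, work / "working_copy.dd", "examiner-A", log)
    verified = verify_image(work / "working_copy.dd", original_hash)
    with open(work / "working_copy.dd", "r+b") as f:  # simulate an accidental write to the copy
        f.write(b"X")
    tampered_detected = not verify_image(work / "working_copy.dd", original_hash)
    return {"original_hash": original_hash, "verified": verified,
            "tampered_detected": tampered_detected, "log_entries": len(log)}
```

In practice the original is mounted read-only behind a write blocker and the log is stored separately from the images; the same hash is what the court later compares against the original.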


After all that hustle now comes the desk job: documentation and reporting. This is as important as the investigation itself. Sloppy documentation may result in the case becoming null and void, so we should put in as much effort as we did in the two prior phases, even if we don't like desk jobs.

EVALUATION OF EVIDENCE: Assessment of evidence is the method of associating the information obtained from the evidence with the incident, so that the complete incident can be understood. Evidence examination is an important phase within the forensics approach. The evaluation depends on the nature of the incident, the objectives behind it, how the incident escalated, and so on. In every examination, the digital evidence must be examined in accordance with the scope of the case in order to decide on the course of action.

DOCUMENTATION AND REPORTING: A record that documents all actions taken by investigators throughout the investigation to obtain the prescribed results. Investigators must keep it in a safe place and bring it to court during the trial. They should document all forensics procedures used to identify, collect, analyse, store, and report evidence in order to provide a reliable report in a court of law.

TESTIFY AS AN EXPERT WITNESS: Since the lawyers, prosecutors, and other panel members present in a court of law are usually unfamiliar with the technical details of the crime and the evidence, investigators should engage licensed personnel who can appear in court to verify the accuracy of the procedures and information. An expert witness is someone with full knowledge of the subject and the qualifications that will make others, in a court of law, trust his or her views on what has been identified.



