CHAPTER 55

CYBER INVESTIGATION [1]

Peter Stephenson

55.1 INTRODUCTION

55.1.1 Defining Cyber Investigation

55.1.2 Distinguishing between Cyber Forensics and Cyber Investigation

55.1.3 DFRWS Framework Classes

55.2 END-TO-END DIGITAL INVESTIGATION

55.2.1 Collecting Evidence

55.2.2 Analysis of Individual Events

55.2.3 Preliminary Correlation

55.2.4 Event Normalizing

55.2.5 Event Deconfliction

55.2.6 Second-Level Correlation

55.2.7 Timeline Analysis

55.2.8 Chain of Evidence Construction

55.2.9 Corroboration

55.3 APPLYING THE FRAMEWORK AND EEDI

55.3.1 Supporting the EEDI Process

55.3.2 Investigative Narrative

55.3.3 Intrusion Process

55.3.4 Describing Attacks

55.3.5 Strategic Campaigns

55.4 USING EEDI AND THE FRAMEWORK

55.5 MOTIVE, MEANS, AND OPPORTUNITY: PROFILING ATTACKERS

55.5.1 Motive

55.5.2 Means

55.5.3 Opportunity

55.6 SOME USEFUL TOOLS

55.6.1 Link Analysis

55.6.2 Attack-Tree Analysis

55.6.3 Modeling

55.7 CONCLUDING REMARKS

55.8 FURTHER READING

55.9 NOTES

55.1 INTRODUCTION

Cyber investigation (also widely known as digital investigation) as a discipline has changed markedly since publication of the fourth edition of this Handbook in 2002. In 1999, when Investigating Computer Related Crime [2] was published, practitioners in the field were just beginning to speculate as to how cyber investigations would be carried out. At that time, the idea of cyber investigation was almost completely congruent with the practice of computer forensics. Today (as this is being written in April 2008), we ...
