Digital Forensic Science: The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting and possible expert presentation.
International Organization for Standardization (ISO): Publishes the standard for digital forensics.
ISO 27307: “Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence.” Defines the personnel roles and methods for acquiring and preserving digital evidence.
Federal Rules of Evidence (FRE): Created to ensure consistency in federal proceedings.
FBI’s Computer Analysis and Response Team (CART): Formed in 1984 to handle the increase in cases involving digital evidence.
CART teamed up with the Department of Defense Computer Forensics Laboratory (DCFL) for research and training.
The Fourth Amendment to the U.S. Constitution protects everyone’s right to be secure in their person, residence, and property from search and seizure.
Digital Forensics: Used to investigate data that can be retrieved from a computer’s hard drive or other storage media.
Data Recovery: Involves retrieving information that was deleted by mistake or lost during a power surge or server crash.
Inculpatory Evidence: Evidence that shows, or tends to show, a person’s involvement in an act, or evidence that can establish guilt.
Exculpatory Evidence: Evidence that tends to clear the suspect.
Forensics investigators often work as part of a team to secure an organization’s computers and networks.
Vulnerability/threat assessment and risk management.
Penetration Testers: The people who work in this group.
This group tests and verifies the integrity of systems, covering operating system and application security as well as the physical security of the systems.
Their task is to find vulnerabilities in the network so that the organization is better prepared for an actual attack.
Network intrusion detection and incident response.
This group detects intruder attacks by using automated tools and monitoring network firewall logs.
When an external threat is identified, the response team locates, tracks down, and pinpoints the intrusion technique and blocks further network access.
If an intruder launches an attack that causes harm or threatens damage, this team gathers the essential evidence.
This evidence can then be utilized to prosecute the intruder in court or to deter future incursions.
The network intrusion detection and incident response team may help identify an internal user if they are involved in unlawful behavior or policy violations.
Digital investigations.
This group manages investigations and conducts forensics analysis of systems suspected of containing evidence related to an incident or a crime.
This group utilizes employees with expertise in risk management, network intrusion detection, and incident response when working on challenging cases.
Case investigations are often concluded or closed by the digital investigations group.
During the 1970s, electronic crimes were increasing, especially in the financial sector.
White-collar fraud began when people in these industries saw a way to make money by manipulating computer data.
One of the most well-known crimes of the mainframe era is the one-half cent crime.
If the interest applied to an account resulted in a fraction of a cent, that fraction was used in the calculation for the next account until the total resulted in a whole cent.
It was assumed that eventually every customer would benefit from this averaging.
Some computer programmers corrupted this method by opening an account for themselves and writing programs that diverted all the fractional monies into their accounts.
Most law enforcement officers didn’t know enough about computers to ask the right questions or to preserve evidence for trial.
Many began to attend Federal Law Enforcement Training Center (FLETC) programs designed to train law enforcement in handling digital data.
As PCs gained popularity and began to replace mainframe computers in the 1980s, many different OSs emerged.
Apple released the Apple IIe in 1983 and then the Macintosh in 1984.
Computers such as the TRS-80 and Commodore 64 were the machines of the day.
CP/M machines, such as the Kaypro and Zenith, were also in demand.
Forensics tools at that time were simple, and most were generated by government agencies. Most tools were written in C and assembly language and weren’t available to the general public.
Xtree Gold: A new tool that appeared in the mid-1980s; it recognized file types and retrieved lost or deleted files.
Norton DiskEdit followed and became the preferred tool for finding and recovering deleted files.
Mac SE: Produced by Apple in 1987; a Macintosh with an external EasyDrive hard disk with 60MB storage.
International Association of Computer Investigative Specialists (IACIS): Introduced training on software for digital forensics examinations, and the IRS created search warrant programs.
No commercial GUI software for digital forensics was available until ASR Data created Expert Witness for Macintosh.
This software could recover deleted files and fragments of deleted files.
ILook: Currently maintained by the IRS Criminal Investigation Division and limited to law enforcement; it can analyze and read special files that are copies of a disk (disk images).
AccessData Forensic Toolkit (FTK): Has become a popular commercial product that performs similar tasks in the law enforcement and civilian markets.
Existing laws and regulations are incapable of keeping up with the rate of technological advancement.
To avoid errors such as exceeding the authority of a search warrant, examiners must be aware of recent court decisions on search and seizure in the online world.
As a consequence of recent privacy violations by government entities, new rules and procedures have been created.
Law enforcement may seize and record any items a detained person is carrying, but they may not have the right or authority to search those items.
To be a successful digital forensics investigator, one must maintain vigilance and stay abreast of changing case law.
To be successful as an investigator of digital forensics, you must be conversant with multiple computing platforms.
To expand your knowledge, you should cultivate and maintain relationships with digital, network, and investigative experts.
Join computer user groups in both the public and private sectors.
Computer Technology Investigators Network (CTIN): Meets to discuss problems that digital forensics examiners encounter. This nonprofit organization also conducts training.
High Technology Crime Investigation Association
International Information Systems Security Certification Consortium
InfraGard.
Create your own network of digital forensics specialists and communicate with them via email. Develop professional relationships with individuals who specialize in technical fields distinct from your own.
When researching obscure operating systems, user communities can be especially useful.
Experts from the outside can also provide you with the specific information required to retrieve digital evidence.
Public-sector investigations involve government agencies responsible for criminal investigations and prosecution.
Government agencies range from municipal, county, and state or provincial police departments to federal law enforcement agencies.
Private-sector investigations focus more on policy violations.
Although private-sector investigations often start as civil cases, they can develop into criminal cases; likewise, a criminal case can have implications leading to a civil case.
To determine whether there was a computer crime, an investigator asks questions such as the following:
What was the tool used to commit the crime?
Was it a simple trespass?
Was it a theft or vandalism?
Did the perpetrator infringe on someone else’s rights by cyberstalking or e-mail harassment?
Numerous heinous offenses involve computers, smartphones, and other electronic devices. The most infamous crimes involve the sexual exploitation of juveniles.
Internet-based digital images are stored on hard drives, flash drives, removable hard drives, and the cloud.
Other computer offenses involve missing children and adults, because information about missing persons is frequently found on computers.
On their computers, laptops, smartphones, and other devices, drug dealers, auto theft rings, and other criminals frequently store transaction-related data.
Typically, a criminal investigation begins when someone discovers evidence or witnesses an unlawful act.
The witness or victim makes a factual allegation to the police that a crime has been committed.
A police officer interviews the complainant and writes a report about the crime.
The law enforcement agency processes the report, and management decides to start an investigation or log the information into a police blotter, which provides a record of information about crimes that have been committed previously.
Criminals often repeat actions in their illegal activities, and these patterns can be discovered by examining police blotters.
Digital Evidence First Responder (DEFR): Has the skill and training to arrive on an incident scene, assess the situation, and take precautions to acquire and preserve evidence.
Digital Evidence Specialist (DES): Has the skill to analyze the data and determine when another specialist should be called in to assist with the analysis.
If you’re an examiner assigned to a case, recognize the level of expertise of police officers and others involved in the case.
You should have DES training to conduct the examination of systems and manage the digital forensics aspects of the case.
In a criminal or public-sector case, if the police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit an affidavit.
Before seizing evidence, this sworn statement supporting facts or evidence of a crime is submitted to a judge along with a search warrant application.
You are responsible for composing the affidavit, which must include exhibits (evidence) to support the allegation and justify the warrant.
Then, you must have the affidavit notarized under oath to confirm that the information is accurate.
After a judge approves and signs a search warrant, it is available for execution, at which point a DEFR may collect the evidence specified in the warrant.
After the evidence is collected, it is processed and analyzed to determine whether a crime occurred. The evidence may then be presented in court during an examination or prosecution.
Then, a judge or administrative law judge renders a decision, or a jury reaches a verdict (after which a judge can enter a judgment).
Private corporations and attorneys investigate violations of company policy and litigation disputes, such as unlawful termination, as part of private sector investigations.
When conducting an investigation for a private company, keep in mind that the business must operate with minimal interruption.
Many in the private sector regard your investigation and capture of a suspect as secondary to preventing the violation and minimizing business losses.
In addition, businesses strive to reduce or eradicate litigation, a costly method of resolving criminal or civil issues.
Private sector computer crimes include e-mail harassment, gender and age discrimination, white-collar crimes such as data falsification, embezzlement, and sabotage, and industrial espionage, which entails selling sensitive or confidential company information to a competitor.
Businesses can reduce their risk of litigation by publishing and maintaining policies that are simple for employees to read and implement.
The most important policies are those defining rules for using the company’s computers and networks; this type of policy is commonly known as an “acceptable use policy.”
Published company policies additionally establish a line of authority for conducting internal investigations; they specify who has the legal authority to start an investigation, who can take control of evidence, and who has access to evidence.
Well-defined policies give computer investigators and forensics examiners the authority to conduct an investigation.
In addition to demonstrating that an organization intends to be fair and objective in its treatment of employees, policies state that the organization will adhere to due process for all investigations.
Due Process: Refers to fairness under the law and is meant to protect all.
Without defined policies, a business risks exposing itself to litigation from current or former employees.
The individual or committee responsible for maintaining the company's policies must also be up-to-date on local, state, and federal laws, which can vary by location.
Warning Banner: Appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.
End User: A person using a computer to perform routine tasks other than system administration.
A warning banner notifies the user and asserts the organization's right to conduct an investigation.
Before using these warnings, check with your organization's legal department to determine if additional legal notices are required for your work area or department.
The following list recommends phrases to include in warning banners.
This system and network have restricted access.
This system and network may only be used for official purposes.
Systems and networks are subject to proprietor monitoring at any time.
Utilization of this system constitutes assent to monitoring by the owner.
Users of this system or network who are unauthorized or in violation of the law will be disciplined or prosecuted.
Users of this system acknowledge that they have no expectation of privacy with regard to any activity conducted on this system.
Without a banner, your right to examine can infringe on the user's expectation of privacy, necessitating judicial resolution of the matter.
Companies should designate an authorized requester who has the authority to launch investigations.
To prevent conflicts of interest within the company, executive management should develop a policy.
When departments are vying for the same source of funds, competition can become so fierce that workers may fabricate accusations of misconduct or of managerial support.
Executive management must also specify and place restrictions on who is allowed to ask for a computer investigation and forensics analysis in order to prevent unauthorized investigations.
Examples of groups with this authority in a private-sector environment include the following:
Corporate security investigations
Corporate ethics office
Corporate equal employment opportunity office
Internal auditing
The general counsel or legal department
Three types of situations are common in private-sector environments:
Abuse or misuse of digital assets: Often centers on e-mail and Internet misuse by employees, but could involve other digital resources.
E-mail abuse: Transmitting offensive messages.
Internet abuse: Excessive viewing of contraband images.
Company rules violation: Violations of the company's published rules and policies.
As a digital investigator, your professionalism is crucial since it establishes your reputation.
You must always conduct yourself with the highest level of professionalism.
Throughout an investigation, you must remain impartial and discreet, consistently advance your technical expertise, and act with honesty.
It is ultimately your obligation to locate pertinent digital evidence.
To retain the objectivity of your fact-finding in all investigations, you must avoid prejudice or bias.
Also, you must uphold the investigation's integrity by remaining discreet.
It is necessary to get the lawyer's permission before discussing the issue with anybody else.
You ought to keep up with the most recent advancements in forensic tools, networking, and computer hardware and software.
You should also educate yourself on the most recent investigative methods that you might apply to your cases.
Additionally, you might need to advance or extend your formal education by earning certifications, for example. If you have at least an undergraduate degree in computing or a related discipline, you elevate your professional position.
You are required to act honestly and morally as a digital forensics investigator. You must always act with the utmost honesty in all facets of your life.
Chain of Custody: The route evidence takes from the time you find it until the case is closed or goes to court.
Law enforcement officers often find computers, smartphones, and other devices while investigating crimes, gathering other evidence, or making arrests.
These devices can contain information that helps law enforcement officers determine the chain of events leading to a crime or information providing evidence that’s more likely to lead to a conviction.
The lead detective on the case wants you to examine the computer and cell phone to find and organize data that could be evidence of a crime.
The acquisitions officer gives you documentation of items the investigating officers collected with the computer, including a list of other storage media, such as removable disks and flash drives.
They also note that the computer is a Windows 8 system, and the machine was running when it was discovered.
Before shutting down the computer, the officer photographs all open windows on the Windows desktop, including one showing File Explorer, and gives you the photos.
Identify the type of case you are investigating.
Establish a preliminary plan or approach for the case.
Create a detailed checklist.
Identify the resources you require.
Obtain and copy an evidence drive.
Identify the risks.
Mitigate or minimize the risks.
Analyze the preliminary design.
Analyze and recover the digital evidence.
Investigate the recovered data.
Complete the case report.
Critique the case.
Know the circumstances.
Verify the case's specifics.
Consider the particulars of the situation.
Know the type of evidence to be used.
What disk format is currently in use?
Where is the evidence?
Pick up the USB drive, packed and labeled as evidence, from the IT department.
Establish the chain of custody and fill out an evidence form.
Bring the evidence to your digital forensics lab.
Place the evidence in an approved, secure container.
Prepare your forensic workstation.
Retrieve the evidence from the secure container.
Make a forensic copy of the evidence drive.
Return the evidence drive to the secure container.
Use your digital forensics tools to analyze the duplicated evidence drive.
Case number: The number your organization assigns when an investigation is initiated.
Investigating organization
Investigator
Nature of case: A short description of the case.
Location evidence was obtained.
Description of evidence.
Vendor name: The name of the manufacturer of the computer component.
Model number or serial number.
Evidence recovered by: The name of the investigator who recovered the evidence.
Date and time.
Evidence placed in the locker.
Item Number
Evidence processed by:
Disposition of evidence
Page: The forms used to catalog all evidence for each location should have page numbers.
To secure and catalog the evidence contained in large computer components, you can use large evidence bags, tape, tags, and other items sold by police supply companies or office supply retailers.
Be sure the products you use to secure your computer evidence are both efficient and safe to use on computer parts.
Handling computer parts with care will help you prevent breaking them or getting into contact with static electricity, which can corrupt digital data.
Make sure you use antistatic bags to gather digital evidence.
Place computer evidence in a sturdy container with plenty of padding.
Computer components must be stored within a specific range of temperature and humidity.
Employee misuse of business resources is the focus of the majority of termination investigation work.
The majority of cases involve incidents that foster a hostile work environment, such as viewing pornography in the office or sending inappropriate e-mails.
It is advised that you seek particular guidance on how to manage these inquiries from your company's general counsel and human resources department.
To conduct an investigation involving Internet abuse, you need the following:
The Internet proxy server records of the company
The IP address of the suspect's computer, obtained from your company's network administrator.
The hard drive from the suspect's computer.
Your preferred digital forensics analysis tool.
The following steps outline the recommended processing of an Internet abuse case:
For the disk drive inspection, follow the common forensic analysis techniques and procedures outlined in this book.
Find and collect all URLs to Web pages and other related data.
If a proxy server log is available, get in touch with the network firewall administrator and ask for the network device name or IP address for the suspect machine during the relevant dates.
To ensure that they correspond, compare the data obtained through forensics analysis with the network server log data.
Continue examining the drive data of the suspect machine and gather any pertinent images or Web pages that support the allegation if the URL data is consistent with the network server log and the results of the forensic disk investigation.
If there are no matches in the network server logs and the forensic investigation reveals no supporting evidence, report that the claim is unfounded.
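The log correlation in the steps above, as an added example that is not part of the original notes: it filters constructed proxy log lines by the suspect's IP address and date range, normalizes URLs so both sources compare cleanly, and reports which recovered URLs the proxy log corroborates. The log line format and every IP, URL and timestamp here are constructed for illustration.

```python
"""Correlate URLs recovered from a suspect drive with company proxy logs."""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log (not a real product's format):
# "<ISO timestamp> <client-ip> <method> <url> <status>"
PROXY_LOG = """\
2024-03-11T09:02:11 10.20.30.41 GET http://intranet.example.local/home 200
2024-03-11T09:15:42 10.20.30.57 GET http://contraband.example.test/gallery/1 200
2024-03-11T09:16:03 10.20.30.57 GET http://contraband.example.test/gallery/2 200
2024-03-11T12:40:19 10.20.30.57 GET https://news.example.org/today 200
2024-03-12T08:05:00 10.20.30.57 GET http://contraband.example.test/gallery/3 200
2024-03-14T10:00:00 10.20.30.57 GET http://contraband.example.test/gallery/9 200
this line is malformed and must be skipped
"""

# Constructed URLs recovered from browser history on the suspect drive.
RECOVERED_URLS = [
    "http://contraband.example.test/gallery/1",
    "HTTP://Contraband.Example.Test/gallery/2#top",  # odd case and a fragment
    "https://news.example.org/today",
    "http://contraband.example.test/gallery/9",      # outside the date range
    "http://unrelated.example.net/",                 # never seen by the proxy
]


def parse_proxy_log(text):
    """Yield (timestamp, client_ip, url) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[3]


def normalize(url):
    """Lower-case scheme and host, drop fragments, default the path to '/',
    so the same page matches even if the two sources recorded it differently."""
    s = urlsplit(url)
    query = f"?{s.query}" if s.query else ""
    return f"{s.scheme.lower()}://{s.netloc.lower()}{s.path or '/'}{query}"


def proxy_urls_for(text, suspect_ip, start_iso, end_iso):
    """URLs the proxy logged for suspect_ip between start and end (inclusive)."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return {normalize(url) for ts, ip, url in parse_proxy_log(text)
            if ip == suspect_ip and start <= ts <= end}


def correlate(recovered, proxy_set):
    """Split recovered URLs into those corroborated by the proxy log and the rest."""
    rec = {normalize(u) for u in recovered}
    return sorted(rec & proxy_set), sorted(rec - proxy_set)


def assess(matched):
    """Corroborated hits support the allegation; none at all means unfounded."""
    return "supported" if matched else "unfounded"


if __name__ == "__main__":
    proxy = proxy_urls_for(PROXY_LOG, "10.20.30.57",
                           "2024-03-11T00:00:00", "2024-03-12T23:59:59")
    matched, unmatched = correlate(RECOVERED_URLS, proxy)
    print("corroborated:", matched)
    print("uncorroborated:", unmatched)
    print("assessment:", assess(matched))
```

Uncorroborated URLs are not discarded: they are still candidates for further drive examination, but only the corroborated set should appear in the report as matching the server logs.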
The following list is what you need for an investigation involving e-mail abuse:
An electronic copy of the offending e-mail that includes the message headers; ask your e-mail server administrator for it.
E-mail server log records, if available; check with your e-mail server administrator.
Access to the server, for e-mail systems that store user messages on a central server; arrange it with your e-mail server administrator.
Access to the computer so that you can perform a forensic examination on it, for e-mail systems that store users' messages on the computer, for example as an Outlook .pst or .ost file.
Your preferred digital forensics analysis tool.
The following steps outline the recommended procedure for e-mail investigations:
For computer-based email data files, such as Outlook .pst or .ost files, use the standard forensics analysis techniques and procedures described in this book for the drive examination.
For server-based email data files, contact the e-mail server administrator and obtain an electronic copy of the suspect’s and victim’s email folder or data.
For Web-based e-mail (Gmail, for example) investigations, search for Internet keywords to extract all related e-mail address information.
Examine header data of all messages of interest to the investigation.
The following list shows the basic steps for conducting an attorney-client privilege (ACP) case:
Ask the lawyer for a document authorizing you to launch the investigation. Your name and the names of any other associates assigned to the case must be listed along with a statement that the investigation is privileged communication.
Ask for a list of search terms relevant to the investigation.
Start the investigation and analysis only once you have the document in hand. Any conclusions you reached before reading the memorandum may be examined by the opposing lawyer.
Create two bit-stream images of the disk for drive inspections, each using a different tool.
Check the hash values of every file on the original and replica drives, or on the image file that represents them.
Examine the entire drive methodically, and then extract all the data.
Use both allocated and unallocated storage space to conduct keyword searches. Verify the results of the searches to see whether they yield any evidence to support the claim.
Use specialized software for Windows OSs, such as AccessData Registry Viewer or a Registry viewer program, to examine and extract data from the Registry.
For binary files such as CAD drawings, open them with the appropriate program and, if practical, print out their contents.
To recover unallocated data, use a tool that substitutes or removes nonprintable characters.
Place all information recovered from the evidence bit-stream image into organized folders and subfolders.
Here are some other guidelines to remember for ACP cases:
Minimize all written correspondence with the lawyer; whenever you have a question or need to give information about the case, call instead.
A header identifying the document as "Privileged Legal Communication—Confidential Work Product," as described under the attorney-work-product rule, must appear on all correspondence addressed to the attorney.
Help the lawyer and paralegal with the data analysis.
The following list includes staff you might need when planning an industrial espionage investigation.
The digital investigator in charge of conducting disk forensic investigations.
The expert in technology who is familiar with the allegedly hacked technical data.
The network expert who can run log analysis and install network monitors to capture the suspect's suspected network communications.
The threat assessment professional who is knowledgeable with federal and state rules and regulations relating to ITAR or EAR and industrial espionage (usually an attorney).
Consider the following guidelines when initiating an industrial espionage investigation:
To assess whether this investigation is covered by ITAR or EAR, first determine whether there may have been an industrial espionage event.
If the investigations must be carried out in secret, speak with the corporation lawyers and upper management.
Identify the information required to support the claim of industrial espionage.
Create a list of keywords for network monitoring and disk forensics.
List and gather the resources needed for the inquiry.
Establish the purpose and parameters of the inquiry; discuss the workload with management and the legal counsel for the company.
After receiving management approval, begin the investigation. Report your findings and activities on a regular basis.
The following are planning considerations for industrial espionage investigations:
Check any e-mails sent and received by the suspected employees, including those from paid and free Web-based services.
Look for any posts about the incident in online forums or blogs.
Start conducting physical surveillance using cameras on targets that could be useful for the investigation.
Check all facility physical access logs for critical areas, such as secure zones that use smart badges or video surveillance recordings, if they are available.
Determine the suspect's location in relation to the compromised resource, if there is one.
Examine the suspect's work practices.
Gather all incoming and outgoing call records to check for any strange or special numbers that were dialed.
When conducting an industrial espionage case, follow these basic steps:
Assemble all the team members involved in the investigation and give them a briefing on the strategy and any worries.
Assemble the tools required to carry out the investigation.
Start the investigation by installing surveillance equipment at strategic areas, such as cameras and network monitors.
Make a bit-stream image of any further evidence you covertly collect, such as the suspect's computer drive, and save it for further inspection.
Gather all network and email server logs, then go through them looking for anything unusual that might be relevant to the investigation.
Inform management and company counsel on a frequent basis about the status and results of your investigation.
With management and corporate lawyers, go over the investigation's parameters to see if it needs to be expanded or given more resources.
Interview: Conducted to collect information from a witness or suspect about specific facts related to an investigation.
Interrogation: The process of trying to get a suspect to confess to a specific incident or crime.
Forensic Workstation: A computer loaded with additional bays and forensics software.
Depending on your needs, a forensic workstation can use the following operating systems:
MS-DOS 6.22
Windows 95, 98, or Me
Windows NT 3.5 or 4.0
Windows 2000, XP, Vista, 7, 8, or 10
Linux
Mac OS X and macOS
With current digital forensics hardware and software, configuring a computer workstation or laptop as a forensic workstation is simple. All that’s required are the following:
A workstation running Windows 7 or later
A write-blocker device
Digital forensics acquisition tool
Digital forensics analysis tool
A target drive to receive the source or suspect disk data
Spare PATA and SATA ports
USB ports
Additional useful items include the following:
Network interface card (NIC)
Extra USB ports
FireWire 400/800 ports
SCSI card
Disk editor tool
Text editor tool
Graphics viewer program
Other specialized viewing tools
Start by gathering the resources you identified in your investigation plan. You need the following items:
Original storage media
Evidence custody form
Evidence container for the storage media, such as an evidence bag
Bit-stream imaging tool; in this case, FTK Imager Lite
Forensic workstation to copy and examine the evidence
Secure evidence locker, cabinet, or safe
Make plans to meet with the IT manager to interview the offender and collect the storage devices.
Fill out the evidence form, have the IT manager sign it, and then sign it yourself after the interview.
Transport the storage media to your forensic facility after placing it in an evidence bag.
Bring the evidence to a locked space, like a cabinet, safe, or locker.
Fill out the custody of evidence form.
Lock the container to protect the evidence.
Bit-stream copy: A bit-by-bit copy, or forensic copy, of the original drive or storage medium; it is an exact duplicate.
Acquiring an Image: The process of retrieving an exact copy of the evidence from the suspect drive.
Bit-stream image: The file containing the bit-stream copy of all data on a disk or disk partition.
Even when you know exactly what to look for in the evidence, data analysis can still take the longest.
Searching for specific known data values is one way to find evidential artifacts.
Data values can be unique words or nonprintable characters, such as hexadecimal codes.
Describe what you did and what you discovered in your report. The report that a forensics tool produces details the actions you took.
Repeatable Findings: Repeating the steps you took in any digital investigation must produce the same results.
Always record everything you do in a written journal. Be careful what you write or email, even to a colleague investigator, as your notes may be used in court.
Report writing templates may be available from your company.
You should meet with your department or a group of other investigators to discuss the case after you close it and write your final report so that you can make improvements to your work.
Ask yourself assessment questions such as the following:
How could you perform better in this situation?
Did you anticipate the outcomes you got? Has the case taken a turn that you didn't anticipate?
Was the documentation complete to the best of its ability?
What kind of feedback did the requesting source provide?
Have you come across any new issues? If so, what are they?
Did you employ novel tactics when researching the case?