Welcome back to the computer forensics path, Course 5, The Investigative Process. Throughout this course, we're going to cover the investigative process. We're going to talk about Locard's principle of exchange, we're going to discuss the scientific method, and we're going to talk about big data and some of the concerns and issues we face with that. In Course 5, module 1, we're going to talk about Locard's principle and the scientific method.

Locard's principle of exchange deals with the cross-transference of evidence. What it says is that when one object comes in contact with a second object, traces of both objects are left on each other. Picture a car accident, where one car bumps into another car and scrapes of paint from the first car are left on the other car. They both had an exchange of paint as they collided. Locard's principle says that every object that makes contact with another object leaves a trace. As digital forensic investigators, we're talking about computers. Whenever you do something with a computer, it does leave a trace behind. These traces will help us link suspects to a particular crime, and victims to a place, a person, or evidence.

The scientific method consists of stages. The first stage in the scientific method is observation. We want to look and see what type of evidence we can obtain from the crime scene. From there we're going to develop a hypothesis based on what we've observed. After we have our hypothesis, we're going to test it and see if it works, like a proof of concept. Once we've done that, we're going to verify whether it is true, and once we verify our hypothesis, we're going to draw a conclusion. If our conclusions don't hold true, then we have to form a new hypothesis. This is cyclical in nature. Usually once we make some observations, we develop a hypothesis, we test it, and we come to a conclusion.
From there, we're going to find more evidence and we're going to start over: make another observation, develop a new hypothesis, and continue to test that one. This is a visual representation of the scientific process. You can see over here on the far left-hand side of the screen, we start with our observation. Once we make our observation, we think of a question. Once we have that, we formulate a hypothesis, and then we test it. Once we test it, we come up with some type of theory from our tests, and from there we go ahead and make some more observations and continue to go round and round.

The forensic cycle includes the creation of policy and procedures. You should all have written policy and procedures regarding digital evidence: how it's collected, how you do your intake, how it is handled, and how it is stored. You also want to obtain initial information. Once we've done this, we're going to find out what type of case we are looking at, what type of evidence we would expect to find, and where we would expect to find that evidence within the file system. Then we're going to perform an investigation. You're going to document the site, the conditions, and your observations; you have examination and reporting; and you'll have quality control and peer review, where your findings are reviewed by another examiner to see if they hold true. The last step is testimony and final disposition. This is where we would bring our evidence into court, or into a hearing, or some type of formal procedure, and testify regarding our findings.

You should have procedures for digital evidence examination. You should keep these procedures up-to-date with current standards in the field, and you should follow these written procedures. You should have work practices to prevent your contamination of evidence.
You need to monitor your procedures using controls and standards, and you need to test and validate these procedures. We'll talk more about this throughout the path. We're going to validate our tools and software. We're going to do this before we use them on evidence. We want to make sure all our tools are working properly. We want to preserve the evidence. We want to make no changes to the evidence. We want to document every access to the original evidence. This is called the chain of custody, and we'll talk more about that as we go through this path. But every time somebody touches the original evidence, you need to document that. You want to work from a copy of the evidence. You never work on the original; you always work from a copy. You do want to document the chain of custody. Then you want to have your reporting and documentation process.

Witnesses. There are different types of witnesses. But basically, a witness is defined as a person who provides testimony under oath and is subject to perjury. A witness is going to have a connection with the incident. He's going to have information about the incident: either he was there and has some first-hand information, or he knows somebody who was there. So a witness is someone who has some connection to the crime. An expert witness, on the other hand, probably does not have a direct connection to the crime or the incident we are investigating. He or she is an expert in their field, and they are usually paid to testify.

In our next module, we're going to discuss big data and the challenges that we have when examining big data.
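To make the "preserve the evidence, work from a copy, document every access" steps from this module concrete, here is an added example that is not part of the course material: it hashes a (constructed, in-memory) evidence image at intake, checks that a working copy matches the original before any examination, and appends each access to a chain-of-custody log. The file contents, examiner name and log format are assumptions for illustration.

```python
"""Added example (not from the course): verify a working copy against the
original evidence and record each access in a chain-of-custody log."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired evidence image (normally a file on disk).
ORIGINAL_IMAGE = b"\x00" * 512 + b"EVIDENCE-DISK-IMAGE" + b"\xff" * 512


def sha256_hex(data: bytes) -> str:
    """Hash the evidence in chunks, as you would a multi-gigabyte image."""
    h = hashlib.sha256()
    for i in range(0, len(data), 256):
        h.update(data[i:i + 256])
    return h.hexdigest()


def log_access(log: list, examiner: str, action: str, digest: str) -> dict:
    """Append one chain-of-custody entry: who touched the evidence, when, why."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "action": action, "sha256": digest}
    log.append(entry)
    return entry


def verify_working_copy(original: bytes, copy: bytes,
                        examiner: str, log: list) -> bool:
    """Only a copy whose hash matches the original may be examined."""
    orig_digest = sha256_hex(original)
    log_access(log, examiner, "hashed original at intake", orig_digest)
    copy_digest = sha256_hex(copy)
    ok = copy_digest == orig_digest
    action = "verified working copy" if ok else "REJECTED working copy (hash mismatch)"
    log_access(log, examiner, action, copy_digest)
    return ok


if __name__ == "__main__":
    custody_log = []
    print(verify_working_copy(ORIGINAL_IMAGE, bytes(ORIGINAL_IMAGE),
                              "examiner-1", custody_log))
    # A copy altered by a single byte must be rejected before examination.
    bad_copy = bytearray(ORIGINAL_IMAGE)
    bad_copy[600] ^= 0x01
    print(verify_working_copy(ORIGINAL_IMAGE, bytes(bad_copy),
                              "examiner-1", custody_log))
    print(json.dumps(custody_log, indent=2))
```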