Post 6: Network Forensics Investigation Methodology (OSCAR)

January 8, 2019 | In Network Forensics

To get better results, investigators should follow a methodology framework throughout the investigation process. There are two types of methodologies that forensics investigators can use to guide them through an investigation. In this post, I am going to explain the first of them, OSCAR.

OSCAR consists of:

  1. Obtain information
  2. Strategize
  3. Collect evidence
  4. Analyze
  5. Report

I am going to explain each of these processes.

Obtain information

In this process, investigators gather information about the incident and the environment in which it took place. For the incident, investigators need to know its description and time, the people involved, the data and systems involved, and any legal issues. For the network, investigators need to know the network topology, the structure of the organization where the incident took place, and the available resources.

Strategize

After obtaining the information needed to investigate, investigators work together with the other investigators on the case to discuss it. They also need to prioritize the sources of evidence. An example of evidence prioritization is shown below.


Collect Evidence

Investigators decide on a plan based on the evidence obtained. Then they should acquire the evidence in the order of priority set in the previous step. Investigators need to document their evidence, which will be useful when they need to refer back to it later. It is also important for investigators to capture the evidence, for example by saving the network traffic in pcap file format or taking screenshots of the network traffic. Lastly, investigators also need to store the collected evidence in a safe place and make sure that the people with access to it are trustworthy.
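Documenting and safeguarding captured evidence is usually done with a chain-of-custody manifest: each item is hashed at collection time, the hash is recorded together with who collected it, from where and when, and the hash is recomputed whenever the item is handled so that any change is detected. The script below is an added example of that practice; it is not code from the original post. The capture it writes is a constructed, empty pcap file (global header only), and the analyst name, collection source and note are hypothetical placeholders.

```python
import hashlib
import json
import struct
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample: a minimal, empty pcap file (24-byte global header, link type 1 = Ethernet).
# It stands in for a real capture; no traffic from the post is involved.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large captures never have to fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def register_evidence(manifest, path, collected_by, source, note=""):
    """Append a chain-of-custody entry: what was collected, from where, by whom, when, and its hash."""
    path = Path(path)
    entry = {
        "evidence_id": f"EV-{len(manifest) + 1:04d}",
        "file": path.name,
        "size_bytes": path.stat().st_size,
        "sha256": sha256_file(path),
        "source": source,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "note": note,
    }
    manifest.append(entry)
    return entry


def verify_evidence(manifest, evidence_id, path):
    """Re-hash the file and compare it with the recorded hash; False means the evidence changed."""
    for entry in manifest:
        if entry["evidence_id"] == evidence_id:
            return sha256_file(path) == entry["sha256"]
    raise KeyError(f"unknown evidence id {evidence_id}")


def demo(workdir=None):
    """Write the constructed capture, register it, verify it, then show that a change is detected."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(Path(tmp))
    pcap = Path(workdir) / "capture.pcap"
    pcap.write_bytes(SAMPLE_PCAP)
    manifest = []
    entry = register_evidence(
        manifest, pcap,
        collected_by="analyst-1 (hypothetical)",
        source="SPAN port on core switch (hypothetical)",
        note="collected with tcpdump during incident triage (hypothetical)",
    )
    intact = verify_evidence(manifest, entry["evidence_id"], pcap)
    pcap.write_bytes(SAMPLE_PCAP + b"\x00")  # simulate an accidental modification of the stored copy
    after_change = verify_evidence(manifest, entry["evidence_id"], pcap)
    (Path(workdir) / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return entry, intact, after_change


if __name__ == "__main__":
    e, ok, changed = demo()
    print(json.dumps(e, indent=2))
    print("hash matches after collection:", ok)
    print("hash matches after modification:", changed)
```

The manifest is written as JSON so it can be kept beside the evidence store and re-checked by anyone who later handles the file; a mismatch from `verify_evidence` means the copy can no longer be presented as the item that was collected.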

Analyze

In the analyze process, investigators need to correlate multiple sources of evidence, arrange the evidence on a timeline, and make educated interpretations of the evidence that lead to further investigation. In this process, it is important for investigators to keep interpretations separate from the facts.
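Correlating several sources first means bringing them onto one clock: firewall syslog lines without a year in local time, flow records from a pcap in epoch seconds, and an authentication log in ISO 8601 all have to be normalised to UTC before they can be ordered. The script below is an added example of building such a timeline, checking which sources corroborate an event, and keeping the analyst's interpretation apart from the recorded fact; it is not code from the original post. The three log sources, the host names `fw01` and `web01`, the addresses and the firewall's UTC-5 timezone are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records from three evidence sources (not logs from the post).
# Each source keeps time differently, which is the normal situation when correlating evidence.
FIREWALL_LOG = [  # syslog-style, no year, local time of the firewall
    "Jan  8 09:14:02 fw01 DENY TCP 203.0.113.7:51234 -> 192.0.2.10:22",
    "Jan  8 09:14:05 fw01 ALLOW TCP 203.0.113.7:51240 -> 192.0.2.10:443",
]
FLOW_RECORDS = [  # flows summarised from a pcap, epoch seconds (UTC)
    {"ts": 1546956845, "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 443, "bytes": 1820},
    {"ts": 1546956870, "src": "192.0.2.10", "dst": "198.51.100.9", "dport": 8443, "bytes": 52000},
]
AUTH_LOG = [  # ISO 8601 with an explicit UTC offset
    "2019-01-08T14:14:20+00:00 web01 sshd: Failed password for root from 203.0.113.7",
]

FIREWALL_TZ = timezone(timedelta(hours=-5))  # assumption: fw01 logs in local time, UTC-5
INCIDENT_YEAR = 2019                          # syslog lines carry no year; taken from the case notes

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) (.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def event(ts_utc, source, fact, hosts):
    """One timeline entry. 'fact' is the record as collected; 'interpretation' is filled in separately."""
    return {"ts": ts_utc, "source": source, "fact": fact, "hosts": set(hosts), "interpretation": None}


def parse_firewall(line):
    mon, day, hh, mm, ss, host, msg = SYSLOG_RE.match(line).groups()
    local = datetime(INCIDENT_YEAR, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=FIREWALL_TZ)
    return event(local.astimezone(timezone.utc), "firewall:" + host, line, IP_RE.findall(msg))


def parse_flow(rec):
    fact = f"{rec['src']} -> {rec['dst']}:{rec['dport']} {rec['bytes']} bytes"
    return event(datetime.fromtimestamp(rec["ts"], tz=timezone.utc), "pcap-flows", fact, [rec["src"], rec["dst"]])


def parse_auth(line):
    stamp, rest = line.split(" ", 1)
    return event(datetime.fromisoformat(stamp).astimezone(timezone.utc), "auth:" + rest.split()[0], line, IP_RE.findall(rest))


def build_timeline():
    """Normalise every record to UTC and order them; ties keep their input order."""
    events = ([parse_firewall(l) for l in FIREWALL_LOG]
              + [parse_flow(r) for r in FLOW_RECORDS]
              + [parse_auth(l) for l in AUTH_LOG])
    return sorted(events, key=lambda e: e["ts"])


def corroborating_sources(timeline, host, window=timedelta(minutes=5)):
    """Distinct sources that mention `host` within `window` of the first time it appears."""
    hits = [e for e in timeline if host in e["hosts"]]
    if not hits:
        return set()
    first = hits[0]["ts"]
    return {e["source"] for e in hits if e["ts"] - first <= window}


def annotate(entry, interpretation):
    """Attach the analyst's reading of an event without touching the recorded fact."""
    entry["interpretation"] = interpretation
    return entry


def render(timeline):
    """Report lines with facts and interpretations visibly separated."""
    lines = []
    for e in timeline:
        lines.append(f"{e['ts'].isoformat()}  {e['source']:<16} FACT: {e['fact']}")
        if e["interpretation"]:
            lines.append(f"{'':<27}{'':<16} INTERPRETATION: {e['interpretation']}")
    return lines


if __name__ == "__main__":
    tl = build_timeline()
    annotate(tl[3], "failed SSH login from the same external host that the firewall logged")
    print("\n".join(render(tl)))
    print("sources corroborating 203.0.113.7:", sorted(corroborating_sources(tl, "203.0.113.7")))
```

Two details carry the methodological point: the firewall's year and timezone are not in its log lines and have to come from the Obtain Information step, and an interpretation is stored in its own field so a report can show what the records say and what the analyst concluded on separate lines.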

Report

After investigators have finished their investigation, they are required to write a report on their findings. The report should be understandable to people who do not know the technical terms, and it should be complete, defensible, and factual.
