To be carried out without tampering, an investigation needs to follow a defined process and protocol. An official investigation involves police investigative bodies and a special prosecution for cyber crime, which conduct the investigation based on the law on criminal procedure, the law on combating cyber crime, the law on electronic communication, the law on protection of information and information systems, the law on digital evidence, the law on electronic signature and the law on electronic commerce.
The general process of an official digital forensic investigation, based on the "step-by-step" model, entails four phases: initial investigation, tracking the perpetrator, discovering the identity of the perpetrator, and arrest. In actual cases of cyber crime, at the stage of preliminary investigation and search, investigative bodies collect evidence of reasonable doubt and put in a claim against the suspect, who can also be an unknown individual. Based on the police findings, the prosecutor obtains a warrant for investigation from the investigative judge and initiates the official investigation. Based on a valid court order, the suspicious computer or communication system can be temporarily confiscated; that is, a physical image of the hard disk or of the memory content of the IT system and devices can be taken for forensic acquisition and data analysis.
The standard procedure of a corporate forensic investigation contains several phases that involve teamwork between the corporate investigative bodies and the official IT experts of the corporation:
1. Testing the suspect and witnesses.
2. Preparing the bodies for the investigation (locating the compromised computer).
3. Inquiring into the resources of the suspect.
4. Checking the log file records and other information on the suspect.
5. Complete marking and sorting of indirect evidence, with detailed notes on the content and space for the signature of the person who takes over the evidence material.
6. Protecting the stored data containing evidence from any alterations.
7. Ensuring the time interval of the evidence as solid proof.
8. Utilizing forensic tools to verify the events as a criminal act.
9. Control check-up of the flow of each phase of the investigation.
10. Collecting, analyzing and preparing evidence for the trial.
11. Developing a detailed report on the investigation, documentation and provision of suggestions for further proceedings.
12. Deciding at the organizational level whether to cancel the case, continue it within the organization or submit it to the competent authorities.
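Steps 5 to 7 (marking evidence with the name of the person taking it over, protecting it from alteration, and fixing its timeline) can be supported by a hash-chained custody log. The following is an added example, not part of the original text; the record fields, handler names, timestamps and the stand-in image bytes are all constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value used by the first record

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def digest(record: dict) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    body = {k: v for k, v in record.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def add_entry(log: list, image: bytes, action: str, handler: str, timestamp: str) -> dict:
    """Append a custody record chained to the previous one."""
    record = {
        "seq": len(log) + 1,
        "timestamp": timestamp,             # ISO 8601 UTC, so strings sort by time
        "action": action,
        "handler": handler,                 # person taking over the evidence
        "image_sha256": sha256_hex(image),  # state of the evidence at hand-over
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    record["entry_hash"] = digest(record)
    log.append(record)
    return record

def verify(log: list, image: bytes) -> list:
    """Return a list of problems; an empty list means log and image agree."""
    problems, prev, last_ts = [], GENESIS, ""
    for rec in log:
        if digest(rec) != rec["entry_hash"]:
            problems.append(f"entry {rec['seq']}: record altered")
        if rec["prev_hash"] != prev:
            problems.append(f"entry {rec['seq']}: chain broken")
        if rec["timestamp"] < last_ts:
            problems.append(f"entry {rec['seq']}: timestamp out of order")
        if rec["image_sha256"] != log[0]["image_sha256"]:
            problems.append(f"entry {rec['seq']}: image changed in custody")
        prev, last_ts = rec["entry_hash"], rec["timestamp"]
    if log and sha256_hex(image) != log[0]["image_sha256"]:
        problems.append("image does not match acquisition hash")
    return problems

# Constructed sample: a stand-in "disk image" and three hand-overs.
IMAGE = b"constructed disk image bytes"
LOG = []
add_entry(LOG, IMAGE, "acquired", "investigator A", "2024-01-10T09:00:00Z")
add_entry(LOG, IMAGE, "transferred to lab", "analyst B", "2024-01-10T11:30:00Z")
add_entry(LOG, IMAGE, "analysis copy made", "analyst B", "2024-01-11T08:15:00Z")
```

The chain only exposes edits if the latest `entry_hash` is also recorded outside the log, for example on the signed paper form, since anyone able to rewrite every record could otherwise recompute the whole chain.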