The Investigative Cycle

The Investigative Cycle forms the basis for most of our courses. In every course, the attendee will identify sources for evidence, develop a plan for evidence collection, identify key findings in the evidence, apply industry-standard methods to draw conclusions from analysis, and consolidate evidence, summaries, analysis, and conclusions in a concise format.

This course contains lessons for each element of the investigative cycle in a Business Email Compromise Investigation. The purpose of this course is to inform attendees about business email compromise, how to prevent it, and how to investigate it.

Identify: Identify sources of evidence for an email compromise investigation. This section includes lessons on defining the scope of the investigation, including what will be needed to determine whether the perpetrator is a malicious insider or an external actor.

Collect: Develop a plan for collecting evidence in an email compromise investigation. This section includes lessons on ethical procedures for gathering digital evidence and offers considerations for alternative sources of evidence.

Synthesize: Identify key findings in the collected evidence and summarize. This section includes lessons on common requirements for summaries for specific audiences: business leadership, general or outside counsel, insurance claimants, or law enforcement.

Analyze: Apply industry-standard methods and draw conclusions from the analysis. This section includes lessons on digital evidence gathering and provides guidelines on avoiding inappropriate assumptions from digital forensics analysis.

Report: Consolidate the evidence, summaries, analysis, and conclusions in a concise format for a specific audience. This section includes lessons on an appropriate report structure and sections to maintain readability and admissibility.