One World Finance (OWF) is a specialist provider of high-quality consumer finance services to a global network of customers. Trading in Australia and New Zealand since 1990, the company has more than 750 employees and serves more than 5 million customers. The company's main office is in Brisbane, with branch offices in Sydney and Melbourne.
OWF has invested heavily in information technology to support its global business operations and to gain competitive advantage over its competitors. The company made major investments in 2001, but in recent years management has lost focus on updating the network and application infrastructure that supports business operations. The network environment across all OWF offices is flat and relatively unrestricted: users in one office can access systems and servers in another. Workstations and servers are typically Microsoft Windows-based. Firewalls and network segmentation are poorly implemented throughout the environment. Intrusion detection and logging exist on the systems, but they are not used effectively.
Last night, John Marsh at the Sydney office went in to work early, and when he logged on to his computer he found that someone was already connected to it, with several windows open. As he watched, the session was disconnected. He tried to reconnect but found that he had been logged out. He called the IT manager, who followed the plan for such incidents: disabling John's account and examining the server security logs. The IT manager found that the IP address of the computer connected to John's computer belongs to a computer used to run a data projector at the Melbourne office. He quickly rang the Melbourne office to check who had used that computer and requested the logs of people who had swiped into the building. He found that there were five people in the building at the time, but one employee, Andrew Gale, has since swiped out and called in sick. An urgent meeting with management concluded that Andrew Gale has at least violated company policy by accessing a colleague's account, but management is unsure whether he has violated any other policy or engaged in any criminal activity. As the information security officer, you have been asked by management to investigate the extent of Andrew's activities, whether others are involved, who is affected, and whether criminal charges need to be laid.
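The correlation the IT manager performed, remote logon events on the target account resolved to a source host and then matched against who had badged into the building, is the kind of evidence chain the investigation plan has to preserve. The Python sketch below is an added illustration, not part of the case brief: it pairs RDP logon/logoff events (Windows Security event IDs 4624/4634, logon type 10) by logon ID, resolves the source IP through an assumed asset inventory, and lists who was badged in when each session began. All event records, names, times and addresses are constructed.

```python
from datetime import datetime

# Constructed sample of Windows Security events (4624 = logon, 4634 = logoff;
# logon type 10 = RemoteInteractive/RDP). Names, times and addresses are made up.
SECURITY_EVENTS = [
    {"time": "2024-03-04 05:41:10", "event_id": 4624, "logon_type": 10, "user": "jmarsh", "src_ip": "10.30.8.21", "logon_id": "0x5A2F1"},
    {"time": "2024-03-04 06:02:33", "event_id": 4624, "logon_type": 2, "user": "jmarsh", "src_ip": "-", "logon_id": "0x5B004"},
    {"time": "2024-03-04 06:03:05", "event_id": 4634, "logon_type": 10, "user": "jmarsh", "src_ip": "10.30.8.21", "logon_id": "0x5A2F1"},
]
# Constructed Melbourne building swipe log: (time, badge holder, direction).
SWIPE_LOG = [
    ("2024-03-04 05:12:40", "A. Gale", "in"),
    ("2024-03-04 05:20:11", "B. Chen", "in"),
    ("2024-03-04 05:55:02", "C. Ortiz", "in"),
    ("2024-03-04 06:30:45", "A. Gale", "out"),
    ("2024-03-04 07:05:00", "D. Khan", "in"),
]
# Constructed asset inventory: source IP -> hostname (an assumption, not real data).
ASSET_MAP = {"10.30.8.21": "MEL-PROJECTOR-PC"}

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def remote_sessions(events, user):
    """Pair each RDP logon (4624, type 10) for `user` with its logoff (4634) via logon_id."""
    sessions = {}
    for e in sorted(events, key=lambda e: ts(e["time"])):
        if e["user"] != user or e["logon_type"] != 10:
            continue  # ignore other users and local/console logons
        if e["event_id"] == 4624:
            sessions[e["logon_id"]] = {"src_ip": e["src_ip"], "start": ts(e["time"]), "end": None}
        elif e["event_id"] == 4634 and e["logon_id"] in sessions:
            sessions[e["logon_id"]]["end"] = ts(e["time"])
    return list(sessions.values())

def present_at(swipes, when):
    """Badge holders whose most recent swipe at or before `when` was an entry."""
    state = {}
    for t, who, direction in sorted(swipes, key=lambda s: ts(s[0])):
        if ts(t) <= when:
            state[who] = direction
    return {who for who, d in state.items() if d == "in"}

def correlate(events, swipes, user, asset_map):
    """Resolve each remote session's source host and list who was badged in when it began."""
    return [{"source_host": asset_map.get(s["src_ip"], "unknown"), "src_ip": s["src_ip"],
             "start": s["start"], "end": s["end"], "present": present_at(swipes, s["start"])}
            for s in remote_sessions(events, user)]
```

The swipe state is only a list of candidates, not an attribution: an open session still has to be tied to a specific person through the projector PC's own artifacts, which is why both logs need to be acquired before anyone touches that machine.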
Your task is to prepare a digital forensics investigation plan to enable the systematic collection of evidence and subsequent forensic analysis of the electronic and digital data. Assuming all systems are Windows-based, this plan should detail the following:
· justify why the use of a digital forensic methodology and approach is warranted, including appropriate procedures for a corporate investigation.
· describe the resources required to conduct a digital forensic investigation, including skill sets and required tools of the team members.
· outline an approach for identifying and acquiring data/evidence in order to prepare the auditors to review the digital evidence.
· outline an approach and the steps to be taken during the analysis phase, assuming the computer system is a Microsoft Windows-based computer.
· make a recommendation on the action the company needs to take against the offender.