Digital Forensics Investigative Plan For Windows-Based Systems

Question:

As part of the auditing team in capacity of a Digital Forensics expert, your task is to prepare digital forensics investigative plan to enable a systematic collection of evidence and subsequent forensic analysis of the electronic and digital data. Assuming all systems are Windows based, this plan should detail following: 

1. Justify why use of the digital forensic methodology and approach is warranted including procedures for corporate investigation.

2. Describe the resources required to conduct a digital forensic investigation, including team member skill sets and required tools.

3. Outline an approach for data/evidence identification and acquisition that would occur in order to prepare the auditors for review of the digital evidence.

4. Outline an approach and steps to be taken during the analysis phase making the assumption the computer system is a Microsoft Windows-based computer.

5.  Create a table of contents for the investigative plan describing what the primary focus of the report would be.

Cyber crime is increasingly spreading with the same pace of the advancement of the information technology. Securing the existing data has become equally important as developing the new software technologies in the industry. The case study is done to conduct the digital forensic investigation on an existing company, Global Finance, which has been wide spread its services throughout the world and enabled network among them through the information technology. However, security standards are not set and followed, through there is enough technology and expertise available. Digital forensic investigation is applied to investigate the compromise that was suspected in one of its branch offices of the company. 

Computer technology and information technology has become an integral part of the human life and business life in the present world. The technology and usage are growing proportionally, unfortunately the cyber crimes are growing with the same pace. Computer crimes and cyber crimes, such as unauthorized access, intrusion, financial fraud, intellectual theft and identity theft have been the part of the cyber world. Computer digital forensics do play vital role to counteract these computer and cyber related crimes. “Computer Forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal or administrative cases (Nelson, B., et al., 2008)”. The present case study involves the digital forensic investigation in the Global Finance branch office, Queensland in Australia, regarding a compromise suspected in a manager’s computer in the same branch. Information security officer from the head office has enforced the audit team to conduct the investigation and submit the report with all the digital forensic evidences.  

Global Finance is an investment company having 10,000 employees working in its branch offices, all over the world. The company has wider range of interests like investment, superannuation and retirement. The company has wider range of clients, right from an individual to larger corporate and superannuation fund investors. Company has investment management expertise in property, global shares, credit, private equity and infrastructure. Global business of the company has been facilitated to forward its vision, using the information technology. Though investments were made in the year 2000, focus is lost in updating the network and application infrastructure to support all the operations. The network environment among all the child organizations is flat and unrestricted. So, users from one child organization can access the servers of the other child organization without any authorization. All the servers and workstations are Microsoft-Windows based systems. There is a poor implementation of the network segmentation and firewalls. Logging and intrusion detection do exist, but hardly implemented and used.

Description of the Case Study

The concern has been initiated from the manager from the Brisbane branch, who has contacted the information security office in the head office. The concern of the manager is that his computer is suspected to be compromised by someone.

Since information security office is accountable for any kind of compromise or breach of the information in the head office and child organizations, the suspicion is taken by them seriously. A team of auditors is formed to investigate the suspicion.

The audit team has been assigned the tasks of reviewed paper based company documents and undertakes digital forensic analysis of the computers at the regional office. So, digital evidences are to be collected from the relevant desktop PCs and email accounts. The necessary files to be collected and examined are MS- Word documents, spreadsheets, Outlook and deleted files.

The information security office prefers digital forensic methodology for investigation, as it includes all its sub branches, like computer forensic, mobile device forensic and network forensics. In the Global Finance regional branch computer forensic, network forensic along with the data recovery must be done towards completion of the investment.

The scopes of digital forensic investigation conducted in the regional office are,

• Identifying the malicious activities, in detail with 5Ws or When, Who, Where, Why and What
• Identifying possible security lapse in the office network
• Finding out the compromised manager’s computer and the network system’s impact
• Identifying the necessary legal procedures, when applicable
• Providing remedial future actions to secure this regional office and then the rest of the child organizations of Global Finance

“Computer Forensics is a new field and there is less standardization and consistency across the courts and industry” (US-CERT, 2012).

For Global Finance company, the digital forensic approach to be followed is a three stage process.

• Acquisition / Imaging of exhibits
• Analysis
• Reporting

The audit team must have the necessary methodologies like static and dynamic methodologies. The tools that are useful for digital forensic investigation in the Global Finance are, EnCase and ProDiscover to check the network system in the regional office.

Since the investigation in the Global Finance company is a private digital forensic investigation, the audit team must abide the following four principles.

Principle 1: Data collected from all the sources of targeted computers should not be changed or altered, as the original has to be preserved for the submission of the report.

Principle 2: The audit team must be enough competent to handle the original data collected safely and every course of action must be supported by the explanation with the evidence.

Principle 3: An audit trail as well as the other documentation involved during the process must be created and well preserved. The same results are expected to be achieved if the same process is executed, by others.

Principle 4: The entire team is responsible and accountable for the digital forensic investigation conducted in the Global Finance company.  

The audit must acquaint all necessary and deeper expertise in the operating system, kernel system and network system of how these work at the core level.

1. Gather all the available information from the manager’s and other workstations and servers
2. Identify the impact of the investigation to the Global Finance Company in terms of downtime, etc.
3. Obtain network information
4. Identify external storage devices
5. Identify all forensic tools applicable for the infrastructure in the regional office
6. Documentation of each and every activity during the investigation
7. Capture the network traffic, live
8. Imaging the target computers and then hash for integrity of data

Identification of the digital evidences from the manager’s computer, which is the targeted computer is done by collection of the following evidences.

1. System Log files

2. IP addressesNetwork information like routers, hub, switches network topology documentation, servers, workstations, network diagrams and firewalls

3. Information from the external storage devices, CD, DVD, flash drive, pen drive, portable hard disc, remote computers and memory card 

Scope of Digital Forensic Investigation

For the Windows based servers and workstations present in the Global Finance regional branch, acquisition approach goes in two steps.

The primary volatile memory here is the RAM, from which exact sector level duplicate, which is also called as forensic duplicate has to be created. The memory accessed from the manager’s computer and other computers should not be modified for the reasons of reporting, so write blocking device is used to preserve the original. Newer technologies and tools enable the team to use live acquisitions so that the logical copy of the digital volatile data evidence can be obtained. The logical copy and the original content are compared or hashed with the use of SHA-1 or MD5 algorithms, so that the values are compared for the accuracy of the copy.

Manager’s computer must be accessed through the LAN.

Use the following command

cryptcat 6543 –k key

then acquire target computer data with the command,

cryptcat -1 –p 6543 –k key >>

Additionally, graphic user interface tools, Rootkit Revealer, Process Explorer and Tcpview are used to retrieve system data, time, running processes, logged user, open ports and network connections.

Other tools that are Windows based for volatile data capture are,

HBGra’s F-Response, ipconfig, doskey, netfile, netusers and qusers, HBGray’s FastDump, so that all the network traffic towards the manager’s computer can be identified.

Then clipboard content is collected.

Non- volatile memory or permanent memory is also acquired for digital forensic evidence. The data present in the hard drive of the manager’s workstation, other workstations and server are collected through imaging or hard drive duplicator tools, like Guymager, FTK imager, DCFLdd, EnCase, IXimager, etc.

Offline data is collected through forensic imaging and online data is collected Wireshark and ethereal tools to collect information like antivirus logs, firewall logs, domain controller logs related to the manager’s computer. 

After all the potential data is identified and collected, examination is conducted on the Windows registry, file system, network forensic examination and database forensic examination.

The following commands are used for file system examination here in the manager’s computer

C:echo text_mess > file1.txt:file2.txt

And retrieve the file with c:more <file1.txt:file2.txt

For Windows registry examination, the hives of the structure are to be examined,

• HKEY_CLASSES_ROOT
• HKEY_CURRENT_USER
• HKEY_LOCAL_MACHINE
• HKEY_USERS
• HKEY_CURRENT_CONFIG

Network forensic is done through the tools and techniques to access the potential information from the manager’s computer.

• Service listings
• Process listings
• System information
• Registered and Logged on users
• Registry information
• Binary dump of memory
• Network connections

Network forensic tools that are used here are, TCPDumpWindump, NetStumbler, Wireshark, Argus, Sleuth Kit.

The audit team can use many of the methodologies and tools to recover the evidence material and analyze.

The team does analysis of the workstations and servers as the following.

1. Keyword searches in the existing files, like MS-Word, Spreadsheet, Outlook files and also with the slack space and unallocated space.

2. Recovery of the deleted files, if any

3. Extracting the registry information for the manager’s workstation and other workstations along with the server. The registry information also has to be collected from the USB devices and user accounts.

For the recovery from the workstations and server, specialist tools  FTK, EnCase and ILOOKIX are used. Auditors team can use these tools to recover the chat logs, internet documents, internet history, emails, images, cache files of OS, accessible as well as deleted space from the manager’s computer. Hash signature forensic tool is used to find notable files from the manager’s computer. When SSD drives are used, the data can be accessed even after secure erase operations.

After the analysis is completed, actions and events are reconstructed to reveal, how the compromise is initiated and who has done this, either within the regional office or from the other child organizations of the company. So, after the analysis and audit, the audit team comes up with the answers for the following objectives.

• Accountability of the administrators and users in the regional office
• Opportunities to reconstruct the events
• Detection of the attempts violation of the security of information
• Providing information of identification and analysis of the problems

After a detailed acquisition and analysis of the digital forensic evidences are done, finally the report is generated by the audit team, in the form of a written report. The report contains the following lay man terms and language.

Final Report

Purpose of the Report	The report contains the purpose of digital forensic investigation of the Global Finance Company to find the source and reason of the compromise happened to the manager’s computer, present in its regional office.
Author of the Report	The audit team
Incident Summary	The sources and reasons of the compromise of the manager’s computer are from the a, b, c reasons.
Evidences	All the files, log data, registry data and malware investigation data as digital evidences
Analysis	All the potential digital evidences, like Word, Spreadsheet, Outlook and emails are analyzed
Conclusion	All the servers and workstations including the manager’s workstations in the regional office are thoroughly investigated for the digital evidences and its sources are found
Documents to Support	Documents  to support are, Volatile data, non- volatile data, log info, tool generating info and registry info and so on.

Conclusion

The compromise caused in the regional branch of the Global Finance is investigated through the Digital Forensic Investigation and the report is being submitted.

References

1. “Cyber Forensic Investigation Plan”, International Journal of Advance Research (2008), UOAR.org, Volume 1, Issue 1, accessed on 9 January, 2015,.

2. Siti Rahayu Selamat, Robiah Yusof, Shahrin Sahib (2008), “Mapping Process of Digital Forensic Investigation Framework”, JCSNS International Journal of Computer Science and Network Securit, Vol 8.

3. Kenneth J. Zahn (2013), “Case Study: 2012 DC3 Digital Forensic Challenge Basic Malware Analysis Exercise”, GIAC (FREM) Gold Certification

4. John Ashcroft (2001), “Electronic Crime Scene Investigation, A guide for First Responders”, NIJ Guide

5. M Reith, C Carr, G Gunsch (2002). "An examination of digital forensic models". International Journal of Digital Evidence

6. Richard Brian Adams (2012), “The Advanced Data Acquisition Model (ADAM): A Process Model for Digital Forensic Practice”

7. Agarwal, A., Gupta, M., Gupta, S., & Gupta, S. C. (2011). “Systematic Digital Forensic Investigation Model”, International Journal of Computer Science and Security, 5(1), 118-130.

8. Armstrong, C. (2003), “Mastering Computer Forensics. In C. Irvine & H. Armstrong”, Security Education and Critical Infrastructures Kluwer Academic Publishers.

9. Aquilina, M.J., (2003), “Malware Forensics, Investigating and Analyzing Malicious Code”, Syngress,

10 Carvey, H., (2005), “Windows Forensics and Incident Recovery”, Boston: Pearson Education Inc.