As part of the auditing team, in the capacity of a digital forensics expert, your task is to prepare a digital forensics investigative plan that enables the systematic collection of evidence and the subsequent forensic analysis of the electronic and digital data. Assuming all systems are Windows based, this plan should detail the following:
1. Justify why the use of the digital forensic methodology and approach is warranted, including procedures for corporate investigation.
Cyber crime is spreading at the same pace as the advancement of information technology. Securing existing data has become as important as developing new software technologies in the industry. This case study conducts a digital forensic investigation of an existing company, Global Finance, which has spread its services throughout the world and connected them through information technology. However, security standards are neither set nor followed, though enough technology and expertise are available. Digital forensic investigation is applied to investigate a compromise suspected in one of the company's branch offices.
Computer and information technology have become an integral part of human life and business life in the present world. Technology and its usage are growing proportionally; unfortunately, cyber crime is growing at the same pace. Computer crimes and cyber crimes such as unauthorized access, intrusion, financial fraud, intellectual property theft and identity theft have become part of the cyber world. Digital forensics plays a vital role in counteracting these computer and cyber related crimes. “Computer Forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal or administrative cases” (Nelson, B., et al., 2008). The present case study involves the digital forensic investigation at the Global Finance branch office in Queensland, Australia, regarding a compromise suspected on a manager’s computer in that branch. The information security officer at the head office has directed the audit team to conduct the investigation and submit a report with all the digital forensic evidence.
Global Finance is an investment company with 10,000 employees working in its branch offices all over the world. The company has a wide range of interests, including investment, superannuation and retirement, and a wide range of clients, from individuals to large corporate and superannuation fund investors. The company has investment management expertise in property, global shares, credit, private equity and infrastructure. The company's global business has been facilitated, and its vision advanced, using information technology. Though investments were made in the year 2000, the focus on updating the network and application infrastructure to support all the operations has since been lost. The network environment among all the child organizations is flat and unrestricted, so users from one child organization can access the servers of another child organization without any authorization. All the servers and workstations are Microsoft Windows based systems. Network segmentation and firewalls are poorly implemented. Logging and intrusion detection exist, but are hardly implemented or used.
The concern was raised by the manager of the Brisbane branch, who contacted the information security office at the head office. The manager's concern is that his computer is suspected of having been compromised by someone.
Since the information security office is accountable for any compromise or breach of information in the head office and the child organizations, the suspicion is taken seriously. A team of auditors is formed to investigate it.
The audit team has been assigned the tasks of reviewing paper based company documents and undertaking digital forensic analysis of the computers at the regional office. So, digital evidence is to be collected from the relevant desktop PCs and email accounts. The files to be collected and examined are MS Word documents, spreadsheets, Outlook data and deleted files.
The information security office prefers the digital forensic methodology for the investigation, as it includes all its sub branches: computer forensics, mobile device forensics and network forensics. In the Global Finance regional branch, computer forensics and network forensics, along with data recovery, must be carried out to complete the investigation.
The scope of the digital forensic investigation conducted in the regional office is as follows:
“Computer Forensics is a new field and there is less standardization and consistency across the courts and industry” (US-CERT, 2012).
For the Global Finance company, the digital forensic approach to be followed is a three-stage process.
The audit team must have the necessary methodologies, both static and dynamic. The tools useful for the digital forensic investigation at Global Finance are EnCase and ProDiscover, used to examine the network systems in the regional office.
Since the investigation at the Global Finance company is a private digital forensic investigation, the audit team must abide by the following four principles.
Principle 1: Data collected from all the sources on the targeted computers must not be changed or altered, as the original has to be preserved for the submission of the report.
Principle 2: The audit team must be competent enough to handle the original data collected safely, and every course of action must be supported by an explanation backed by the evidence.
Principle 3: An audit trail, as well as all other documentation produced during the process, must be created and well preserved. The same results are expected if the same process is executed by others.
Principle 4: The entire team is responsible and accountable for the digital forensic investigation conducted at the Global Finance company.
The audit team must acquire all the necessary, deeper expertise in how the operating system, the kernel and the network work at the core level.
Identification of the digital evidence on the manager’s computer, which is the targeted computer, is done by collecting the following evidence.
For the Windows based servers and workstations present in the Global Finance regional branch, the acquisition approach proceeds in two steps.
The primary volatile memory here is the RAM, of which an exact sector level duplicate, also called a forensic duplicate, has to be created. The memory acquired from the manager’s computer and the other computers must not be modified, for reporting reasons, so a write blocking device is used to preserve the original. Newer technologies and tools enable the team to use live acquisition, so that a logical copy of the volatile digital evidence can be obtained. The logical copy and the original content are both hashed with the SHA-1 or MD5 algorithm and the values compared to confirm the accuracy of the copy.
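As an added illustration, not part of the original plan, the hash comparison described above scripted in Python: the original and the copy are hashed in a single pass with both MD5 and SHA-1, and the result is recorded as an audit-trail entry (Principle 3). The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a multi-GB image is never loaded whole


def hash_file(path):
    """Return (md5, sha1) hex digests of a file, computed in one read pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_copy(original, copy):
    """Hash both artefacts and return an audit-trail record stating whether they match."""
    o_md5, o_sha1 = hash_file(original)
    c_md5, c_sha1 = hash_file(copy)
    return {
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "original": {"path": original, "md5": o_md5, "sha1": o_sha1},
        "copy": {"path": copy, "md5": c_md5, "sha1": c_sha1},
        # both algorithms must agree; a single mismatch fails verification
        "match": o_md5 == c_md5 and o_sha1 == c_sha1,
    }


def demo():
    """Constructed sample: a fake memory image, a faithful copy and a copy with one byte changed."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "ram.dd")
    good = os.path.join(workdir, "ram_copy.dd")
    bad = os.path.join(workdir, "ram_tampered.dd")
    data = os.urandom(3 * CHUNK + 17)  # constructed: more than three chunks plus an odd tail
    tampered = data[:-1] + bytes([data[-1] ^ 0xFF])  # flip the last byte
    for path, payload in ((original, data), (good, data), (bad, tampered)):
        with open(path, "wb") as fh:
            fh.write(payload)
    return verify_copy(original, good)["match"], verify_copy(original, bad)["match"]


if __name__ == "__main__":
    print(demo())  # (True, False)
```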
The manager’s computer must be accessed through the LAN. The transfer is done with cryptcat, which encrypts the data in transit using the shared key given by -k. First, on the forensic workstation, start the listener that receives the acquired data (<output_file> is a placeholder for the evidence file):
cryptcat -l -p 6543 -k key > <output_file>
Then, on the target computer, acquire the data and pipe it to the forensic workstation (<forensic_host> is a placeholder for the workstation's address, and <acquisition_tool> stands for the memory acquisition command whose output is sent):
<acquisition_tool> | cryptcat <forensic_host> 6543 -k key
Additionally, graphical user interface tools such as RootkitRevealer, Process Explorer and TCPView are used to retrieve the system date and time, running processes, logged-in users, open ports and network connections.
Other Windows based tools for volatile data capture are HBGary’s F-Response, ipconfig, doskey, netfile, netusers and qusers, and HBGary’s FastDump, so that all the network traffic towards the manager’s computer can be identified.
Then the clipboard content is collected.
Non-volatile or permanent memory is also acquired for digital forensic evidence. The data present on the hard drives of the manager’s workstation, the other workstations and the server are collected with imaging or hard drive duplicator tools such as Guymager, FTK Imager, DCFLdd, EnCase, IXimager, etc.
Offline data is collected through forensic imaging, and online data is collected with the Wireshark and Ethereal tools, to gather information such as antivirus logs, firewall logs and domain controller logs related to the manager’s computer.
After all the potential data has been identified and collected, examination is conducted of the Windows registry, the file system, the network (network forensic examination) and the database (database forensic examination).
The following commands are used for file system examination on the manager’s computer. They write text into an alternate data stream (file2.txt) attached to file1.txt and then read it back; such streams do not appear in a plain directory listing, so the examination has to look for them explicitly:
C:\> echo text_mess > file1.txt:file2.txt
And retrieve the hidden content with:
C:\> more < file1.txt:file2.txt
For Windows registry examination, the hives of the registry structure are to be examined:
Network forensics is done with tools and techniques that access the potential information from the manager’s computer. The network forensic tools used here are TCPDump/WinDump, NetStumbler, Wireshark, Argus and The Sleuth Kit.
The audit team can use many methodologies and tools to recover and analyze the evidence material. The team analyzes the workstations and servers as follows.
For recovery from the workstations and the server, the specialist tools FTK, EnCase and ILookIX are used. The audit team can use these tools to recover chat logs, internet documents, internet history, emails, images, OS cache files, and both accessible and deleted space from the manager’s computer. A hash signature forensic tool is used to find notable files on the manager’s computer. When SSD drives are used, the data can be accessed even after secure erase operations.
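An added example, not from the original plan or from any of the tools named above, of what a hash signature tool does when it looks for notable files: every file under an evidence tree (for instance a mounted image) is hashed and matched against a known hash set, so a renamed or re-extensioned copy is still found. The hash set and the evidence tree are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed "notable" hash set in the style of an NSRL/HashKeeper list: SHA-1 -> label.
# A real investigation loads this from the tool's hash database rather than hard-coding it.
NOTABLE = {
    hashlib.sha1(b"constructed sample of a known tool binary").hexdigest(): "known-bad: sample tool",
    hashlib.sha1(b"constructed sample of a leaked client spreadsheet").hexdigest(): "notable: client data",
}


def sha1_of(path, chunk=1 << 20):
    """SHA-1 of a file, read in 1 MiB chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_notable(root, hashset=NOTABLE):
    """Walk the evidence tree and return sorted (relative_path, sha1, label) tuples for every hit.
    Matching is by content hash only, so file names and extensions play no role."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digest = sha1_of(full)
            if digest in hashset:
                hits.append((os.path.relpath(full, root), digest, hashset[digest]))
    return sorted(hits)


def demo():
    """Constructed evidence tree: a renamed known-bad file, a notable spreadsheet and a benign memo."""
    root = tempfile.mkdtemp()
    files = {
        "Users/manager/Documents/budget.xlsx": b"constructed sample of a leaked client spreadsheet",
        "Users/manager/AppData/notes.txt": b"constructed sample of a known tool binary",  # renamed
        "Users/manager/Documents/memo.docx": b"benign constructed content",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return [(rel_path, label) for rel_path, _, label in find_notable(root)]


if __name__ == "__main__":
    for rel_path, label in demo():
        print(f"{label}: {rel_path}")
```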
After the analysis is completed, actions and events are reconstructed to reveal how the compromise was initiated and who carried it out, whether from within the regional office or from another child organization of the company. So, after the analysis and audit, the audit team comes up with answers for the following objectives.
After the detailed acquisition and analysis of the digital forensic evidence is done, the audit team finally generates the report, in the form of a written report. The report, in layman’s terms and language, contains the following.
Purpose of the Report
The report states the purpose of the digital forensic investigation of the Global Finance company: to find the source and the reason of the compromise that happened to the manager’s computer in its regional office.
Author of the Report
The audit team
The sources and reasons of the compromise of the manager’s computer are reasons a, b and c.
All the files, log data, registry data and malware investigation data are presented as digital evidence.
All the potential digital evidence, such as Word, spreadsheet, Outlook and email data, is analyzed.
All the servers and workstations, including the manager’s workstation in the regional office, are thoroughly investigated for digital evidence, and its sources are found.
Documents to Support
The supporting documents are the volatile data, non-volatile data, log information, tool generated information, registry information and so on.
The compromise that occurred in the regional branch of Global Finance has been investigated through the digital forensic investigation, and the report is hereby submitted.