Digital Forensics Methodologies
Describe the Digital Forensic Investigation for the Information Security Department.
ABC University is a top university in the United States with more than 25,000 students, ten campuses in five different states, more than five hundred staff members, and over two hundred university qualifications on offer. The University promotes flexible study and permits its staff and students to bring their own devices (BYOD) onto campus and to connect them to the University networks. This connection, however, has caused problems for the University's Information Security department. It has received complaints from students across the campuses: some students report receiving a spam email inviting them to pay for assignments completed by 'quality' writers. A second issue arose when a staff member viewed unsuitable images and videos at the workplace, both on a Mac desktop and on the teacher's own PC. The Information Security department takes both incidents very seriously. The University's IT department has a team of information technology experts, but it believes these experts are not capable of performing a full-scale digital forensic investigation. The University is anxious to guarantee that sensitive student information is not compromised and wants to follow a proper process to investigate these issues. To address them, a Digital Forensic Examination (Investigation) Plan is conducted across the University's premises. This study investigates the data security concerns in full, applies a proper digital forensic approach to the University's issues, discusses the different assets required for the examination, identifies the data or evidence handled in the procedure, and closes with recommendations the University should follow.
A Digital Forensic Investigation method is needed to properly assess the scale of what happened at the University and to defend against it. The significant data relating to both issues is investigated through the Digital Forensic Investigation (DFI) methodology, which is an eight-step methodology. DFI helps the examination stay on the right track and provides a suitable presentation of the evidence for resolving the issues the University faces. It is also the proper practice for responsible learning of forensic values, processes, techniques and tools.
Digital Forensic Investigation (DFI) steps are:
Verification: DFI begins as the response to the incident scenario. In this first step the issues that occurred at the University are properly verified: their scope and extent are established, and the nature of the issues, the circumstances in which they occurred and their limits are determined. This first step is vital because it determines how the issue is contained. It is the best way to recognise, identify, collect and preserve the evidence (Baek and Lee, 2013). The University's IT management feels that the technology in use at the University is not effective, because the infrastructure for the system applications has not been redesigned. Access to the data is unrestricted, which makes it possible for anybody to gather it. It is therefore essential to verify the incidents through a forensic assessment (Ayers, 2009).
Digital Forensic Investigation (DFI) steps
Description of the Framework: System description takes over once information about the particular incident has been assembled. The examination must begin by describing the system that is going to be analysed and taking notes. The role of the system within the University's infrastructure, and where the system was acquired, are also determined in this step. It analyses the operating system, the general disk layout of the system, the location of evidence and the amount of RAM. The system used by the Global Fund had unrestricted access, so data could easily be reached by the different departments. Besides this, the workstations and servers the organisation used were not properly maintained, which increased the risk of intrusion and thus the risk for users. It was therefore vital to identify the system configuration in use. In this procedure it was necessary to gather the basic information used to determine the role of the system (Casey, 2004).
Acquisition of Evidence: Identifying the possible sources of data, both volatile and non-volatile, ensuring the chain of custody and verifying the integrity of the collected data are all done in this step. If there is confusion about what should be collected, it is better to err on the side of caution and collect a larger volume of data. While performing this step it is also essential to give priority to evidence collection and to involve the business owners in determining the impact and execution of the chosen approach. Because volatile data changes over time, the order of collection is also essential (Casey, 2015). The volatile data that should be collected includes login sessions, open files, the contents of RAM and so on. Once this volatile data has been collected, the next step is to collect non-volatile data such as the hard drive. After collecting all of the data, its integrity is verified. This step also documents how the evidence was found, how it was handled, and everything that happened with the University's systems.
Examination of the Timeline: After the data has been collected, the evidence obtained is analysed and examined in the forensic laboratory. This is done through a timeline analysis. The step is very helpful because it includes information such as file modification and access times and presents them in a human-readable format (Chaurasia, 2015). The data is collected with different kinds of tools, extracted from the metadata layer of the file system, and then sorted so that it can be investigated. Timelines of the various memory artefacts are also very helpful for reconstructing the issues that arose.
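The timeline step above, as an added example that is not part of the original essay: it parses constructed records in the body-file format written by file system metadata tools (fls/ils style, eleven pipe-separated fields), expands each file into its modified/accessed/changed/born events, merges events that share a second, and sorts them into a human-readable MACB timeline. The records, paths and timestamps are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed body-file records in the 11-field format
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
# These rows are invented for the example; they are not real evidence.
BODY_FILE = """\
0|/Users/staff/Downloads/invoice.jpg|1001|r/rrw-r--r--|501|20|204800|1500001000|1500000000|1500000000|1499990000
0|/Users/staff/.bash_history|1002|r/rrw-------|501|20|512|1500002000|1500002000|1500002000|1499000000
"""

# Column index of each timestamp and the letter used for it (m, a, c, b).
TIME_FIELDS = (("m", 8), ("a", 7), ("c", 9), ("b", 10))


def parse_body(text):
    """Parse body-file lines into dicts; skips blank lines and rejects malformed ones."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
        records.append({"name": fields[1], "size": int(fields[6]),
                        "times": {flag: int(fields[idx]) for flag, idx in TIME_FIELDS}})
    return records


def build_timeline(records):
    """Expand each file into MACB events, merge same-second events, sort chronologically."""
    merged = defaultdict(set)   # (epoch, name, size) -> set of flags
    for rec in records:
        for flag, epoch in rec["times"].items():
            if epoch > 0:        # 0 means 'timestamp not present'
                merged[(epoch, rec["name"], rec["size"])].add(flag)
    timeline = []
    for (epoch, name, size), flags in sorted(merged.items()):
        macb = "".join(f if f in flags else "." for f in "macb")
        when = datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
        timeline.append({"time": when, "epoch": epoch, "flags": macb,
                         "size": size, "name": name})
    return timeline


def render(timeline):
    """One line per event: UTC time, MACB flags, size, path."""
    return "\n".join(f"{e['time']}  {e['flags']}  {e['size']:>8}  {e['name']}"
                     for e in timeline)


if __name__ == "__main__":
    print(render(build_timeline(parse_body(BODY_FILE))))
```

In the constructed data the download's creation, modification and later access appear as separate events, which is exactly the ordering an examiner reads off a timeline.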
Digital Forensic Plan to accomplish digital forensic methodology
Media Analysis and Artifact: In this step the amount of data can be overwhelming. Executed programs, downloaded documents, opened files and opened directories are all observed with the help of media analysis. Memory analysis is another essential examination step, covering analysis of system connections, rogue processes, code verification, user handles and many other tasks. One should be prepared for anti-forensic methods such as steganography and data alteration, which adversely affect the examination, analysis and conclusion (Cohen, 2008).
String Search and Byte Signatures: This step uses tools that support low-level searching of images. If fundamental issues are identified during the activity, this step is used to locate them. It uses tools and techniques that scan for byte signatures, known as magic numbers (magic cookies). Byte and string signature searching is applied to the University's issues.
Recovery of the Data: In this step, data is recovered from the file system where possible. The tools used in this step are very valuable for analysing the metadata layer, the file system layer and the data layer. Analysing unallocated space is also part of the data recovery step, in order to find the documents of interest (Dudley-Gough, 2006).
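The byte-signature search and the recovery of files from unallocated space described in the two steps above, as one added example that is not from the original essay: it identifies file types by their magic numbers, carves header-to-footer files out of a raw buffer, and extracts printable strings for keyword searching. The buffer, the minimal JPEG- and PNG-like files and the text fragment are constructed for the example and are not real evidence.

```python
import hashlib
import re

# File signatures (magic numbers): header bytes and the footer that ends the file.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 50 * 1024 * 1024  # give up on a header whose footer is not found within 50 MiB


def identify(data):
    """Return the file type whose magic number starts the buffer, or None."""
    for name, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return name
    return None


def carve(blob):
    """Scan raw (e.g. unallocated) space for header/footer pairs and cut the files out."""
    found = []
    for name, (header, footer) in SIGNATURES.items():
        start = blob.find(header)
        while start != -1:
            end = blob.find(footer, start + len(header), start + MAX_CARVE)
            if end == -1:          # header without a footer: nothing recoverable here
                break
            end += len(footer)
            chunk = blob[start:end]
            found.append({"type": name, "offset": start, "length": len(chunk),
                          "sha256": hashlib.sha256(chunk).hexdigest(), "data": chunk})
            start = blob.find(header, end)
    return sorted(found, key=lambda f: f["offset"])


def find_strings(blob, min_len=8):
    """Printable ASCII runs, like the `strings` tool, for keyword searching."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


# Constructed 'unallocated space': filler, a minimal JPEG-like file, a text fragment,
# then a minimal PNG-like file. None of it is real evidence.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 20 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x01" * 13 + b"IEND\xae\x42\x60\x82"
SPAM_TEXT = b"Pay now for your assignment by quality writers\x00"
UNALLOCATED = b"\x00" * 64 + FAKE_JPEG + b"\xcc" * 32 + SPAM_TEXT + FAKE_PNG + b"\x00" * 16

if __name__ == "__main__":
    for f in carve(UNALLOCATED):
        print(f"{f['type']:5} offset={f['offset']:5} len={f['length']:5} "
              f"sha256={f['sha256'][:16]}...")
    print(find_strings(UNALLOCATED))
```

Each carved file is hashed at recovery time so that it can be entered into the evidence log with the same integrity check used for acquired images.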
Reporting of the Results: The final step combines the results of the investigation, including a description of the actions performed, identification of other actions still to be performed, and recommendations for improving the policies, methods, guidelines, tools and other parts of the forensic investigation procedure for the issues faced by the University (Vaughan, 2004).
A professional digital forensic plan can be put in place to overcome the issues faced by the University. By applying the digital forensic plan in a suitable manner, the concerns mentioned above can be overcome. Different kinds of incidents can be handled more easily and effectively when digital forensic processes are incorporated into the life cycle of an information system. The issues the University faces can be examined and resolved appropriately by following the steps of digital forensic planning: collection of data, examination of data, analysis of data, and reporting the outcomes of the examination.
While collecting the data related to both of the University's issues, the data is first identified, labelled, recorded and then gathered, while ensuring that its integrity remains unchanged (Erickson, 2014).
Resources needed to conduct Digital Forensic Investigation
In the next step, examination, forensic techniques and tools relevant to the kinds of data collected are applied to identify and extract the relevant data and to set aside what is not relevant. The integrity of the collected data must be preserved throughout. This procedure involves a mixture of procedures and tools.
The third step, analysis, involves analysing the results of the examination to derive useful information that answers the questions which prompted the collection and examination of the data.
Finally, reporting is done. It presents the outcomes of the analysis step and can also include a description of the actions performed, a determination of the other actions that still need to be carried out, and recommendations for improving policies, processes, tools and other aspects (Hitchcock, Le-Khac and Scanlon, 2016).
Tools needed for conducting a Digital Forensic Investigation at the University: The tools required for the digital forensic investigation into the issues faced by the University include a tool added to the Linux kernel in version 2.4 that handles drives with an odd number of sectors, including an end sector of 512 bytes.
Graphical User Interface (GUI) tools are:
- Rootkit Revealer
- Tcpview
- Process Explorer
Windows tools to gather data from the targeted computers within the University are:
- HBGary's fastDump
- Netfile
- HBGary's F-Response
- Netusers and Qusers
- Ipconfig - to gather details of the subject system
- Doskey - to gather command history
The University's policies must incorporate forensic thinking: The policies should apply to any individual who is commissioned to monitor or control the systems and the network and to execute the investigation procedure for the issues faced by the University under favourable conditions (Kipper, 2007). The University also needs an additional forensic policy for the individuals handling incident forensic investigation. The policy must clearly describe the role and responsibility of every individual who participates in the digital forensic investigation of the issue. The University's policy should clearly explain which activities should be executed under different situations, and should address the use of anti-forensic tools and techniques (Thompson, 2005).
The incident handling team must have a robust digital forensic capability: The team that handles the incident must have a number of members who are capable of executing every type of digital forensic activity. IT training and hands-on activities, including training courses in forensic investigation, are very useful for developing and maintaining this capability so that the team can keep up with new technologies and tools.
Computer Forensics and an Effective Network: Computer forensics and an effective network are needed to execute several kinds of tasks within the University: troubleshooting operational problems, investigating crimes and improper behaviour, supporting due diligence in maintaining audit records, recovering from accidental damage, and so on. Without this capability the University will have difficulty determining what harmful incidents have occurred in its network and systems (Lee, 2012).
The use of both personal and digital technologies for professional purposes fills the environment with data sources. The most obvious and common data sources are servers, desktop computers, network storage devices and laptops. Examples of external storage forms include memory chips, thumb drives, flash cards, optical disks and magnetic disks. A standard PC system also holds volatile data that is only temporarily available. Many kinds of computer-related devices, such as audio players, digital cameras and digital recorders, are also relevant to the Digital Forensic Investigation (DFI) procedure. Data is stored in different places; for instance, there are several sources within the University that record network activity and application usage. Data can also be stored by the University for some activities, for example Internet Service Provider activities (Mellars, 2004). The examiner should consider the owner of every data source. Another technique by which data can be gathered is observing the behaviour of the user; an example of this kind of data gathering is keystroke monitoring, which keeps a record of keyboard usage on a specific system. The authorisation for performing such monitoring must be examined with legal counsel and then recorded very distinctly in the University policy.
Once the potential data sources are known, the expert needs to acquire the data from the different sources. The forensic acquisition process should be executed in three simple steps: first, make a brief plan to acquire the data; second, acquire the data; third, verify the integrity of the acquired data. Acquiring and confirming the integrity of operating system data, application data, data files and network traffic data are explained in the most detail (Moore, 2005). The initial step is to build a plan, since there are different kinds of data sources in the University. The investigation plan must be developed to give priority to the sources and to the order in which the data is obtained. If the security equipment has not already captured the data, it must be acquired with the help of forensic tools; this data can be non-volatile as well as volatile (The Rising Cost of Digital Evidence and its Hidden Fees, 2015). Data acquisition can be done over the network or locally. If data is acquired over the network, decisions must be made according to the type of data stored and the effort needed to use it; for instance, it is mandatory to collect records from several kinds of systems across several kinds of network connections. Finally, the collected data must be verified to establish its integrity (Nikkel, 2006).
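The plan/acquire/verify procedure in this paragraph and the order-of-volatility and chain-of-custody points in the Acquisition of Evidence step above, as one added example that is not from the original essay: it orders requested sources so volatile ones are captured first, hashes each acquired image at acquisition time, records every handoff with a fresh hash, and reports whether the evidence still verifies. The volatility ranking, the examiner names and the tiny "images" are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Order of volatility (constructed ranking for this example): collect the most
# transient sources first and the hard drive last, as the acquisition step describes.
VOLATILITY_ORDER = ["ram", "login_sessions", "open_files", "network_state", "hard_drive"]


def plan_acquisition_order(sources):
    """Sort the requested sources so volatile data is collected before non-volatile."""
    unknown = [s for s in sources if s not in VOLATILITY_ORDER]
    if unknown:
        raise ValueError(f"no volatility rank for: {unknown}")
    return sorted(sources, key=VOLATILITY_ORDER.index)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    """One acquired image plus its chain-of-custody log."""

    def __init__(self, item_id, source, data, examiner, when=None):
        self.item_id = item_id
        self.source = source
        self.data = data
        self.sha256 = sha256_hex(data)   # reference hash taken at acquisition time
        self.custody = []                # list of (timestamp, action, who, hash)
        self._log("acquired", examiner, when)

    def _log(self, action, who, when=None):
        ts = (when or datetime.now(timezone.utc)).isoformat()
        # Every log entry re-hashes the data, so a change between handlers is visible.
        self.custody.append((ts, action, who, sha256_hex(self.data)))

    def transfer(self, from_person, to_person, when=None):
        """Record a handoff from one custodian to the next."""
        self._log(f"released by {from_person}", from_person, when)
        self._log(f"received by {to_person}", to_person, when)

    def verify(self) -> bool:
        """True only if the current data still matches the acquisition-time hash."""
        return sha256_hex(self.data) == self.sha256


def custody_report(item):
    """Human-readable chain-of-custody lines for the reporting step."""
    lines = [f"Item {item.item_id} ({item.source}) sha256={item.sha256}"]
    for ts, action, who, digest in item.custody:
        flag = "" if digest == item.sha256 else "  <-- HASH MISMATCH"
        lines.append(f"  {ts}  {action:<24} {who:<12} {digest[:16]}...{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a tiny 'memory capture' standing in for a real image.
    print(plan_acquisition_order(["hard_drive", "ram", "open_files"]))
    ram = EvidenceItem("E-001", "ram", b"constructed memory capture", "examiner_a")
    ram.transfer("examiner_a", "lab_analyst")
    print(custody_report(ram))
    print("integrity ok:", ram.verify())
```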
Install Secure Software: Sophos is available as a download for Windows, Linux and Mac systems from the Information Software software grid. Once installed, it should be set up to scan the University's important files and to update its virus definitions regularly.
Select strong passwords: Select strong passwords that combine letters, numbers and special characters, using a mental image or an acronym that is easy for students and staff to remember. Create a unique password for every important email account and change it regularly.
Patch: The University sets up its computer systems to apply updates such as operating system updates and automatic software updates. Unpatched systems are likely to contain software vulnerabilities that can be exploited, and patching protects the system against exploitation (O'Connor, 2004).
Manage access to the System: Do not leave a system logged on and unattended in an unprotected area, especially in public places such as the Athena clusters and Quickstations. The physical security of a system is as vital as its technical security.
Backup: Backing up the University's machines on a regular basis protects against unexpected incidents. Keep several months of backups and ensure that documents can be retrieved easily when required. Download and install CrashPlan and learn how to back up the system (Satpathy, Pradhan and Ray, 2012).
Use Email and the Internet securely: Ignore unsolicited emails, and be careful with attachments, links and other forms of email sent by unknown people or that appear to be spam. Avoid unprotected downloads of freeware from shareware websites.
Protect Sensitive data: Reduce the risk of identity theft. Securely erase sensitive documents from the hard drive; this is additionally recommended when repurposing or recycling a computer. Use the encryption features built into the operating system to protect sensitive files that must be retained.
Use safe connections: When connected to the web, data in transit is vulnerable. Use a remote network and secure file exchange systems when off campus (Schmitknecht, 2004).
The University must establish rules and procedures to carry out the forensic investigation: The rules for executing the forensic investigation must include an explanation of the different methodologies used in the process, and an explanation of the plan for performing the tasks within a given time period and in a proper sequence. Whenever logs or other data are modified, the University should be ready to rely on its procedures, policies and guidelines to demonstrate the reliability and integrity of the records. The guidance and procedures should be reviewed and maintained regularly to make sure that they remain accurate.
The University must involve several teams in the digital forensic investigation: Every person who executes the digital forensic methodology should be able to reach the other team members across the University as needed. The groups that can help in this case include IT professionals, physical security staff, management, legal advisors and HR staff.
The University must figure out which party will deal with every segment of forensic investigation:
Many universities depend on a mixture of external parties that carry out the forensic investigation together with the University's own staff. The University must decide which task is to be handled by which party according to their skills, cost, data sensitivity, capability and response time.
Conclusion
This study concludes that Digital Forensic Investigation (DFI) provides the best forensic investigation of electronic media: systems, servers, floppy diskettes, laptops, hard drives, thumb drives, PDAs, flash drives, cell phones, CD-ROMs and so on. Every field of work, such as universities, schools, business enterprises and healthcare, needs DFI to secure its computer systems from fraud, and needs digital forensic expertise. It has been concluded that digital forensic examination is a very special part of digital investigation, where the techniques and rules used allow the outcomes to be entered in a court of law. Document examiners and e-crime forensic professionals often work together on difficult cases to look at and analyse questioned documents, such as files on mobile or fixed data storage and CCTV footage. Experts can also track every movement of a suspicious person, witnesses and victims with the help of cellular networks. This study concludes that if the Digital Forensic Investigation (DFI) plan is carried out successfully, the email spam issue ABC University faced is easily recognised. It has also been concluded that after introducing an effective computer forensic plan, the University is able to help its students be free from email spam fraud.
References
Ayers, D. (2009). A second generation computer forensic analysis system. Digital Investigation, 6, pp.S34-S42.
Baek, M. and Lee, S. (2013). A New Investigation Methodology of Marine Casualties and Incidents using Digital Forensic Techniques. Journal of the Korea Institute of Information Security and Cryptology, 23(3), pp.515-530.
Casey, E. (2004). Digital evidence and computer crime. London: Academic Press.
Casey, E. (2015). Strengthening forensic science. Digital Investigation, 12, pp.A1-A2.
Chaurasia, G. (2015). Issues in Acquiring Digital Evidence from Cloud. Journal of Forensic Research, s3.
Cohen, M. (2008). PyFlag – An advanced network forensic framework. Digital Investigation, 5, pp.S112-S120.
Dudley-Gough, N. (2006). Digital Forensic Certification Board. Digital Investigation, 3(1), pp.7-8.
Erickson, E. (2014). Criminalistics laboratory manual. Waltham, MA: Anderson Publishing, Elsevier.
Hitchcock, B., Le-Khac, N. and Scanlon, M. (2016). Tiered forensic methodology model for Digital Field Triage by non-digital evidence specialists. Digital Investigation, 16, pp.S75-S85.
Kipper, G. (2007). Wireless crime and forensic investigation. Boca Raton, FL: Auerbach Publications.
Lee, S., Lee, K., Park, J. and Lee, S. (2012). An on-site digital investigation methodology for data leak case. Security and Communication Networks, 7(12), pp.2616-2626.
Mellars, B. (2004). Forensic examination of mobile phones. Digital Investigation, 1(4), pp.266-272.
Moore, R. (2005). Search and seizure of digital evidence. New York: LFB Scholarly Pub.
Nikkel, B. (2006). A portable network forensic evidence collector. Digital Investigation, 3(3), pp.127-135.
O'Connor, O. (2004). Deploying forensic tools via PXE. Digital Investigation, 1(3), pp.173-176.
Satpathy, S., Pradhan, S. and Ray, B. (2012). Application of data fusion methodology for computer forensics dataset analysis to resolve data quality issues in predictive digital evidence. The International Journal of Forensic Computer Science, pp.16-23.
Schmitknecht, D. (2004). Building FBI computer forensics capacity: one lab at a time. Digital Investigation, 1(3), pp.177-182.
The Rising Cost of Digital Evidence and its Hidden Fees. (2015). Journal of Forensic Research, 06(04).
Thompson, E. (2005). MD5 collisions and the impact on computer forensics. Digital Investigation, 2(1), pp.36-40.
Vaughan, C. (2004). Xbox security issues and forensic recovery methodology (utilising Linux). Digital Investigation, 1(3), pp.165-172.
My Assignment Help. (2018). Digital Forensic Investigation For Information Security Department Essay.. Retrieved from https://myassignmenthelp.com/free-samples/digital-forensic-investigation-information-security-department.