Discuss the Digital Forensics for Needful Things Ltd.
Needful Things Ltd. is a company known for providing specialized industrial battery servicing. Mortimer Smith was the best worker of the enterprise (Peterson and Shenoi 2016). The CEO, Ricardo Sanchez, pleased with his performance, even shared trade secrets of the company with him; however, Smith resigned and started a company that will provide battery servicing.
The CEO started an investigation and now claims that Smith took away confidential data of the company. The CEO suspects that he probably stole all the clients' data and wants to start his own business. Thus a forensic examiner has been hired, and this report discusses the investigation procedures in detail.
A forensic examiner receives a phone call from the CEO detailing his story: the advice the forensic examiner will provide to the CEO
The forensic rule states that the crime scene must be 'frozen' after the crime has been committed. Therefore, the forensic examiner must freeze the location where Mortimer Smith used to sit. The drawers and lockers must be frozen as well. The forensic examiner must advise the CEO of Needful Things Ltd to calm down and relax (Nance and Bishop 2017). The forensic examiner must also reassure him by saying that, as the forensic examiner, it is his responsibility to take charge of everything. Ricardo Sanchez should not start the investigation himself, because any wrong step can be fatal; instead, he should cooperate with the forensic examiner. The CEO must declare a day off, because an investigation during regular office hours can be hectic and there is a chance that evidence can be stolen (Sang 2013). The seat of Mortimer Smith, the drawer, the locker and the phone will be thoroughly examined, and the forensic examiner must handle this himself. The evidence presented to the court must reflect the scene as it currently stands, which is why the crime scene must be frozen.
The forensic examiner is expected to attend an interview with the CEO, an HR representative and a member of the Needful Things IT Department
The forensic examiner must ask the CEO about the character and personality traits of Mortimer Smith. The forensic examiner must also ask, in brief, about the workings of the company and the business activities it carries out. The CEO said that he imparted knowledge and trade secrets to Smith (Van Baar, Van Beek and van Eijk 2014). The CEO must explain in detail the particular trade secrets he imparted; in this way the forensic examiner can learn the trading techniques in detail and be aware of exactly what Mortimer knows. Only after these details are known can the investigation be started.
HR must have the details of the resignations of Mortimer Smith and Avon Burman. The emails they sent, and the exact time and date when they sent them, can prove helpful for the investigation (Braun 2014). The forensic examiner should ask for the supporting documents, which is why the computer, the hard drive and the server called 'Titanic01' must be seized.
The IT Department staff has the call list. The call list shows the clients or any other persons whom Smith and Burman called, so the forensic examiner should ask for it. The desktop and hard drive they used must hold the necessary information, so the forensic examiner should ask for the hard drive and the desktop. Some Excel sheets and Word documents that are password protected must be opened and accessed, so the IT department staff must provide the password (Braun 2014). The forensic examiner must ask for the password; if the verification fails, the forensic examiner will have to apply a brute-force attack to open and access those password-protected files.
During the interview, the phone and desktop of Mr Smith are presented to the forensic examiner for examination, and he is expected to prepare the chain of custody and steer the CEO in the best possible direction to get the best outcome from the investigation
The forensic examiner must consider the digital evidence while conducting the investigation. The crime is somewhat related to copyright infringement: in this case Smith could copy the trade model and the infrastructure of Needful Things Ltd. and use them for his own benefit. Both Smith and Burman could steal the clients' data as well. Thus the CEO must cooperate in preparing the chain of custody. In a copyright infringement case the following evidence is taken into consideration: address books and contact lists, cloning software, scanners and printers, CD-DVD/RW, USB drives, and access to peer-to-peer networks (Årnes 2017). In this case the contact list can help to identify the persons or clients Smith called and communicated with. The last couple of months' data can do the job. Some CDs/DVDs have also been found, and the files on them can be helpful for continuing the investigation. One 16 GB Kingston USB memory card has been found, which contains Excel files. One of the Excel files found is a suspicious file named CLIENTS2017.xls. The original files residing on 'Titanic01' must be collected. The network printers can be equally beneficial; they act as print servers that store printing logs. Access to the distribution network is one form of digital evidence: the company's Internet Gateway Firewall gives all the information regarding outgoing and incoming internet activity. Smith's internet search history can be accessed in this way (Marturana and Tacconi 2013).
The CEO must verify all the files and compare them with the files stored on the server 'Titanic01'. The confidential files stored on the computer and the hard drive must be identified. If those files are password protected, he must provide the password to open and access them; if they are still not accessible, the forensic examiner must access them by the brute-force method. It is therefore absolutely necessary to recognize the files in order to prove Smith's guilt, and the CEO must help by every means.
A breakdown of what types of evidence the forensic examiner will deal with, details of the facts surrounding the investigation
The investigation is based on copyright infringement. The evidence for the copyright infringement consists of the VOIP phone's contact lists, the network scanners, the USB drive and the CDs. This evidence can assist in finding the vital information that can prove that Smith has committed a crime. The CEO mentioned earlier that he found a suspicious Excel file on the 16 GB Kingston drive, and the file CLIENTS2017.xls is password protected. The file needs to be accessed and its contents analysed (McClelland and Marturana 2014). The Internet Gateway Firewall provides all the information regarding outgoing and incoming internet activity. This can assist in tracing Smith's Internet search history. The call list of the VOIP phone can help to identify the clients with whom he chatted and the persons with whom he communicated. The resignations of both Smith and Burman will be recorded. The new battery servicing company founded by Smith and Burman will be checked and its workings tracked. Comparing the papers of the two companies can show whether or not they have copied documents from Needful Things Ltd (Tanimoto et al. 2015). The VOIP phone's call lists, the company's document papers, the Internet browser history, the password-protected files, and the hard drive containing confidential data of the clients can provide the evidence.
An account of what the forensic examiner would do to the evidence, with supporting documentation
The evidence has been collected, and the investigation must start from it. File carving must be conducted on the desktop; file carving will bring back deleted fragments of data. Data that Smith recently deleted can be retrieved by file carving methodologies (Sutardja, Ramadan and Zhao 2015). Email analysis can help to trace webmail on the hard disk, and can help to uncover deleted emails as well. The documents on the CDs and the USB drive can be analysed: the timestamps, MD5 hashes and metadata can be examined to reach a conclusion. Password cracking software can help to open the specific protected files on the CDs and the USB drive. Internet usage analysis can reveal Smith's Internet surfing data. Hard disk space analysis can also be beneficial in solving the case: there are fragments on the hard disk that remain unallocated, and analysis of those fragments can reveal deleted files, which can be useful for the investigation. The files stored on Smith's computer must be analysed and their types determined. The investigation should be carried out in this way, and the documentation must be based on it (Sharma and Dhavale 2016). The recovered files retrieved as a result of the investigation must be checked against the files stored on the server 'Titanic01'. Finally, those recovered files must be verified by the CEO; if they match, then Smith will be found guilty.
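The check described above, matching recovered files against the originals from 'Titanic01' by MD5 hash, as an added example that is not part of the original report. The directory names, file names other than CLIENTS2017.xls, and sample bytes are constructed, and SHA-256 is computed alongside MD5 as an addition.

```python
import hashlib
import tempfile
from pathlib import Path

def digests(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks to bound memory use."""
    md5 = hashlib.md5(usedforsecurity=False)  # MD5 as named in the report
    sha = hashlib.sha256()                    # added: collision-resistant digest
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def build_manifest(root):
    """Map each (md5, sha256) pair to the relative paths that carry that content."""
    manifest = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            manifest.setdefault(digests(p), []).append(str(p.relative_to(root)))
    return manifest

def match_recovered(reference_root, recovered_root):
    """Match recovered files to reference files by content, ignoring file names."""
    reference = build_manifest(reference_root)
    matches, unmatched = {}, []
    for p in sorted(Path(recovered_root).rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(recovered_root))
        hit = reference.get(digests(p))
        if hit:
            matches[rel] = hit
        else:
            unmatched.append(rel)
    return matches, unmatched

def demo():
    """Constructed sample: working copies of the server share and the USB drive."""
    with tempfile.TemporaryDirectory() as tmp:
        server, usb = Path(tmp, "titanic01_copy"), Path(tmp, "usb_copy")
        server.mkdir()
        usb.mkdir()
        (server / "client_master.xls").write_bytes(b"constructed client records")
        (server / "pricing.doc").write_bytes(b"constructed pricing sheet")
        (usb / "CLIENTS2017.xls").write_bytes(b"constructed client records")
        (usb / "notes.txt").write_bytes(b"constructed unrelated notes")
        return match_recovered(server, usb)

if __name__ == "__main__":
    print(demo())
```

Matching is byte-exact, so a copy that was re-saved or password protected after leaving the server lands in the unmatched list and needs content-level comparison once it has been opened.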
Making presumptions on the findings or answers to the interview questions
The CEO already stated that Smith knew many trade secrets of Needful Things Ltd., and Smith also mentioned that he wanted to start a company that will provide specialized industrial battery servicing facilities. The CEO of Needful Things Ltd. also searched the Internet and found a new company with similar workings, of which Smith is the Director (Rumsey 2016). Burman, another employee of Needful Things Ltd., resigned at the same time, and both Smith and Burman are the Directors of the new company. It is quite obvious, and can be assumed, that both Smith and Burman will use their expertise and the trade secrets to make their new company flourish. Again, the file named CLIENTS2017.xls is password protected, and from the name of the file it can be assumed that it contains the clients' data of Needful Things Ltd. for the year 2017 (Zhao, Sutardja and Ramadan 2015). Smith and Burman may provide services to those clients as representatives of their new company. Thus it can be presumed that Smith is guilty; on the other hand, Smith may be innocent, so the forensic examiner must analyse everything from the core and reach the correct decision.
Supporting additional documentation to the forensic examiner’s written submission that will be accepted
Needful Things Ltd should have CCTV cameras installed at its premises. The video footage can act as good evidence to detect the crime. The forensic examiner should collect the video footage of the last couple of months and observe Smith attentively. Some more clues or evidence may emerge that can help the forensic examiner (Zhao, Sutardja and Ramadan 2015). Any abnormal behavior found in the footage must be recorded and documented, as this can help in the investigation.
It can be concluded from the above discussion that digital forensics can assist in finding out the truth. The advice that a forensic manager should give to the CEO has been highlighted. The enquiry questions that must be put to HR, the CEO and the IT Department staff have been set out in the report. All the evidence that can assist in the investigation procedure has been detailed in the report as well. The presumptions about the case have been discussed. Documentation must be prepared to support the evidence and the case. The breakdown analysis of the evidence and the additional supporting documentation have been presented in the report, and these can support the investigation procedure.
Årnes, A. ed., 2017. Digital Forensics. John Wiley & Sons.
Braun, S., 2014. Forensic Evidence of Copyright Infringement by Digital Audio Sampling, IJCSDF Vol. 3, No. 3, 07-2014. Stefan Braun... Medien & Design.
Braun, S., 2014. Forensic evidence of copyright infringement by digital audio sampling analysis-identification–marking. International Journal of Cyber-Security and Digital Forensics (IJCSDF), 3(3), pp.170-182.
Marturana, F. and Tacconi, S., 2013. A Machine Learning-based Triage methodology for automated categorization of digital media. Digital Investigation, 10(2), pp.193-204.
McClelland, D. and Marturana, F., 2014, June. A Digital Forensics Triage methodology based on feature manipulation techniques. In Communications Workshops (ICC), 2014 IEEE International Conference on (pp. 676-681). IEEE.
Nance, K. and Bishop, M., 2017, January. Deception, Digital Forensics, and Malware Minitrack (Introduction). In Proceedings of the 50th Hawaii International Conference on System Sciences.
Peterson, G. and Shenoi, S. eds., 2016. Advances in Digital Forensics XII: 12th IFIP WG 11.9 International Conference, New Delhi, January 4-6, 2016, Revised Selected Papers (Vol. 484). Springer.
Rumsey, F., 2016. Audio Forensics: Not an Episode from CSI. Journal of the Audio Engineering Society, 64(6), pp.440-444.
Sang, T., 2013, January. A log based approach to make digital forensics easier on cloud computing. In Intelligent System Design and Engineering Applications (ISDEA), 2013 Third International Conference on (pp. 91-94). IEEE.
Sharma, S. and Dhavale, S.V., 2016, January. A review of passive forensic techniques for detection of copy-move attacks on digital videos. In Advanced Computing and Communication Systems (ICACCS), 2016 3rd International Conference on (Vol. 1, pp. 1-6). IEEE.
Sutardja, A., Ramadan, O. and Zhao, Y., 2015. Forensic methods for detecting image manipulation-copy move. Technical Report No. UCB/EECS-2015-84, Electrical Engineering and Computer Sciences, University of California at Berkeley.
Tanimoto, S., Kakuta, T., Sato, H. and Kanai, A., 2015, July. A Study of Cost Structure Visualization for Digital Forensics Deployment. In Applied Computing and Information Technology/2nd International Conference on Computational Science and Intelligence (ACIT-CSI), 2015 3rd International Conference on (pp. 428-431). IEEE.
Van Baar, R.B., Van Beek, H.M.A. and van Eijk, E.J., 2014. Digital Forensics as a Service: A game changer. Digital Investigation, 11, pp.S54-S62.
Zhao, Y., Sutardja, A. and Ramadan, O., 2015. Digital image manipulation forensic. Technical Report No. UCB/EECS-2015-125, Electrical Engineering and Computer Sciences, University of California at Berkeley.