As part of the auditing team, in the capacity of a digital forensics expert, your task is to prepare a digital forensics investigative plan that enables a systematic collection of evidence and the subsequent forensic analysis of the electronic and digital data. Assuming all systems are Windows based, this plan should detail the following:
Information technology has become an integral part of human life, regardless of age, and businesses have exploited it to such an extent that almost every business activity is automated to save time and increase productivity. Though this is a positive and encouraging side of IT, cyber crime is growing at the same pace, so companies have to emphasize the security of their intellectual information as much as they emphasize automation. Global Finance has realized its vision of globalization through information technology and now faces the challenge of a compromised system. A digital forensic investigation team can meet such a challenge by finding the source of the compromise and restoring the systems and network to the necessary safety standards.
Global Finance is one of the large companies in Australia, with a wide range of finance products and a wide range of customers throughout the world. The company has equipped its head office and all of its child organizations with the necessary information technology infrastructure. A suspected compromise has been detected on the manager's computer in the Queensland branch, which is one of its child organizations. An investigation audit team has been formed to find the source of the compromise and has been deployed to the branch office to conduct the digital forensic investigation.
Global Finance is the company that needs the digital forensic investigation done by the audit team. The case study includes the following important points about the company.
The digital forensic methodology should be executed by the information security office. The other methodologies, such as computer forensics, mobile forensics, network forensics and data recovery, are sub-branches of digital forensics and can only give partial results rather than a complete investigation of the source of the compromise.
The digital forensic investigation conducted for the regional office of the Global Finance Company has the following scope.
The audit team of the Global Finance Company can follow the Four Step Forensics Process (FSFP). This digital forensic investigation model is the most effective model for investigating the compromise that occurred in the regional branch of the Global Finance Company.
A digital forensic investigation needs many resources to be processed successfully and reported on. It demands technological support in the form of tools and techniques to implement the processes, and it demands expertise from the audit team in multiple dimensions.
The digital forensic methodologies that can be implemented are static and dynamic methodologies. Various tools, such as EnCase, ProDiscover and many others, are needed to conduct a thorough check of the existing network system in the branch office.
ACPO (Association of Chief Police Officers) guidelines are the standard set of four principles that the audit team has to follow when conducting a computer or digital forensic investigation.
Principle 1: The data present on and collected from the targeted computers must be preserved as is, without any alterations or changes.
Principle 2: The collected data must be preserved safely, so the audit team must have enough expertise and be competent enough to handle it safely, and whenever required, the course of action taken during the process must be explained with the necessary evidence.
Principle 3: All documentation and audit trails must be created clearly and preserved, so that a third party executing the same process obtains the same results.
Principle 4: Each and every member of the audit team is responsible for the entire investigation conducted.
The audit team members should possess enough expertise in core operating system internals, networking and the tools and techniques needed for the investigation. The skill set must extend to multiple dimensions, such as knowledge of cyber crime, legal procedures and related matters.
Digital evidence must be collected from the workstations of the manager and other staff and from the servers present in the regional office. The following evidence is useful.
Digital evidence collection: digital evidence acquisition in the regional branch of the Global Finance company has to be done in two stages.
Volatile memory is temporary memory whose data is held only while the workstation or server is running; primarily it is RAM. The team must be on the same LAN as the manager's computer to acquire this data over the network.
On the manager's computer, with the listener below already running on the forensic workstation, give the command cryptcat <forensic-workstation-ip> 6543 -k key (the workstation address is a placeholder; cryptcat needs the listener's host and port).
Computer data can then be received on the forensic workstation with the command,
cryptcat -l -p 6543 -k key >> <output-file>
where -l puts cryptcat in listen mode, -p 6543 is the port the first command connects to, -k key is the shared encryption key, and <output-file> is a placeholder for the evidence file on the workstation.
In addition to these commands, graphical user interface tools such as TCPView, RootkitRevealer and Process Explorer help the team retrieve volatile data such as the system date and time, the logged-in user, open ports, running processes and network connections.
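The cryptcat transfer described above is a listener on the forensic workstation receiving a stream from the target and appending it to an evidence file. The added example below is not part of the original plan: it runs both ends on localhost over plain TCP (standing in for cryptcat's encrypted channel), with a constructed byte string in place of a real RAM capture, and hashes the stream on both sides so the received copy can be verified against what was sent (ACPO principle 1).

```python
import hashlib
import socket
import threading

# Constructed stand-in for a RAM capture; a real acquisition streams the
# memory image taken from the manager's workstation instead.
SAMPLE_IMAGE = b"CONSTRUCTED-RAM-IMAGE-" * 4096

def receive_image(listener, out_path):
    """Forensic workstation side: accept one connection, write every byte
    received to out_path and hash the stream while it is written."""
    conn, _ = listener.accept()
    digest, total = hashlib.sha256(), 0
    with conn, open(out_path, "wb") as out:
        while chunk := conn.recv(65536):
            out.write(chunk)
            digest.update(chunk)
            total += len(chunk)
    return digest.hexdigest(), total

def send_image(host, port, data):
    """Target side: stream the capture to the listener and hash the same
    bytes, so both ends can be compared afterwards."""
    with socket.create_connection((host, port)) as conn:
        conn.sendall(data)
    return hashlib.sha256(data).hexdigest()

def acquire_over_network(data, out_path):
    """Run both ends on localhost and report whether the copy verifies."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port; the cryptcat pair uses 6543
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def receiver():
        result["received_sha256"], result["bytes"] = receive_image(listener, out_path)

    worker = threading.Thread(target=receiver)
    worker.start()
    result["sent_sha256"] = send_image("127.0.0.1", port, data)
    worker.join()
    listener.close()
    result["verified"] = result["sent_sha256"] == result["received_sha256"]
    return result

if __name__ == "__main__":
    print(acquire_over_network(SAMPLE_IMAGE, "ram_capture.img"))
```

The two digests, together with the byte count, are what the team records in the audit trail for the capture (ACPO principle 3).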
Permanent or non-volatile memory is a significant source for the digital forensic investigation. Permanent data is collected through both online and offline methods.
Offline data is collected with hard drive duplicator and imaging tools such as FTK Imager, Guymager, DCFLdd, IXimager and EnCase, which are used to copy the hard drives of the manager's workstation, the other workstations and the servers. Other permanent storage devices, such as CDs, DVDs, memory cards, flash drives, pen drives and other drives, are also collected from the office.
Online data, such as firewall logs, antivirus logs and domain controller logs, is collected with the help of tools such as Ethereal and Wireshark.
Once all the potential digital forensic evidence is collected, a detailed examination is done by comparing the original with the logical copies collected and checking them against each hypothesis for deviations. Such examinations can give clues as to how the manager's computer was compromised.
A detailed examination is done of the Windows registry, the network, the file system and the databases. The team uses the following commands for the same.
C:\>echo text_mess > file1.txt:file2.txt
This command writes the text into an NTFS alternate data stream named file2.txt attached to file1.txt, so the content does not show up in the file's normal size or directory listing. The above file is then retrieved through the command,
Windows registry examination is done with the following hives and structures present in it,
Network forensics is performed using tools and techniques so that the following potential information can be accessed from the manager's computer.
The above information can be accessed with the network forensic tools NetStumbler, TCPDump/WinDump, Wireshark, The Sleuth Kit and Argus.
Many tools and methodologies are used by the audit team to analyze the collected and examined evidence. Analysis is done according to the following.
The tools used in this phase by the team are EnCase, FTK and ILOOKIX. These tools help recover internet documents, chat logs, emails, images, internet history, accessible and deleted space and OS cache files from the manager's computer. A hash signature forensic tool helps to find notable files. When SSD drives are present in the systems, the data can be recovered even after secure erase operations.
Once the analysis is done by the team, it extracts answers to the following objectives.
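Two steps of the plan rely on file hashes: the examination phase compares the acquired original against the working copies, and the analysis phase uses a hash signature tool to find notable files. The added example below is not part of the original plan or any of the named tools: it builds a SHA-256 manifest of an evidence tree at acquisition time, reports any file in a working copy that no longer matches it, and looks the manifest up against a known-bad signature set. The evidence tree and the known-bad set are constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large images are never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256: the record
    taken when the evidence was acquired."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_copy(acquired, copy_root):
    """Relative paths whose hash in the working copy differs from the acquisition
    manifest, or which are missing; any entry here means the copy is not the original."""
    current = build_manifest(copy_root)
    return sorted(p for p, h in acquired.items() if current.get(p) != h)

def notable_files(manifest, known_bad):
    """Hash-signature lookup: files whose digest appears in a known-bad set."""
    return sorted((p, known_bad[h]) for p, h in manifest.items() if h in known_bad)

def make_sample_tree():
    """Constructed evidence tree standing in for files from the manager's workstation."""
    root = tempfile.mkdtemp(prefix="gf_evidence_")
    files = {
        "Users/manager/report.docx": b"quarterly figures (constructed)",
        "Users/manager/AppData/dropper.exe": b"MZ constructed-malicious-sample",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root

# Constructed known-bad signature set; a real one comes from a vetted hash list.
KNOWN_BAD = {hashlib.sha256(b"MZ constructed-malicious-sample").hexdigest(): "constructed-dropper"}
```

Calling build_manifest on the acquired tree before any analysis, and verify_copy on each working copy afterwards, gives the team a repeatable record that a third party can reproduce.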
The final report is generated by the audit team, with all the documented information.
Purpose of the Report
Digital Forensic Investigation conducted on the compromise of the manager’s computer in a regional office of the Global Finance Company
Author of the Report
The audit team
The sources of compromise are x, y, z reasons
All the affected files, registry data and log data
All the analyzed data from the analysis part
All the digital evidences are extracted and the sources of compromise are found
Documents to Support
Volatile and non-volatile data, tool-generated information, log information, registry information and so on.
The source of compromise of the manager’s computer in the regional branch of Global Finance Company is found through digital forensic investigation.