You work for CCL Group as a forensic investigator and have been asked to contact
Question
You work for CCL Group as a forensic investigator and have been asked to contact a local company who suspect an employee of breaching company policies. You visit the company and meet with the system administrator and manager who explain that an employee appears to have used a P2P program to download full length movies onto their work computer. It is thought that they have also downloaded a Trojan virus which has resulted in not only the employee's computer system failing to boot, but also caused issues with the entire network.
The employee has been suspended pending the investigation and you will be provided with full access to the computer system and network. The system administrator and manager have confirmed that the employee's computer system has been left 'in situ' and not tampered with, but that the network issue had to be resolved due to the business needing to function as normal.
You are required to plan and carry out an investigation of the employee's computer system and present your findings as a report for the system administrator and manager. You have a timescale of two weeks to plan and conduct your investigation, completing all relevant documentation as well as preparing the final report.
Tasks

1 You are required to produce a documented plan of how you are going to approach your computer forensic investigation, which will be approved by your supervisor. The plan must include the following:

A documented plan for the computer forensic investigation of the employee's system to include:
a An annotated diagram of the evidence lifecycle
b An explanation of the admissibility of evidence providing four examples of good practice
c Identification of the types of evidence that could be gathered for this investigation including a justification of the types of evidence to be collected
d Explanation of the precautions that will be taken to preserve the state of each type of evidence
e Identification of the hardware and software tools that will be selected to analyse the evidence with a justification of the tools selected
f Explanation of the importance of the chain of custody process
g Explanation of the evidence handling procedures that will be used.

2 After your supervisor approves your plan, you can now carry out your computer forensic investigation of the employee's computer system. Ensure that you document the investigation process thoroughly to include:
a date and time of action
b activity type
c personnel collecting/accessing evidence
d computer description information
e disk drive descriptive information
f handling procedure
g complete description of action:
• procedure followed
• tools used
• step-by-step description of analysis and results
h reasons for action taken
i notes
j collection of evidence
k review of evidence
l analysis and interpretation of evidence
m documentation of evidence (printouts, photographs etc) and Chain of Custody record.
Explanation / Answer
The investigation plan can be given in the points below:
1) Identify: In this very step, we identify the various resources that we have to look at for security issues. In other words, in this step we identify what we need to protect or look at for security issues.
2) Assess: As the various assets have been identified in the first step, in this step we perform a security assessment on the resources and assets identified in the very first step. Here we take care of the various aspects of processes and procedures to look for vulnerabilities and security concerns. On the basis of the assessment, we derive the security issues and the security results, which tell about the security-related issues of the resources and assets.
3) Protect: In this step, we work on the security issues found in the assessment step. Here we try to protect our procedures and processes from security threats. We work on the security-issue-related results and try to protect and mitigate each and every resource involved in the process.
4) Monitor: After protecting the resources and the processes, we have to keep monitoring them; monitoring is required so that the same process, procedure or resource does not show the security concerns again.
The forensics team uses various tools on different platforms for the preservation, identification and extraction of computer evidence which can be used in a court of law.
i) The tools used on the Unix operating system are given below:
a) CAINE (Computer Aided Investigative Environment): It provides a GUI-based investigation tool for the forensics team. It is a very helpful tool in digital investigation.
b) KALI: It is also one of the top choices of forensics team members. It is a Unix-based tool that is used for digital investigation.
ii) The tools used on Windows operating systems as well as on Unix:
a) Wireshark: It is basically one of the powerful tools for investigation of data packets on both platforms, Unix as well as Windows.
iii) The tools used on Windows operating systems are given below:
a) Encase: It is a multipurpose forensics tool used for various types of investigation.
b) Registry Recon: It is the forensics tool that is used to build the Windows registry entries and can be used for deep analysis of data.
iv) Add-on features of tools:
If we talk about Wireshark, which is a cross-platform tool, the add-on feature of snooping the data packets is used to get the optimal results.
v) The team uses these tools on the basis of the type of investigation. These tools can be used in the following ways:
a) For a very high level of investigation, a forensics team lab can be set up, where these tools can be used on multiple servers.
b) More preference is given to cross-platform tools, as they can be used on multiple operating systems.
c) For a small level of investigation, tools can be used on a single server only.
vi) The team always uses the tools with a specific configuration for the following reasons:
a) The forensics team always looks for optimal and best results, and for that they have to configure the tools accordingly.
b) For getting the desired information and proof in quick time, configuration of the tools is required.
c) To make the tools more effective and more secure, various passwords as well as other configurations are set.
The various ethical guidelines that we can publish for the employees are listed below:
1) Employees are required to accurately represent their education details, experience and area of expertise; this helps the organization to get the right person for the right job.
2) Employees should provide a commitment to continuous learning of new forensic technologies and the various forensic disciplines; this helps in resolving forensic cases easily.
3) Employees should use as well as promote the latest technologies in forensic investigation; this is required because with the latest technologies we get better results in less time.
4) Keep the forensic evidence secret and put it in a safe so that nobody can see it or even tamper with it.
5) A guideline should be made so that company employees do a fair, full and unbiased investigation of forensic evidence.
6) There should be a guideline to provide complete forensic analysis data in the reports; with this it is easy to come to a conclusion.
7) Employees should also document, as well as notify the senior management of the company about, any adverse events such as an unintended mistake.
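As an added illustration of the Task 2 documentation fields (date and time, activity type, personnel, computer description, handling procedure, Chain of Custody record), not part of the question or the answer above, the script below records each action on an acquired image in a chain-of-custody log and checks that the image is unchanged before analysis. The use of a SHA-256 hash to prove the evidence was not altered is standard practice but is not mentioned on this page, and the disk image bytes, the investigator name and the asset tag are constructed placeholders.

```python
"""Chain-of-custody log with evidence integrity check (added example).

Assumptions, none of which come from the original question or answer:
- the acquired disk image is a byte string constructed inline below
- entries are JSON lines; the field names are illustrative only
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for the employee's drive image.
# A real image would be read from the acquired file in chunks.
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 504  # constructed, not real data


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the evidence bytes, hashed in chunks so large images fit in memory."""
    h = hashlib.sha256()
    view = memoryview(data)
    for i in range(0, len(view), 4096):
        h.update(view[i:i + 4096])
    return h.hexdigest()


def record_action(log: list, *, activity: str, person: str, device: str,
                  handling: str, digest: str, notes: str = "", when=None) -> dict:
    """Append one chain-of-custody entry covering the fields listed in Task 2.

    `when` defaults to the current UTC time; a fixed timestamp can be passed
    so that a log is reproducible in tests.
    """
    entry = {
        "date_time": (when or datetime.now(timezone.utc)).isoformat(),
        "activity": activity,
        "personnel": person,
        "computer_description": device,
        "handling_procedure": handling,
        "sha256": digest,
        "notes": notes,
    }
    log.append(entry)
    return entry


def verify_integrity(data: bytes, log: list) -> bool:
    """True only if the current hash equals the hash recorded at acquisition.

    A missing acquisition entry is treated as a failure: without a baseline
    hash the state of the evidence cannot be shown to have been preserved.
    """
    acquisition = next((e for e in log if e["activity"] == "acquisition"), None)
    if acquisition is None:
        return False
    return sha256_of(data) == acquisition["sha256"]


def custody_log_text(log: list) -> str:
    """Serialise the log as JSON lines for the report appendix."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in log)


def demo():
    """Acquire, then verify the intact image and a tampered copy; returns (intact, tampered)."""
    log = []
    record_action(log, activity="acquisition",
                  person="J. Investigator (hypothetical)",
                  device="Employee workstation, hypothetical asset tag WS-0001",
                  handling="Write-blocked imaging; original drive sealed in evidence bag",
                  digest=sha256_of(SAMPLE_IMAGE))
    intact = verify_integrity(SAMPLE_IMAGE, log)
    # Flip the last byte to simulate an altered image; verification must fail.
    tampered = verify_integrity(SAMPLE_IMAGE[:-1] + b"\x01", log)
    record_action(log, activity="review", person="J. Investigator (hypothetical)",
                  device="Working copy of WS-0001 image", handling="Analysis on copy only",
                  digest=sha256_of(SAMPLE_IMAGE), notes=f"integrity ok={intact}")
    print(custody_log_text(log))
    return intact, tampered


if __name__ == "__main__":
    demo()
```

Every later entry (review, analysis, printout) carries the same hash as the acquisition entry, so the log itself shows that each person who handled the evidence worked on an unchanged copy.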