1. Carefully read each case and assign each DETAILED procedure or evidence prese
Question
1. Carefully read each case and assign each DETAILED procedure or evidence presented in above given case study to the appropriate OSCAR investigation phase. The objective of this question is to ORGANIZE the details of your assigned case and compare to an appropriate OSCAR phase. Do not worry if the case procedures do NOT exactly match OSCAR methodology. Rather, focus of the details of the case network forensic procedures.
OSCAR Investigation Methodology Phase       | Investigation Procedure or Evidence of the Case
-------------------------------------------|------------------------------------------------
Obtain Incident Information                |
Obtain Environment Information             |
Strategize or plan for the investigation   |
Collect Evidence                           |
Analyze Evidence                           |
b) Brief summary of background information and potential risks
   b.1 Tools used in the investigation process, including their purpose and any underlying assumptions associated with the tool
   b.2 Evidence Item #1
       a. Summary of evidence found
       b. Analysis of relevant portions
       Repetition of the above steps for other evidence items (which may include other computers and mobile devices, etc.)
   b.3 Findings or Results
   b.4 Recommendations
1.1.1 Hospital Laptop Goes Missing

A doctor reports that her laptop has been stolen from her office in a busy U.S. metropolitan hospital. The computer is password-protected, but the hard drive is not encrypted. Upon initial questioning, the doctor says that the laptop may contain copies of some patient lab results, additional protected health information (PHI) downloaded from email attachments, schedules that include patient names, birth dates, and IDs, notes regarding patient visits, and diagnoses.

1.1.1.1 Potential Ramifications

Since the hospital is regulated by the United States' Health Information Technology for Economic and Clinical Health (HITECH) Act and Health Insurance Portability and Accountability Act (HIPAA), it would be required to notify individuals whose PHI was breached. If the breach is large enough, it would also be required to notify the media. This could cause significant damage to the hospital's reputation, and also cause substantial financial loss, particularly if the hospital were held liable for any damages caused due to the breach.

1.1.1.2 Questions

Important questions for the investigative team include:
1. Precisely when did the laptop go missing?
2. Can we track down the laptop and recover it?
3. Which patient data was on the laptop?
4. How many individuals' data was affected?
5. Did the thief leverage the doctor's credentials to gain any further access to the hospital network?

1.1.1.3 Technical Approach

Investigators began by working to determine the time when the laptop was stolen, or at least when the doctor last used it. This helped establish an outer bound on what data could have been stored on it. Establishing the time that the laptop was last in the doctor's possession also gave the investigative team a starting point for searching physical surveillance footage and access logs.

The team also reviewed network access logs to determine whether the laptop was subsequently used to connect to the hospital network after the theft and, if so, the location that it connected from.

Explanation / Answer
OSCAR is a computer forensic investigative methodology especially designed for computer networks, used to accurately collect the information regarding a crime by obtaining evidence through analysis of network-related data like device logs, email or internet history, etc.
OSCAR is a five-fold investigation method having the following phases of investigation:
The following is the OSCAR investigation documentation for the theft of the doctor's laptop that took place in the hospital.
Information about the incident:
A laptop of a doctor at a U.S. metropolitan hospital was stolen and a complaint was reported. The stolen laptop was reported to have password-protected access, and the data on the hard disk drive was not encrypted. It was also reported that it may have copies of sensitive information regarding the lab reports of patients and their primary health information records.
The theft most probably took place in the busy working hours of the hospital, which may have leveraged the potential for weak observation of surveillance systems by the security staff.
Date and time of the incident:
Unspecified; it needs to be obtained from CCTV surveillance footage
Person involved
A visitor whose identity is unknown
System and data involved
CCTV footage from the visitor parking garage, entry logs, WiFi router logs and hospital e-mail server logs
Action taken since discovery
A complaint was lodged by the victim at the police station
Legal issues
The documents required for lodging a complaint in the prescribed format
Possible evidence or witnesses have to be produced
Goals
Obtain the time of the theft
Acquire the logs of wireless access points, email servers and other device logs that may provide evidence or any other information related to the incident
Environment Information
The incident took place in a hospital building which is busy most of the time. The hospital is equipped with video surveillance and standard office IT infrastructure with network access.
Business model: Community Health Provider
The hospital can be considered a standard office infrastructure in terms of the IT and network equipment available
Network Topology
LAN, mobile AP facility, VPN enabled
Available sources of network evidence
Active Directory logs, WiFi access logs, DHCP lease assignment logs, web proxy logs
Incident response management process/procedures
The other IT-related equipment needed to be encrypted immediately, and backup copies of the data needed to be taken at regular intervals to avoid loss of data. Physical securing and monitoring of equipment is required to avoid recurrence of such incidents.
Communication system (is there a central incident communication system/evidence repository)?
The surveillance is centralized, which is the only possible evidence resource
Potential risks
The stolen laptop is reported to be holding the health records and lab reports of the patients, which may reveal sensitive information like names, dates of birth, IDs, diagnosis information and visits
The hospital is under the regulation of the US Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA)
The hospital needs to notify the patients about the breach, and also the media depending on the level of the breach, which may reflect on the reputation of the hospital
Risks observed:
1. Reputation of the hospital will be degraded due to the data breach
2. The hospital will be liable for any substantial financial loss to any of the patients if the data is misused
3. Misuse of doctor’s personal information stored on the laptop
4. Loss of the data caused by formatting or any damage to the stolen laptop
5. Access to information repositories like the hospital database by impersonation, through misuse of the doctor's credentials by the attacker
Tools used in the investigation process:
Hard drive analyser:
It performs the following operations
Network analyzer tool
Network Mapper
Evidence Found:
Evidence Item #1: Wireless Access Point Log
A wireless access point log was recovered by the network administrator, which provided all the device access logs of the hospital network access through the WiFi. The lost laptop has a WiFi facility and was supposed to have been connected at the time of the incident.
This evidence pinpointed the time of the theft, as the logs showed the WiFi being disconnected by the laptop as it was taken away from the coverage of the wireless access point during the theft.
Evidence Item #2: Video footage from the CCTV camera located at the hospital parking
Video footage was recovered from the surveillance camera backup. Based on the time of theft from evidence #1, the surveillance cameras were observed and the trace of the theft was found in the video footage: a tall man wearing scrubs who passed out through the visitor's parking and left the hospital building in a car along with another person.
The footage was not clear enough to identify the face of the thief, but it revealed the licence plate details, providing a clue to the thief's identity
Findings of the investigation
Recommendations
From the above investigation criteria, the following are to be implemented in the hospital's infrastructure as a defensive mechanism
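As an added example (not part of the question, the answer above, or the book's case study), the analysis behind Evidence Item #1 and the post-theft check described in the technical approach: a Python script that parses a constructed wireless access point association log, finds the last time the laptop's MAC address was seen before the doctor reported it missing (the outer bound on the theft time), and lists any later associations together with the access point that served them. The log format, AP names, MAC addresses and timestamps are all hypothetical.

```python
import re
from datetime import datetime

# Constructed sample of a wireless controller's association log. The syslog-like
# format, the AP names and the MAC addresses are hypothetical, not a real product's.
SAMPLE_AP_LOG = """\
2023-03-14 16:58:02 ap-3F-east ASSOC client=aa:bb:cc:dd:ee:01 ssid=HOSP-STAFF
2023-03-14 17:02:11 ap-3F-east ASSOC client=aa:bb:cc:dd:ee:ff ssid=HOSP-STAFF
2023-03-14 17:41:55 ap-3F-east DISASSOC client=aa:bb:cc:dd:ee:ff reason=idle_timeout
2023-03-14 18:10:30 ap-3F-east ASSOC client=aa:bb:cc:dd:ee:01 ssid=HOSP-STAFF
2023-03-15 09:15:07 ap-P1-garage ASSOC client=aa:bb:cc:dd:ee:ff ssid=HOSP-GUEST
2023-03-15 09:16:40 ap-P1-garage DISASSOC client=aa:bb:cc:dd:ee:ff reason=roam
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ap>\S+) "
    r"(?P<event>ASSOC|DISASSOC) client=(?P<mac>[0-9a-fA-F:]{17})"
)

def parse_ap_log(text):
    """Yield (timestamp, ap_name, event, mac) for every well-formed line.
    Malformed lines are skipped so one bad record does not abort the analysis."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["ap"], m["event"], m["mac"].lower())

def laptop_timeline(text, mac, reported_missing):
    """Return the last time the laptop was on the WLAN before it was reported
    missing (outer bound on the theft) and any later associations, whose AP
    names indicate where the device reconnected from."""
    cutoff = datetime.fromisoformat(reported_missing)
    events = [e for e in parse_ap_log(text) if e[3] == mac.lower()]
    before = [e for e in events if e[0] <= cutoff]
    if not before:
        return {"last_seen": None, "last_ap": None, "post_theft_connections": []}
    last = max(before, key=lambda e: e[0])
    # Any ASSOC after the last pre-report sighting means the device rejoined
    # the hospital network after the doctor's last use.
    post = [(e[0].isoformat(sep=" "), e[1]) for e in events
            if e[2] == "ASSOC" and e[0] > last[0]]
    return {"last_seen": last[0].isoformat(sep=" "), "last_ap": last[1],
            "post_theft_connections": post}

if __name__ == "__main__":
    print(laptop_timeline(SAMPLE_AP_LOG, "AA:BB:CC:DD:EE:FF", "2023-03-14 19:00:00"))
```

In a real case the MAC address would come from the hospital's asset inventory or DHCP reservations, and the same pass over the log gives the investigator the time window to pull from the CCTV system.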