Task1 - Investigative Plan of Action
School: Western Governors University
Course: D431
Subject: Information Systems
Date: Apr 3, 2024
Type: docx
Pages: 3
Uploaded by CorporalArmadillo3991
D431: Digital Forensics in Cybersecurity
Task 1: Investigative Plan of Action
Western Governor’s University
Susan Crowe
3/7/2024
A1. Discuss the strategy that your team will use to both maximize the collection of evidence and minimize the impact on the organization.
At the beginning of a potential incident requiring a forensics investigation, a key team would be engaged at a high level to develop a plan of action. This meeting would include relevant management from the oil company, members of the legal team, possibly the compliance team, and the cybersecurity investigation team to start. The following objectives would be executed to keep exposure to a minimum and to use personnel time as efficiently and briefly as possible.
Involving the right stakeholders would be essential to discuss the situation and gather any initially known information that helps determine the specific data-gathering needs. Initial information regarding the violator's position, responsibilities, expected access levels, typical job functions, etc. would help create a boundary between expected actions and inappropriate actions. Additional information would also include collecting the written policy documents, to help identify any actions that violate the documented acceptable and unacceptable actions.

A2. Describe the tools and techniques your team will use in evidence gathering, preparation, and analysis.
The process of collecting evidence will require multiple techniques as well as tools to extract information and ensure that the integrity of the data is maintained as carefully as possible. There may be a requirement to attempt to recover deleted files, also known as data carving or file carving. This would require a forensics analyst or specialist to search a computer system and its memory for fragments of files that were deleted at some point but left traces on the machine. If available, tools would be leveraged to create exact copies of the media for testing and investigation. This would ensure that the original disk is left intact and the user would likely have no knowledge of the investigation in progress. To execute a task like this, FTK and EnCase would be leveraged to copy the data for later analysis. (Cloudian, n.d.)
Log collection devices, including a Security Information and Event Manager (SIEM), would be used to pull activity log details for all systems that John Smith had access to, not just his workstation. This would give insight into the activity and the specific files that may have been accessed, or even where the data was transported electronically. (Christopher, E., 2021)
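The two integrity steps above, working only from a verified bit-for-bit copy and carving deleted files by their headers and footers, as an added example that is not part of the original assignment. The "disk image" bytes are constructed inline; the signature table and helper names are the example's own assumptions, not FTK or EnCase behaviour.

```python
import hashlib

# Constructed sample "disk image": zero-filled slack surrounding one JPEG
# and one PNG whose directory entries are gone but whose bytes remain.
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR-payload" + b"IEND\xaeB`\x82"
IMAGE = b"\x00" * 16 + JPEG + b"\x00" * 8 + PNG + b"\x00" * 16

# Header/footer magic bytes for the two file types carved here (assumed table).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_copy(original: bytes, working_copy: bytes) -> bool:
    """Chain-of-custody gate: the hash of the working copy must equal the
    hash of the original media before any analysis touches the copy."""
    return sha256(original) == sha256(working_copy)


def carve(image: bytes) -> list:
    """Scan raw bytes for every header..footer run in SIGNATURES.

    Returns (type, offset, carved_bytes) tuples sorted by offset, so each
    recovered file can be logged with where on the media it was found."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header))
            if end == -1:          # header without footer: partial file, skip
                break
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


if __name__ == "__main__":
    copy = bytes(IMAGE)  # stands in for the FTK/EnCase image of the original disk
    assert verify_copy(IMAGE, copy), "working copy does not match original"
    for kind, offset, data in carve(copy):
        print(f"{kind} at offset {offset}: {len(data)} bytes, sha256={sha256(data)}")
```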
A3. Describe how your team will collect and preserve required evidence using standardized and accepted procedures.
Once the overarching issue is better understood based on the roles and responsibilities of the violator in question, evidence gathering can begin. This will be done by collecting data and logs from network and endpoint devices in a way that does not interrupt business operations. This would include collecting logs and leveraging any other cybersecurity tools available within the oil company's environment. If there are data loss prevention tools, for example, information would be gathered from them to monitor and track the data movement and verify what actions the user took. This would all be done by the forensics team using the available log archives and tools, without much intervention from the organization's own resources. Initial steps would be conducted without taking control of the violator's workstation, so they would not impact any operational efforts going on within the workplace.
Security footage will be another key evidence collection process. If there is footage available from video surveillance cameras, it would be collected and reviewed to determine whether there is any physical evidence of the violator's movements in collecting data with the intent to share it, or of the actual process of sharing the proprietary data. This could include removable media being plugged into his workstation or into devices containing proprietary data, or the physical act of handing the information over to another party. The initial collection process would be geared towards collecting data and log evidence of events that have already occurred, assuming that this activity was already conducted. Additional protection measures would also be put into place once initial evidence is collected and a chain of custody has been established to maintain the integrity of the data. New protections would be put into place to monitor access attempts as well as to prevent further compromise through proprietary data sharing. Physical protections could include implementing a USB block to disallow any external device or media from being attached to the workstation or to devices containing the proprietary data that John Smith may have access to. Additional measures may include installing Wireshark to run packet captures on the machine during his daily activities. (Henry P., 2009)
A4. Describe how your team will examine the seized evidence to determine which items are related to the suspected violation of company policy.
Once all known evidence has been collected and a chain of custody process in place, the team would then begin to conduct the investigation to identify any behaviors or evidence that would validate the suspicion of John