A Digital Forensic and Malware Investigation

The business SME is experiencing breaches in security and computer operations, which are causing large amounts of sensitive data to be transferred to unknown sources outside of the company. A team of digital forensic investigators has been hired to locate and correct the cause of the incident. The investigation includes a discussion of appropriate digital forensic procedure, collection, analysis, reporting, and resolution. A detailed discussion of digital, malware, and network investigations, along with recommended tools, will provide SME with a solution to improve operations. To investigate SME's incident, one needs to determine what exactly has occurred and narrow down the cause. The company may wish …
To begin this digital forensic investigation, interviews with the Information Technology personnel should be conducted to gather details about the computer systems, components, and network. Interviewing staff will aid in determining the impact the incident has had on the company, such as loss of information and/or profits. During evidence collection, SME's business could suffer major financial losses if computers are moved to a crime lab for an extended period. If possible, an on-site investigation would be most efficient for the company. The investigator will need to collect volatile data related to RAM, log files, caches, and the network. To collect nonvolatile data, cloning the hard drives may be the best option to prevent interruptions to business operations. Since SME is using Windows Server NT, an assessment of the contents of the Windows registry can reveal an operator's actions, including programs accessed, external tools used, and unfamiliar IP addresses. After collection of data, an analysis in a forensic lab should be conducted. Using timeline analysis, the crime can be reconstructed by examining alterations of files. Throughout this entire process it is essential that proper documentation and chain of custody are maintained. Without this documentation, digital evidence may be found inadmissible if court proceedings are necessary. When a timeline is established, the investigator may begin sorting through data relevant to the incident. The forensic investigation
By performing the tasks required in this lab, many other attributes, references, and pieces of system information were gleaned that will benefit forensic efforts in the future. For this lab, the time zone of the computer has been isolated to China Standard Time, which in itself is suspicious. BHOs and add-ins were also located using registry values. Among these, there was only a reference to Bing Bar, which was identified in an earlier lab as a download performed on Jane's computer. Moreover, this lab uncovered startup applications (UPnP.exe and SCVHhost.exe) that were identified as potentially suspicious in previous labs. Lastly, this lab allowed the student to locate USB storage devices that were connected to Jane's system, as well as the times associated with the connection and removal of the device in the system's
Electronic evidence is very fragile because it can be destroyed or altered very easily; therefore, it is imperative that investigators follow all the procedural steps very carefully when collecting electronic evidence (Diversified Forensics). Before any electronic evidence is gathered, investigators should determine whether there is probable cause that a crime has been committed. If the crime was committed somewhere else, the investigator should determine whether the electronic evidence will aid the investigation process to prove or disprove the crime. If a warrant is needed, it must be obtained prior to collecting the evidence (Diversified Forensics). Hard drives, computers, and other electronic devices must be turned off, unplug all cables,
For this reason, it is imperative that the information gathered is reliable and accurate to ensure the evidence collected can be utilized by the digital forensic investigator for the current case (Ingalls & Rodriguez, 2011). Additionally, cyber incidents require digital forensic investigators to interview various individuals regarding the information needed for the case. According to the National Institute of Justice (2004), interviewing the system administrator, users, and employees of an organization regarding a cyber incident would provide investigators with valuable information; for example, user accounts, email accounts, network configuration, logs, and passwords. Furthermore, for digital forensic investigators to conduct an effective interview, they must have the proper tools and training to employ the interview process. For instance, formal procedures or instructions should be developed and implemented to ensure that the investigator follows a standard during all investigations. Additionally, training should be provided to ensure that digital forensic investigators understand how to prepare, conduct, and evaluate an interview. Furthermore, resources should be made available for digital forensic investigators to accomplish their tasks; for example, recording devices and references. Also, definitions should be provided to the digital forensic investigators for
When was the last time she accessed her computer? What is her background in computers, and what is her skill level? I need some background on the former employee, her computer habits and activities prior to the files being found on her computer. First, I must collect digital evidence while keeping the data unaltered. This data will be used later in the prosecution of the case. This can be done through calculating and recording an evidence file. Next is imaging of the computer media with a write-blocking tool. I must keep the chain of custody. The computer's RAM is examined for evidence. During the examination step, verify and catalog the presence and integrity of the original evidence and any copies. An analysis is made with specialized equipment to find out exactly what's stored on the digital media. This includes a manual review of all materials found on the media, a review of the Windows registry, techniques to crack passwords and retrieve protected data, keyword searches, and extraction of email and pictures for further review.
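The "calculate and record an evidence file", write-blocked imaging and chain-of-custody steps in the excerpt above, as an added Python example that is not part of the essay: the acquired image is hashed with SHA-256, the working copy is re-hashed to confirm it is bit-identical before analysis, and every handling event is appended to a hash-linked custody log so that an edited, removed or reordered entry is detectable. The sample image bytes, custodian names and locations are constructed for the demonstration.

```python
"""Evidence integrity and chain-of-custody record keeping (added example).

SAMPLE_IMAGE, the custodian names and the locations are constructed
stand-ins; in practice the image is a file produced by a write blocker.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a raw disk image.
SAMPLE_IMAGE = b"\x00" * 512 + b"constructed sample image header" + b"\xff" * 512


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of *data* as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> Tuple[bytes, str]:
    """Simulate a write-blocked acquisition: copy the source and hash the copy.

    Returns (working_copy, acquisition_hash). The source is never modified;
    the acquisition hash is the value the custody log records.
    """
    working_copy = bytes(source)  # bit-for-bit copy
    return working_copy, sha256_hex(working_copy)


def verify_image(image: bytes, expected_hash: str) -> bool:
    """True if *image* still matches the hash recorded at acquisition."""
    return sha256_hex(image) == expected_hash


class CustodyLog:
    """Append-only chain-of-custody log; each entry commits to the previous one."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def add_entry(self, custodian: str, action: str, location: str,
                  evidence_hash: str, when: Optional[datetime] = None) -> Dict:
        when = when or datetime.now(timezone.utc)
        prev_link = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": when.isoformat(),
            "custodian": custodian,
            "action": action,
            "location": location,
            "evidence_hash": evidence_hash,
            "prev_entry_hash": prev_link,
        }
        # The entry hash covers every field above, including the previous link.
        entry["entry_hash"] = sha256_hex(
            json.dumps(entry, sort_keys=True).encode("utf-8"))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every link; False if any entry was edited, removed or reordered."""
        prev_link = "0" * 64
        for expected_seq, entry in enumerate(self.entries, start=1):
            if entry["seq"] != expected_seq or entry["prev_entry_hash"] != prev_link:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))
            if recomputed != entry["entry_hash"]:
                return False
            prev_link = entry["entry_hash"]
        return True


def run_demo() -> Dict[str, bool]:
    """Walk through acquisition, verification, and two detected alterations."""
    log = CustodyLog()
    copy, acq_hash = acquire_image(SAMPLE_IMAGE)
    log.add_entry("Investigator A (constructed)", "imaged drive via write blocker",
                  "on-site server room (constructed)", acq_hash)
    log.add_entry("Examiner B (constructed)", "received working copy",
                  "forensic lab (constructed)", acq_hash)
    intact = verify_image(copy, acq_hash)

    # A single flipped byte in the working copy must be caught before analysis.
    tampered = bytearray(copy)
    tampered[600] ^= 0x01
    tampered_ok = verify_image(bytes(tampered), acq_hash)

    chain_ok = log.verify_chain()
    # Rewriting a past entry (e.g. who handled the drive) breaks the chain.
    log.entries[0]["custodian"] = "someone else"
    chain_after_edit = log.verify_chain()
    return {"intact": intact, "tampered_ok": tampered_ok,
            "chain_ok": chain_ok, "chain_after_edit": chain_after_edit}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The hash recorded at acquisition is the reference for every later verification, so it must be written into the custody log at the moment of imaging, not recomputed later from the working copy. Linking each log entry to the previous one is what lets an examiner show the record was not altered after the fact; a plain text log offers no such check.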
Although computer forensics is a relatively young field of crime investigation, it has become a useful area of knowledge. Organizations and companies are finding it necessary to recruit computer and network forensics investigators. These experts can detect and report various computer crimes. The reports of their findings can be used to provide useful evidence in court. This paper discusses various aspects of computer forensics. It is based on a scenario involving a computer that is suspected to contain evidence of child pornography.
Computers are common tools used by the culprits behind white-collar crimes. In order to find “culprits,” the forensic accountant will need to be able to dig deep into the company’s computer system. However, without the proper equipment, that process can prove to be very difficult. To facilitate the preservation, collection, analysis, and documentation of evidence, forensic accountants can use specialized software and computer hardware.
It is very important that the data is not altered. Once all the data is retrieved and examined from the computer, the next step is to analyze it. This step is crucial because the forensics investigator can find out when the inappropriate files were transferred to or installed on the computer and whether they have been modified. The analysis is done with specialized tools to review all of the data, protected data, the Windows registry, and email. After the analysis process is completed, the forensics investigator will then create a report describing all the steps taken to find the evidence. The report will be given to the main investigator of the
The OS provides digital forensic investigators with the primary application where the files, folders, and logs of every event that has occurred involving the suspect's information system can be located. Furthermore, this information can be utilized by investigators to understand how incidents like network intrusion, malware installation, and insider file deletions have occurred. As a result, the OS is the location where relevant information on incidents or unlawful activities can be discovered with the proper collection and examination
Digital forensics has been responsible for putting away thousands and thousands of criminals, ranging from simple computer crimes to child pornography. To get quality evidence that can be admissible in court, there are steps that are needed in preparing a computer investigation. There are also requirements for data recovery, as well as procedures for corporate investigations. "Digital forensics has become prevalent because law enforcement recognizes that modern day life includes a variety of digital devices that can be exploited for criminal activity, not just computer systems. While computer forensics tends to focus on specific methods for extracting evidence from a particular platform, digital forensics must be modeled such that it can encompass all types of digital devices, including future digital technologies" (Reith, Carr, and Gunsch, 2002).
Having digital forensic capabilities is very important in this era we are in. At our company, we have an in-house forensics team that consists of a senior forensic investigator, project manager, computer forensic examiner, legal counsel, IT specialist, and three lab assistants.
This manual is to assist forensic technicians who may be responsible for preserving an electronic crime scene and recognizing, collecting, preserving, and storing digital evidence. When dealing with digital evidence, these principles apply: The process of collecting, securing, and transporting digital evidence should not change the evidence in any way. Only forensic technicians trained specifically for digital evidence should conduct the analysis. Everything done during the search, seizure, transportation, and storage of the digital evidence should be documented, preserved, and ready for review.
Analyze file systems and memory images to determine whether any unusual files, processes, or suspicious network connections exist.
The members of the team can make use of forensic techniques, which can include reviewing system logs, looking for gaps in the logs, reviewing intrusion detection logs and, last but not least, interviewing the eyewitnesses and the victim of the incident to find out how the incident took place. Only authorized individuals may perform interviews or examine the evidence, and who is authorized may differ according to the situation and the organization related to
Once these steps are properly completed, it is the job of the computer forensics analyst to piece together a report on the findings. All of the evidence needs to be carefully phrased and should only contain key issues that are relevant to that specific situation. The goal here is to put together everything that pertains to that case and will have the highest chance of
Dedicated system forensics specialists have trained intensively in investigating digital incidents to determine the magnitude of the situation. Since digital crimes are committed on devices over multiple computing platforms, it is essential for forensic specialists to have broad knowledge of which tools and techniques yield the best results. The information collected from devices may serve as useful evidence in a legal matter; you never want the gathering of data to be an issue during the trial proceedings. Dedicated system forensic specialists understand the advantage of preparing a chain of custody report; it documents who oversaw data recovery or imaging, when & where collection took place, and how & by whom data was stored, all of which add evidentiary value to findings. Individuals not skilled in the digital investigative process may inadvertently contaminate, overlook, or destroy evidence, or simply forget to document the collection process. The smallest omission & error in evidence collection or documentation can cause findings to