Digital Investigation Steps and Policies

9258 words (37 pages) Assignment in Assignments

06/06/19 Assignments Reference this

Disclaimer: This work has been submitted by a student. This is not an example of the work produced by our Assignment Writing Service. You can view samples of our professional work here.

Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of UK Essays.

Question 1

As a forensic expert, you receive a phone call from the CEO detailing his situation. What advice would you give the CEO on the call at this point?

  1. Case Documentation

Case documentation begins when the Client initiates contact with the Forensic Investigator, even if an investigator or agency chooses not to accept a case it may later become necessary to explain why the case did not progress. Any information recorded during the case is discoverable. To be discoverable means that opposing counsel has the right to examine and analyse data collected during the process. If an investigator takes written notes or uses a digital voice recorder to make verbal observations, copies of the notes and audio files must be made available

Open a Case file (Appendix II), record the name and contact information for the organisation. Each Communication during the investigation must be recorded. The following items should be recorded

  • What is the name and contact information for the organisation involved in the incident? Record every individual contacted during the investigation, that person’s role in the process, and when, where, and how he or she was contacted.
  • When was the investigator notified? Dates and time.
  • A description of the incident, both in technical terms and in lay terms.
  • When was the incident discovered?
  • Who discovered the incident?
  • To whom was the incident reported?
  • What systems, information, or resources were impacted by the event? This includes hardware, organisational entities,
  • Is there any preliminary information that suggests how the offending actions were accomplished?
  • What is the impact of the incident on the individual or organization affected? This includes financial impact, impact on the systems involved, and any effect it may have had on the health or mental welfare of individuals involved.
  • What actions were taken between discovery of the incident and reporting it to authorities? This means everything that was done, including simple files searches.
  • Who are the stakeholders as they are identified?

 

 

 

1.1.           Introduction

During our opening conversation with the potential client we would address 3  important issues in relation to a Digital Investigation

  1. In most circumstance evidence can be recovered  – reassure the client that digital activity leaves footprints and that it is highly lightly that an investigation will recover evidence from which actions and intentions can be inferred and relied upon which will support the suspicion of theft.
  2. The two most immediate critical considerations for the organisation are –
    • Certainty that there can be no further breech of information e.g. all access to company data by the two suspects has been disabled.
  • Imperative that any sources of potential evidence are secured so as to preserve in a forensically sound manner. Digital evidence is often highly volatile and can potentially be easily compromised by poor handling. Successful recovery of evidence, which can be relied upon, depends heavily on the immediate actions in relation to the sources of evidence. The entire scope of evidence need to be secured and protected to maintain integrity workstations, hard drives, network logs, network backups, CCTV video, physical access logs, and cell phones. In dealing with the evidence there should be minimal handling.
  1. The evidence must be collected by trained personnel, a digital Forensic Investigator will take, where possible, an exact reproduction of the evidence and authenticate. Even minor attempts to recover information by untrained personnel may overwrite or destroy evidence. The earlier a forensic image can be taken of the computer, the more success in obtaining evidence.

1.2.           Incident Scope and Impact

  1. Get Client to Outline the incident, what system is the customer list kept on i.e. is the data on a file on the server or is this data also on a CRM\ERP systems
  2. What are the Data Governance policy, have we details on Customer Data artefacts in the organisation
  3. Ascertain if the organisation has an established Incident Response Team, if not then we would ascertain what has been established in relation to the incident; How\When and whom first detected the incident, build a timeline of events and list individuals involved
  4. Establish what actions have taken place since detection and explain that as Mr Lopez had used Mr Wayne’s desktop that some evidence may inadvertently have been changed due to these actions. Has re-used any of the devices belonging to the suspects, have these devices been restored to factory reset or has media or backups been wiped.  If this is the case it is exceptionally unlikely data can be recovered from these sources.
  5. Explain that it is possible to use specialist tools which can take a mirror image of the data on the phones and desktops which we can then examine for evidence.
  6. Have personnel from IT\HR\Security been involved in the investigation (unless there is suspicion of collusion).  Have employment contracts been reviewed, has company policy in relation to access to personal mobile phone data been clarified. Fortunately, it was established that it was company policy that in exchange for the employer paying for the monthly mobile SIM plan on employee’s personal plan each employee had signed an acknowledgement and waiver of privacy rights. What was the findings of their evaluations
  7. What steps were taken to contain and mitigate the incident? (This includes, but is not limited to, retaining suspect computers, changing passwords, turning off remote access, acquiring log files, disconnecting infected systems from network, disabling employee access)
  8.  What tools were deployed or system commands executed within the affected environment and on affected systems as part of the initial investigation? Is there supporting documentation?
  9. What logs were reviewed? If reviewed, what were the suspicious entries? What other unusual event or state information exists?
  10.            Has the company contacted their legal representatives, If the event caused substantial financial impact management may want to consider reporting the incident to law enforcement agencies.
  11.            We would discuss the fact that due to the nature of the data stolen, the suspects could potentially have taken this information via desktop, mobile, email, cloud accounts and unauthorized access to the server(s)/other workstations so the Investigation will include the following elements

This investigation would include the following elemnts

  • Computer devices and peripherals (Computer Forensics)
  • IT systems (Network Forensics)
  • Mobile and social networks (Mobile Forensics)
  1.            Consideration must be given to the fact that individuals engaging in this type of activity may have employed sophisticated methods to masquerade their activities such as encryption, steganography, anonymous email accounts or spoofed IP\MAC addresses
  2. What are the company’s obligations in relation to Data breeches, if the organisation has Data breech reporting obligations have these been met ?.
  3. Understand the Individual suspect employee system details (what type of network and application access had the employees and confirm that all access has been disabled)
  4. We would need to establish a preliminary understanding of what action the client is lightly to want to pursue if evidence of wrong doing can be proved e.g. seeks  an injunction restraining the former employees from using the confidential information
  5. Has the company spoken to any customers, if so what information have these customers given the client. How likely would it be that the customers would be agreeable to be interviewed as part of the investigation
  6. How do the company plan to respond publicly to their customers
  7. We would email details of the types of evidence which can be established under an investigation – outlined in Appendix I.
  8. We would recommend that Management should
    • Nominate an incident Point of Contact (POC) with appropriate skills, knowledge and desecration for the investigation
    • We will provide an Incident Response Template (See Appendix IV) – The POC should complete a summary of known incident facts and information, along with a basic timeline of incident events, personnel with knowledge of the event and a description of what information they possess.
      •  How as the Breech detected
      •  Type of Intellectual Property
      •  What system(s) the Data is located on
      •  Has the system been secured
      •  Is this Data used by any Trusted Parties

This summary should also consider whether the full scope has been established, could other parties be involved and could this information be used by parties other than the two suspects.

  • The POC should prepare a contact list of those who possess information relevant to the investigation (Appendix III). This person and the summary would form the basis of the PID (Preliminary Investigation Discussion) should the client decide to progress with an Investigation.
  1.         Format of a Forensic Investigation

We outlined the stages to a Forensic Investigation

  1. Preliminary Investigation Discussion (PID)
  • The Forensic Investigator collates their version of the incident based on the information received to date and arranges a PID meeting on site
  • Meet the POC\Management and additional personnel to review the information which the client has gathered on the incident.
  • Investigator outlines the understanding of the facts with the POC and completes an analysis report. Management and the Forensics Team should verify enough information about the incident so that the actual response will be appropriate to determine the extent of the Investigation
  • Forensic Team and Management will agree the scope and desired outcomes of the investigation, the requirements for the investigation may expand if additional information is established.
  • During the PID the type of legal investigation is decided upon (non-liturgical, liturgical or criminal) and type of activity to investigate.
  • The investigator would provide an initial estimate of the amount of resources (time, equipment, personnel and cost) to complete the investigation. Depending upon the estimated cost and type of legal investigation, management may decide to not pursue the investigation
  • If Management decide to proceed with an Investigation the Forensics Team with meet with HR and IT (and Legal if required)
  1. The Forensics Consultant will secure and acquire any relevant digital evidence associated with potential or actual Information in a standard, best practices based forensically sound methodology using recognised digital forensics toolsets to preserve all relevant evidence in accordance with ACPO guidelines
  2. Evidence Acquisition and Analysis – Investigate acquired evidence to determine, the “if, what, when, how and whom” of the Information Security incident. All processes applied to evidence use industry standard tools
  3. Provide digital forensic reports with objective conclusions, supported by the evidence acquired and investigated
  4. Work with your legal, financial or criminal advisors in providing digital forensics expertise, evidence and objective expert conclusions.
  5. Provide expert witness testimony where appropriate.
  6. Provide mitigation advise and solutions to help prevent further Information Security issues arising in the future
    1.         Rules of Evidence

We outlined the rules of evidence as follows:

  • Admissible – the evidence must be able to be used in court.
  • Authentic –  ability to prove evidence relates to the incident
  • Complete – Consider and Evaluate all information available e.g. how without doubt that the employee was responsible for copying files and that it could not have been another employee using the login credentials, this is called Exculpatory.
  • Reliable – Evidence gathering and an analysis procedures must support authenticity
  • Clarity – Evidence should be clear and easy to understand
  • Identifying – What evidence is present, where and how it is stored, and which operating system is being used. From this information the Investigator identifies appropriate recovery methodologies, and tools which will be required.
  • Preserving – This is the process of preserving the integrity of the digital evidence, ensuring the chain of custody is not broken.
  • Documentation – All steps taken to capture the data must be documented. Any changes to the evidence must also be documented, including what the change was and the reason for the change.
  1.         Principles of Digital Evidence

Best Practice principals which apply to a Forensic Investigation

  • Principle 1: No action taken in obtaining the evidence should change data held on a computer or storage media which may subsequently be relied upon in court.
  • Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
  • Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
  • Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to

 

  1.         General advice in relation to current Data and IT Security issues

It is vital that some basic system security arrangements are immediately put into place

  • Restrict access to the server cabinet
  • Consider moving the server to a secure location that is fire proof
  • Put restrictions on desktops on removable media
  • Firewall should restrict Internet Access to certain sites e.g. cloud based storage sites
  • Data is an Asset. Management has a responsibility to ensure that the organisations Data Governance policies and implementation is robust to ensure s security and policies assess and manage risk and deter data threats.

APPENDIX I

Nature of Investigation and types of Evidence likely to be secured

During the Data collection phase the Investigation team will collect Computer\Network and Mobile evidence which may be located in Emails, Files on the network, System logs, Configuration files and Internet activity logs. The challenge of data acquisition is often the volume of imaged data and the investigations of multiuser environments (servers with multiple user settings/data).

The investigation team will examine

  • Files and folders in good standing
  • Deleted but recoverable files
  • Deleted but partially overwritten files
  • References to files that are no longer there
  • Logs, Internet Histories, Cookies, configuration settings, etc..

Examples of what potential might be retrieved would include the following

  •    File Carving – Recover Deleted documents and fragments of documents
    • Email analysis – Webmail traces on hard drive, deleted mails
    • Document analysis – Timestamps, Metadata Information, MD5 Hashing
  •    Key word searches run across a device
  •    Password cracking
    • Internet usage – Evidence of Internet history, sites visited, user search terms – both active or deleted
  • Analyse file fragments in unallocated space or file slack
  • Analyse data by using date-ranges
  • File type searches
  • Printing docs, Log-in logs to Networks, Internet histories, Application Traces, Accessing Documents, Link files,
    • Deleted Data – whether data has been deleted and information about that deleted data, including in certain cases the deleted data itself;
    • Information about USB connectivity (in other words whether or not memory sticks have been inserted into a device, which can indicate if files of relevance were copied to them), identify the make, model and serial number of the removable storage device, when it was first connected and the last time it was used.
  • Installation and or use of unauthorised applications or software
  • Web based chat messenger and email communications i.e. Hotmail/Gmail and whether these have been used to send emails of potential relevance
  • Web based storage applications (Dropbox) – whether data has been sent to these locations and information about when, what etc
  • File recovery and its metadata – were the files opened on an external device?
  • Mobile devices – files which can be recovered include all voicemails that were ever left on the phone, all emails ever sent or received, and data users often believe is deleted but can be recovered – including text messages, contacts, call logs and pictures.  The blending of modern smart phones with GPS technology can also pinpoint a departing employee’s location at a particular date and time.

APPENDIX II

Cyber Security Incident Report        

Reported By: Phone No.
Email: Date Reported:
Agency Device Type:
Name of Individual Affected: Location/Address of Problem:
User Description of Problem:  
 
Electronic

  • User Compromise

    Compromised/Stolen/Altered Data

    Theft and use of Others ID’s

    Personal Identifying Information (PII)

    Other

If Other Please Explain:

  • Physical

   Unauthorized Access

   Access Control Avoidance

   Equipment Stolen or Damaged

   Other

If Other Please Explain:

  • Misuse of Resources

   Unauthorized Use of Remote Control

   Unauthorized Use of Software

   Inappropriate Use of Email

   Inappropriate Use of State Resources

   Inappropriate Use of Internet

   Unauthorized Solicitation

   Illegal Log-in Attempt

   Hoaxes

   Storage and/or Distribution of illegal Software

   Other

If Other Please Explain:

    • Malicious Code Activity

   Virus Scan Engine Version _____________

   DAT Version _____________

   Date of Last Virus Scan ___________

   EPO Agent Installed

   Spam

   Other

If Other Please Explain:

 An Alert was sent to:

   Administrative & Program Support Branch

User description of problem

Incident Type

Investigated by: Evidence Collected  (choose)    YES       NO                 
Number of Intruders: Number of Hosts:
Incident Source: Analysis of Findings:
Recommended Action:
Additional Comments:

APPENDIX III

 

INTELLECTUAL PROPERTY INCIDENT HANDLING FORMS PAGE __ OF __

 

CASE REF: _____________

 

INCIDENT CONTACT LIST DATE :_____________

Intellectual Property (IP) Owner Contacts

Corporate Officer:                                                      Corporate Incident Handling, CPO:            Name:___ _________________       Name:________________________________

Title: __________________________________ Title: _________________________________ Phone:___________  Alt. Phone: ____________ Phone:____________ Alt. Phone: __________

Mobile: __________ Pager:_______________    Mobile: ______________ Pager:___________ Fax:_________________ Alt. Fax:___________   Fax:______________ Alt. Fax:_____________         E-mail: ________________________________   E-mail: ________________________________ Address: _______________________________  Address: ______________________________

CIO or Information Systems Security Manager:   Corporate HR Officer:

Name:___Mr Lopez____________________       Name:________________________________

Title: __________________________________ Title: _________________________________ Phone:___________  Alt. Phone: ____________ Phone:____________ Alt. Phone: __________

Mobile: __________ Pager:_______________    Mobile: ______________ Pager:___________ Fax:_________________ Alt. Fax:___________   Fax:______________ Alt. Fax:_____________         E-mail: ________________________________   E-mail: ________________________________ Address: _______________________________  Address: ______________________________

 

 

APPENDIX III

INCIDENT REPORT

1. Contact Information
Full name:
Job title:
Division or office:
Work phone:
Mobile phone:
E-mail address:
Additional Contact Information:
2.  Type of Incident (Insert X on all that apply)
Account Compromise (e.g., Lost Password)
Denial-of-Service (Including Distributed)
Malicious Code (e.g., Virus, Worm, Trojan)
Misuse of Systems (e.g., Acceptable Use)
Reconnaissance (e.g., Scanning, Probing)
Social Engineering (e.g., Phishing, Scams)
Technical Vulnerability (e.g., 0-day Attacks)
Theft/Loss of Equipment or Media
Unauthorized Access (e.g., Systems, Devices)
Description of Incident:
3. Scope of Incident (Insert X on all that apply)
Critical (e.g., Affects State-Wide Information Resources)
High (e.g., Affects Agency Entire Network or Critical Business or Mission Systems)
Medium (e.g., Affects Agency Network Infrastructure, Servers, or Admin Accounts)
Low (e.g., Affects Agency Workstations or User Accounts Only)
Unknown/Other (Please Describe Below)
Estimated Quantity of Systems Affected:
Estimated Quantity of Users Affected:
Third Parties Involved or Affected:

(e.g., Vendors, Contractors, Partners)

Additional Scope Information:
4. Impact of Incident (Insert X on all that apply)
Loss of Access to Services
Loss of Productivity
Loss of Reputation
Loss of Revenue
Propagation to Other Networks
Unauthorized Disclosure of Information
Unauthorized Modification of Information
Unknown/Other (Please describe below)
Estimated Total Cost Incurred:

(e.g., Cost to Contain Incident, Restore Systems, Notify Data Owners)

Additional Impact Information:
5. Sensitivity of Affected Data/Information (Insert X on all that apply)
Critical Information
Non-Critical Information
Publicly Available Information
Financial Information
Personally Identifiable Information (PII)
Intellectual/Copyrighted Information
Critical Infrastructure/Key Resources
Unknown/Other (Please Describe Below)
Data Encrypted?
Quantity of Information Affected:

(e.g., File Sizes, Number of Records)

Additional Affected Data Information:
6. Systems Affected by Incident (Provide as much detail as possible)
Attack Sources (e.g., IP Address, Port):
Attack Destinations (e.g., IP address, Port):
IP Addresses of Affected Systems:
Domain Names of Affected Systems:
Primary Functions of Affected Systems:

(e.g., Web Server, Domain Controller)

Operating Systems of Affected Systems:

(e.g., Version, Service Pack, Configuration)

Patch Level of Affected Systems:

(e.g., Latest Patches Loaded, Hotfixes)

Security Software Loaded on Affected Systems:

(e.g., Anti-Virus, Anti-Spyware, Firewall, Versions, Date of Latest Definitions)

Physical Location of Affected Systems:

(e.g., State, City, Building, Room, Desk)

Additional System Details:
7. Users Affected by Incident (Provide as much detail as possible)
Names and Job Titles of Affected Users:
System Access Levels or Rights of Affected Users: (e.g., regular User, Domain Administrator, Root)
Additional User Details:
8. Timeline of Incident (Provide as much detail as possible)
a. Date and Time When Agency First Detected, Discovered, or Was Notified About the Incident:
b. Date and Time When the Actual Incident Occurred:

(Estimate If Exact Date and Time Unknown)

c. Date and Time When The Incident Was Contained or When All Affected Systems or Functions Were Restored:

(Use Latest Date and Time)

Elapsed Time Between the Incident and Discovery:

(e.g., Difference Between a. and b. Above)

Elapsed Time Between the Discovery and Restoration:

(e.g., Difference Between a. and c.  Above)

Detailed Incident Timeline:
9. Remediation of Incident (Provide as much detail as possible)
Actions Taken To Identify Affected Resources:
Actions Taken to Remediate Incident:
Actions Planned to Prevent Similar Incidents:
Additional Remediation Details:

Question 2

You are expected to attend an interview with CEO, a HR representative and a member of the Karsean Technologies IT Department. Detail what questions you would ask the CEO, HR and IT Department staff

Outlined below are the issues which should be covered as part of the Preliminary Investigation Discussion (PID).  This is the first stage of incident handling procedures, which must be applied before handling any investigation, the purpose of this stage is to determine whether the Client organisation operation and infrastructure can support the investigation. Preparation phase is divided into Pre-preparation, Case evaluation, Preparation of detailed design for the case, Preparation of investigation plan and Determination of required resources.

The Forensic Investigation team will outline the information which they establish during the initial contact with the CEO, this will be supplemented by the Information completed on the Incident Report by the POC. The PID will establish known information of an incident. The investigator will normally conduct interviews with Management\IT and HR. Information obtained during these interviews will establish the basic reference points of the investigation.

The PID will specifically determine the following general issues which will be documentation as part of the Incident Response Questionnaire

Client expectations from the investigation – clients can have misconceptions of what information can accurately be determined. The investigator must insure that the client’s expectations are realistic within the established resource framework and timeframe.

Other illegal activities which may be uncovered – Management should be mindful of the fact that what begins as a collection of evidence for violation of administrative policy, the case may escalate into collection of evidence for more serious issues that are subject to civil and/or criminal penalties.

Limits to the investigator’s authority – The investigator should insure that the client has a clear understanding of the type of investigation, activity covered under the investigation and limits of the Investigator’s authority.

Determine legal restrictions – what is the legal position of the company in relation to the employees who have left the company. Has the client contacted their appropriate legal counsel concerning the event and informed counsel of the desire to conduct a forensic investigation.

We would use the Questionnaire below to establish key details

Incident Response Questionnaire

Information gathering with the Management Team –

Complete Appendix I – INTELLECTUAL PROPERTY INCIDENT HANDLING FORM

Complete Appendix II – INCIDENT CONTAINMENT FORM

  • Review of Incident Response Template completed by Point of Contact – See Appendix IV from Question 1
  • Who within the organisation is aware of the incident
  • What process(es) did the user perform in order to get IP Data out of the building?
  • Has the Financial impact been assessed
  • Did Mr Lopez take Mr Wayne’s\Mr Woodson’s building access key on departure
  • What system (s) holds the Customer masterdata and Renewal information or was the detail held on a file and if so what format.
  • Has the organisation insurance cover for Cyber Risk
  • Does the breech pose any risk to other organisations
  • What type of phones did the employees have
  • Was there a BYOD policy for laptop use in conjunction with the Desktop
  • We need to established whether the employees have used (a) cloud based email accounts (s)?
  • What level of IT skills would the suspects have?
  • Did the employees use a cloud based file-storage account ?
  • Did the employees perform file transfers to a home computer via remote access ?
  • Did the employees use a USB Flash Drive
  • Did the suspect perform mass deletions
  • Did the person use a wiping program to cover their tracks
  • Establish whether Management has concerns the other employees may be working with or have continued links with the former employees

 

Questions for IT Personnel

Server\Applications\Logs\Email\User Accounts\Physical Hardware

  • Where are the affected IT infrastructure components physically located?, Where is the Network Server located, what type of file servers are in use? Is there Guest and remote access?
  • What logs currently exist for the IT infrastructure? Have we got the back-up logs, Are logs backed up or overwritten? If so, what frequency?
  • We need logs prior to Mr Wayne’s departure plus logs for the period between Mr Wayne’s and Mr Woodson left the company to view Mr Woodson’s activity.
  • Is there a diagram or illustration of the affected network’s topology and system architecture? Is there supporting documentation?
  • Is any of the organization’s IT infrastructure hosted by third-parties?
  • What IT infrastructure components (servers, websites, networks, etc.) are directly affected by the incident?
  • What applications and data processes are suspected to have been used for the theft
  • Has IT prepared an analysis of network\application activity which they can supply to the team. What commands or tools were executed on the affected systems
  • Review of all logging – Network\Firewal\Routers logz and Wireless Access Points\ File Servers (e.g. internal access of data)\Backups\Remote access to network\ Internet Access\Database log\Web proxies logs\ Printers logs)
  • If logs were reviewed, what suspicious entries were found?
  • Look at network configuration details and connections; note anomalous settings, sessions or ports.
  • What are the network restrictions for employee-users and other parties who had access?
  • Task IT with identifying names/ details concerning: o Internet or hosted service providers o Internal IP ranges and external facing IP ranges o Naming conventions for organization’s networked computers/ servers
  • What e-mail systems and application are used by organization? What is the configuration? What is the security policy for email? Is there remote access? (This includes attachments scanned, dumpster set for deleted email recovery, and archived retention of all email.)
  • What are password policies/ employee account audits? IT/ HR should begin compiling documentation showing organisation’s password policies..
  • Wireless Access Point Security type including authentication, encryption, etc.?
  • Confirm that ALL infrastructure access been disabled for both employees
  • Did any of the employees have Administrator rights on their desktops
  • Look at the list of users for accounts, anything unusual noted\ should have been disabled.
  • Is there an IT asset inventory report for all infrastructure components related to the incident e.g. Mobile phones\desktops\Access to a company laptop? (If none in use, is there a current inventory of IT assets related to the incident? The report should contain hard and software information such as MAC Address and OS, network identification information such as host name and network address, and other system details.)

Physical Logs

  •         Automated building entry/ exit systems ii. Sign-in sheets iii. Video surveillance iv. Lists of key assignments or room access to servers or IT equipment

Questions for HR

HR representative should be present at the PID to order to establish and discuss the organisations Acceptable Use Policies (AUPs), corporate monitoring policies and restrictive covenants associated with employment contract arrangements with both employees. We had previously established that the employer is entitled to seek phone records as the employees has waved their rights when then agreed to allow the employer to pay for their SIM plan

AUP

  •  employee privacy issues
  •  employee use of company assets
  •  employee conduct at work
  •  company policies concerning the event or incident as appropriate – access to mobile phone records
  • Access, if any, an employee has to the data storage areas of the network, as well as rules pertaining to removing it from the network
  • AUPs which addresses the deletion/destruction of files
  • Connection of external devices to the computer. Are employees allowed to use their USB thumb drives on any computer in the network? USB drives with malicious programming that will open a back door into the network.
  • changes or modification on their computer

Employee duties on restrictions on competition – were either employee a director

All employees are under a duty of good faith to their employer, we would ask HR about the terms of the employee contracts in relation to restrictions.

  • Does the contract have a clause covering preparation to compete i,e, during employment the employee must not set up in competition with his employer as there is evidence in this case that both employees are in breech
  • restrictions on other business activities, whether within or outside working hours
  • restraints on the use and disclosure of confidential information
  • duties akin to fiduciary duties, to act always in the best interests of the employer and incorporating expressly the statutory duties on directors imposed by the
  • confidential information which comes to his knowledge during the course of his employment trade secrets will be protected by the equitable duty of confidence.
  • The duty of confidentiality survives the end of employment in relation to trade secrets.
  • No conflict rule -A fiduciary employee must avoid any conflict between the duties owed to the employer and his own interests.
  • The disclosure rule – A fiduciary employee must disclose his own wrongdoing, as well as matters which are of wider interest to his employer.

 

Questions for Legal advisors

The company’s legal representative should present any concerns and recommendations during the PID, what legal options the company might pursue and whether any warrants are required to access material, breech of contract etc

Based on the answers to the questions above the Investigator will be able to provide an initial estimate of the amount of resources (time, equipment, personnel and cost) to complete the investigation e.g. amount of evidence which must be collected, acquired\analysised and the type of report which Management expect on completion.

If Management decide to progress with the Investigation we would need to agree the following

Investigation procedures

  • When the investigation should commence
  • Who is authorised to make business decisions regarding the investigation
  • What mechanisms will the Investigation team use to communicate when handling the incident? (e.g., email, phone conference, etc.) What encryption capabilities should be used?
  • What is the schedule of progress updates? Who is responsible for them?
  • Agree personnel who will conduct “in the field” examination of the affected IT infrastructure? Note their name, title, phone (mobile and office), and email details.
  • Agree who will interface with legal, executive, public relations, and other relevant internal teams?
  • Escalation procedures – Agree procedures on how to escalate or notify the client of operational problems involving the investigation or if additional resources are required
  • What tools are available to our investigator to assess network and/ or hostbased activity

Collection of Evidence

Outline the specific procedures which must be followed in relation to the Collection of Evidence

  • Providing chain-of-custody documentation – It is essential that any items of evidence can be traced from the crime scene to the courtroom, and everywhere in between. The Investigator must be able to prove that a particular piece of evidence was at a particular place, at a particular time and in a particular condition. This applies to the physical hardware as well as the information being retrieved from that hardware. If the chain of custody is broken, the forensic investigation may be fatally compromised.
  • Labelling and Documenting the evidence
  • Transporting the evidence
  • The Forensic Team will begin the take of imaging the desktops and mobile phones for evidence

APPENDIX I

INTELLECTUAL PROPERTY INCIDENT HANDLING FORMS

 

CASE REF:

 

INCIDENT IDENTIFICATION DATE UPDATED:_____________

 

General Information

Incident Detector’s Information:

Name:__________________Date and Time Detected: ______________________

Phone:______lt. Phone: _____

Location Incident Detected From: ___________________________________

Additional Information:___________________________

E-mail: ______________________________________ _____________________________________________

Address: _____________________________________ _____________________________________________

_____________________________________________ _____________________________________________

Detector’s Signature:________________ Date Signed: ______________________

Intellectual Property Profile Summary

Type of Intellectual Property (IP) Detected: __________________

Total Number of IP Items Detected: __________________

• Document(s) • Audio • Application(s)• Image(s) • Video

Additional Information:_____________________________

Other:______________________________________ _______________________________________________

Root Location of IP Items (URL, etc) on Detected System:_____________________

___________________________________________________________________

How was the Intellectual Property Detected:

__________________________________________________________________

________________________________________________________________

___________________________________________________________________

___________________________________________________________________

__________________________________________________________________

___________________________________________________________________

APPENDIX II

INTELLECTUAL PROPERTY INCIDENT HANDLING FORMS PAGE __ OF __

 

CASE REF:

INCIDENT CONTAINMENT DATE UPDATED:_____________

 

How were the intellectual property items compromised:

Are the original files accessible from company resources? • YES • NO

If YES, properly document location(s) on the Incident Identification form.

Are the original files secured? • YES • NO If YES, how and where are these files secured: _______________________________________________________

Have the company systems been reviewed for possible authorized or unauthorized access? • YES • NO ______________________________________________________________________________

If YES, where is the location of the report or incident handling forms documenting this access: _________________________________________________________________________________

If NO, what was the reason:___________________________________________________________ ________________________________________________________________________________ Have trusted partner systems been reviewed for possible authorized or unauthorized access? • YES • NO  _____________________________________________________________________________

If YES, where is the location of the report or incident handling forms documenting this access:  _________________________________________________________________________________

If NO, what was the reason:___________________________________________

Question 3

During the interview, the phone and desktop of Mr. Wayne are presented to you for examination. You are expected to take the lead on the investigation, prepare chain of custody, and steer the CEO in the best possible direction to get the best outcome of the investigation. Detail your actions and recommendations. [20 Marks]

  1. Physical Forensics and Investigation Phase of Investigation.

We will explain to Mr Lopez that this part of the Investigation involves the Physical Forensics and Investigation Phase of the Investigation. The goal of this phase is to collect, preserve, analyse the actual physical evidences and reconstruct what happened, this stage is divided into

  • Physical preservation and preliminary survey
  • Evaluate the physical scene,
  • Initial documentation, photographing and narration
  • Search and collection of physical evidence
  1. What Evidence should be collected

We will explain to the Client that the evidence in the case extends beyond the Desktop and the mobile. All artifacts from the workstations for both Employees should be collected, VOIP phones, USB fobs, CDs and IT logs as detailed during the PID meeting. The Investigator will require passwords required to access the system, software, or data. [An individual may have multiple passwords, e.g., BIOS, system login, network or ISP, application files, encryption pass phrase, e-mail, access token, or contact list].

In relation to the workstations we have established that both workstations have been switched off, as the CEO had attempted to look for evidence from Mr Wayne’s workstation so the data on this system will be somewhat compromised.

  1. Chain of Custody Reports

Explain the procedures to the Client in relation to Chain of custody documentation and Forensic Evidence forms. Meticulously documentation is required during a Forensic Investigation, for every physical unit of evidence taken into possession by an investigator there must be a continuously maintained chain of custody report, it is a timeline for evidence. If breaks exist in the timeline, this could indicate an opportunity for the data to be changed or modified.

The Chain of Custody form should answer the following:

  •              What is the evidence?
  •              How did you get it?
  •              When was it collected?
  •              Who has handled it?
  •              Why did that person handle it?
  •              Where has it travelled, and where was it ultimately stored?

The chain of custody form will detail the following

  • Identify the item precisely, listing type of evidence, make, model, and serial number (if relevant),
  • Take a photograph of the item (if possible).
  • Packaging of item
  • Specify when was the item taken into possession.
  • Identify where or from whom the item was seized.
  • Record who acquired the item along with the time and date acquired.
  • Document who transported the item and how was it transported.
  • Document how was the item stored during transport.
  • Regularly record how the item was stored during possession.
  • Provide a continual log, showing the time and date of each time it was checked out for examination, the purpose for checking it out, and the time and date it was checked back in for storage, identifying who had possession of the item during that time.

While an item is in possession of the investigator, any changes should be documented to preserve the integrity of the evidence. Such documentation needs to include a precise identification of the device in possession (and the controls in place to protect the device).  Document what methods were used to prevent data from being inadvertently written to the device (write-blocker devices, software write-protection, etc.). Generate before and after hash values to confirm that the data source did not change while in possession. If it did change, document what process caused the change, along with how and why the change occurred.

The Chain of custody forms will be filled out by the person performing the collection and anyone who takes possession of the evidence. Every time the evidence is exchanged between two people, the chain of custody documentation should be updated to document when the transfer occurred and who was involved. We have detailed in Appendix 1 a sample chain of custody document

  1. Process for collection\packaging and transportation of Evidence
  • Start the search and seizure evidence log to document all devices state – Case identifier, Date, time and, Personnel and condition of evidence. Complete the evidence log with separate IDs for each item of evidence. If possible, have one person serve as evidence custodian
  • Use photographs and sketches to supplement, not substitute for, the narration
  • Select a narrative method – written, audio, or video
  • Do not collect evidence or touch anything during the narration. The narration should include the following:
  • a. Case identifier.
  •  b. Date, time and location.
  •  c. Identity and assignments of personnel.
  •  d. Condition and position of evidence.
  • Prepare a photographic log that records all photographs, description and location of evidence and then include it in the search and seizer log file.
  • Mark the specifications on Evidence
  • All connections and plugs should be labelled and marked for evidence
  • Place labels over all the drive slots and over the power connectors
  • Packaging procedures, ensure that all collected evidence is properly documented, labelled, and inventoried before packaging Avoid folding, bending, or scratching computer media.
  • Ensure that all containers used to hold evidence are properly labelled
  • Each package should have a unique label which will detail the name of the person who packed the Evidence, the contents of package, where the evidence will be packed, from where it was taken, and the time and date of packing
  • Use a secure means of transportation which will preserve the evidence
  • Maintain the chain of custody until received in procession of Investigator in the Lab
  • Appendix II sets out a sample checklist for the process

Appendix I

 

 

 

 

 

Appendix II

MAZINCO
EVIDENCE CHAIN OF CUSTODY TRACKING FORM

 

 

Case Number: ____TARA______________

Forensic Consultant: (Name/ID#)  x17128641___________________

Client: ________Karsean Technology________________________________________

_____________________________________________________________________

Date/Time Seized:_02/03/18_9.30 am___

Location of Evidence: _Unit 23, Park Drive, Ballymount D12_____________________

Description of Evidence
Item # Quantity Description of Item (Model, Serial #, Condition, Marks, Scratches)
1 1 Dell 460  Desk top Seriiel No 123654GHJ
1 1 Kingston fob 8 GB USB Seriiel No TLK56654GHJ
Chain of Custody
Item # Date/Time Released by
(Signature & ID#)
Received by
(Signature & ID#)
Comments/Location
1 02/03/18_9.30 am Received Dell Desktop at Unit 23 Park Drive Ballymount D12
Chain of Custody
Item # Date/Time Serial No Notes  
1 02/03/18_9.31 am

 

MAZINCO
EVIDENCE CHAIN OF CUSTODY TRACKING FORM

 

 

Case Number: ____TARA______________

Forensic Consultant: (Name/ID#)  x17128641___________________

Client: ________Karsean Technology________________________________________

_____________________________________________________________________

Date/Time Seized:_02/03/18_9.30 am___

Location of Evidence: _Unit 23, Park Drive, Ballymount D12_____________________

Description of Evidence
Item # Quantity Description of Item (Model, Serial #, Condition, Marks, Scratches)
1 1 Kingston fob 8 GB USB Seriiel No TLK56654GHJ
Chain of Custody
Item # Date/Time Released by
(Signature & ID#)
Received by
(Signature & ID#)
Comments/Location
1 02/03/18_9.31 am Received Dell Desktop at Unit 23 Park Drive Ballymount D12
Chain of Custody
Item # Date/Time Serial No Notes  
1 02/03/18_9.31 am

 

 

References

Technical Working Group on Biological Evidence Preservation. The Biological Evidence Preservation Handbook: Best Practices for Evidence Handlers. U.S. Department of Commerce, National Institute of Standards and Technology

Cite This Work

To export a reference to this article please select a referencing stye below:

Reference Copied to Clipboard.
Reference Copied to Clipboard.
Reference Copied to Clipboard.
Reference Copied to Clipboard.
Reference Copied to Clipboard.
Reference Copied to Clipboard.
Reference Copied to Clipboard.

Related Services

View all

DMCA / Removal Request

If you are the original writer of this essay and no longer wish to have the essay published on the UK Essays website then please:

McAfee SECURE sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams Prices from
£124

Undergraduate 2:2 • 1000 words • 7 day delivery

Order now

Delivered on-time or your money back

Rated 4.3 out of 5 by
Reviews.co.uk Logo (45 Reviews)