A Report On A Digital Forensic Investigation Information Technology Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

In this era, from large corporate organisations to small size businesses are facing a lot of difficulties when it comes to electronic evidence and information gathering during conflicts and crimes. The Central Capital Holdings Inc (CCH) is a global group of companies, where the organisation has interest in numerous specific sectors in the financial market along with various child organizations established in 12 countries.

Due to the network environment being flat and unrestricted between all CCH child organizations, the employees began to face various types of critical issues, e.g. relating to workstations, servers, firewalls and network segmentations.

A high-ranking employee of one of the child organisation of CCH assumed that someone has compromised his computer, and has contacted the information security department with his concerns.

1.2 Aims

The core aim of this report is to analyse every characteristic and scope of a digital forensic investigation, which would help Central Capital Holdings Inc (CCH) in selecting the finest solution to satisfy their purpose regarding their compromised computer system. This report executes the needs for information security, specifically investigative and forensic department associated in the company. The report also highlights on putting forward few of the finest solution for the company.

1.3 Report Content

This report contains all the relevant information related to digital forensic investigation, also including the suggestions that would help the organisation from security prospects that would fulfilled all their needs and purpose. Firstly, a brief discretion of digital forensic investigation has been discussed along with the reasons for conducting this type of investigation, its methodology and approach. Secondly discussed are the resources and tools used for this type of investigation, along with skills that would be required by investigation team members or officer. Thirdly, outlining the approach in indentifying evidence and acquisition for preparing an investigators review for digital evidence and lastly, outlining the steps that would be taken during the analysis phase, along with a table of contents for the analysis report which includes scope and the supporting materials with references.

2.0 Digital Forensic Investigation

Digital forensic investigation is becoming a key element for many organisations today, according to Carrier (2009) a digital forensic investigation is regarded as a special case of a digital investigation where the procedures and techniques bringing used would permit the results to be entered into a court of law whereas Peterson & Shenoi (2009) states that digital forensic investigation involves the application of a series of processes on digital evidence such as identification, preservation, analysis and presentation.

Reasons for Conducting Digital forensic investigation

According to Jones & Valli (2009) some of the common reasons for conducting a digital forensic investigation are criminal investigations, civil litigation investigation and data recovery. Digital forensic investigation is conducting of an investigation, after a misuse or issues relating to information technology.

CCH's highly ranked employee assumes his computer has been compromised.

The employee notices that the computer had become very slow when logging on.

Errors were popping up during bank transfers.

Emails with transfer details were found in the inbox stating message could not be delivered.

These are some of the concerns which lead to the organization to arrange an investigator which is regarded as request for service, the initial step of a digital forensic methodology/investigation to find out whether the company's computers have been compromised and if yes then what is the data/information were compromised.

2.2 Digital Forensic Methodologies

The digital forensic methodologies are an important step which needs to be followed by investigators as it focuses or fulfils the requirements for computer investigations relating to cyber crimes. Cardwell, Reyes & Wiles (2007) state, a digital forensic methodologies consist of identification, collection, organisation and presentation of huge amount of digital information.

2.3 Phases of Digital Forensic Investigation

To get a clear picture on how the investigators conduct data collection and digital evidences through digital devices below are some producers which could be used according to Wiles (2007). Digital forensic investigations have five phases which are follows:

Request for services: In this service organization's human resource department, legal department and many other departments send request for digital forensic investigation and the request can send by phone, e-mail and instant messages.

Initial analysis phase: This initial phase helps to know about the number of digital forensic investigator and what kind of hardware and software are being used during the analysis phase. Three stages fall below this phase:

Documentation: focuses on the description of data which has been collected during the digital forensic investigation because this documentation illustrates about the evidences from suspect's computer in front of the jury.

Planning: a very essential phase during digital investigation because investigator needs planning and collaboration with victim's departments.

Identification: differentiates computer systems such as: desktops, laptops and servers. It helps to set up first baseline on storage capacity for team.

Data Collection Phase: This phase focuses on how data/information could be collected from digital forensic resources. This phase includes documentation, date/time, imaging protocol, desktop/laptop collection and mobile device collection.

Data Analysis Phase: Illustrates how gathered data can be processed. A detail check list and methods will be described for assisting the team for data analysis. Some guidelines and protocols will be provided to the investigator to make the data analysis easily. Guidelines and protocol will be helpful for hash analysis search, keyword search and file signature search.

Data Reporting Phase: This phase would describe about the observed, analysed and documented facts that are stored in the investigation report. This report may have executive summary, analysis summary and final summary.

The CCH investigator had been sent to attain further and more in-depth detail from the victim. Initial Analysis and the process used in acquiring this information are via interview. Everything has been documented by investigator, so it would be easier to assess and decide whether to begin a digital forensic investigation or not.

3.0 Resources & Tools for Digital Forensic Investigation

Digital forensic investigation is necessary whenever an organization has some uncertainty about loss of data and information, in order to rectify the issue; organizations need to have proper resources and tools which may be beneficial to systematize the problem. When conducting a digital forensic investigation the two major components are being looked at are hardware and software. These are some of the commonly used tools and resources during an investigation (Nelson, Phillips & Steuart, 2010).

Evidence Bags-Used to secure and catalogue the evidence, e.g. of this type of bags are Antistatic bags and antistatic pads.

Evidence Container - also known as evidence lockers, used to put evidences for security where these containers must be protected from unauthorised access. These containers should be placed in restricted area and should be locked if not been used.

Evidence Custody forms- help in documenting on what has been done with original evidence and forensic copies. Two types of form:

Single evidence form

Multi-evidence form

Computer Forensic Workstations- contains specifically configured pc, installed with forensic softwares and bays to push the case forward easily.

3.1 Tools

More advance forensic tools give support for versatility, flexibility and robustness for technical support, where the main purpose of tools is to give support the applications such as operating system, file system, automated features and vendor's reputation and at the time of searching the tools investigator must know that what file is being analysed (Carrier & Grand 2004).

3.1.1 Types of computer forensic tools

According to Carrier & Grand (2004), an investigation team may use two kinds of tools, hardware and software tools:

Hardware Forensic Tools- These forensic tools are required to prepare computer systems and networks that may be in single and simple purpose modules, there may be much kind of components such as ACARD AEC-7720WP Ultra Wide SCSI-to-IDE. Furthermore, PCI bus, RS232 UART, Digital intelligence F.R.E.D systems and Forensic Examination Stations are examples of hardware forensic tools and all these tools are portable.

Software Forensic Tools- Command line and GUI applications are two categories of software forensic tools. Many of these tools are capable and designed to do one or more jobs. Guidance Software Encase, X-Ways Forensics, EE software tools, DFTT, CFTT and AccessData FTK tools can do many functions related to digital investigation. The actual tasks of these tools are to get suspected data from the victim's computer system. FTK and Prodiscovers are investigation tools to attain information from suspect's drives (Beckett, Guo & Slay 2009).

3.3 Skills of an Investigation Team or Officer

According to Vacca (2005), a investigator should have a good knowledge, skills, along with binging familiar with more than one computing resources such as DOS Windows 9x, Linux and Macintosh, and be able to provide standard services, on-site services, emergency services, priority services and weekend services.

Forensic experts should be able to work until or unless any suspected proof is found.

Investigator should have the ability to take a trip to the location to execute the entire computer evidence services.

Experts must be able to create spare copy of data storage media and must assist federal marshals seize computer data, and must have knowledge of federal guidelines for investigate something on computers.

Investigators must be able to present the case in top priority in labs if the computer storage media is collected.

If the case is critical the investigators should not have any problem to work on Saturday and Sunday as well.

The CHH information security, investigation and forensic department are based in Melbourne; whereas the affected employee is based in Sydney. An investigation officer had been sent to the actual site to assess or to gain information to begin a proper digital forensic investigation.

4.0 Evidence Identification Process

According to the Vacca (2005), a computer forensic investigator would take the following steps when identifying evidence that may exist on a compromised computer system.

Investigator would protect the compromised computer system from any possible alteration, damage, data corruption, or virus introduction.

Disclose all files including existing normal files, hidden files, password protected files, deleted yet remaining files, and encrypted files

The content of hidden, temporary or swap files which are used by the application programs and the operating system is revealed.

All possible relevant data along with those which were found in the inaccessible area of a disk is analysed.

Taking print out of the overall analysis of the compromised computer system and listens to the relevant files.

Providing consultation of an expert if required.

4.1 Evidence Acquisition

Acquisition could be described as how the CCH investigator takes charge of all the evidences which is related to the compromised computer system. According to the Wiles (2007), a computer forensic investigator would take the following steps:

Documentation- It is the initial phase, with the help of this we can explain the actions that occurred in the electronic discovery effort, if case is presented to an attorney, jury etc. In this phase chain of custody begin, with the help of it digital examiner provides necessary information to explain when data was obtained, by whom, and where the data was stored in the enterprise.

Keyword search-This search can be accessed by applying keywords that the requesting department has arranged or has identified through investigation. With the help of keyword search the scope of the analysis can be shortened to only those files that are related to the search. This keyword search can save time and effort and allow the digital investigator to concentrate on the valuable information.

File signature search-This is conducted to utilize file signature analysis. File signature is used in the electronic discovery effort to narrow down these types of files.

Data reporting phase-It explain the working of data obtaining during the collection and reporting phase will be introduced. This report would be the last asset that can be provided to the legal department that asked for the electronic discovery support from the team. This is essential that report explain facts that were observed, analysed and documented. Neutrality in capture, analyses and reporting are the most important role that a digital investigator or electronic discovery facility can bring to the case.

Log files- Log files record which account was used to access a system at given time. The information about user's account that was used to commit a crime can be obtained with the help of log files. The application and system event logs also contain information about user's activities on system (Casey 2004).

5.0 Analysis Phase

Analysing digital evidence may not be as exciting as identifying or collecting, but it surely is the most critical element of media analysis. During this phase, extraction of data and the interpretation of artifacts play the major role to develop a report which organises and interprets the arcane world of digital evidence, which could be used to confirm or disconfirm civil, administrative, or criminal allegations (Cardwell, Reyes & Wiles 2007).

According to Kanellis (2006) three major categories of forensic functionality are imaging being the first step where a copy of the evidence is made for subsequent analysis to prevent tampering of the original, forensic analysis allows to recover corrupted, deleted, hidden, password-protected and encrypted files and finally visualization, which involves time-lining of computer activity with the help of information gathered from various log files e.g. connection logs, router logs, application server logs, firewall and IDS logs. The precise date and time range is very critical as there is a possibility of producing too much information and overloading the case investigator (Kanellis, 2006).

5.1 Email Analysis

It is said that many crimes are committed via email communication, so it would be beneficial for the CCH investigator to conduct an e-mail analysis (Pollitt & Shenoi, 2006). Emails are used to perpetrate phishing scams along with transmitting threats and viruses; on the other hand email communication also provides evidence of conspiracy, help to identify new suspects and linking them to specific criminal activities (Pollitt & Shenoi, 2006).

Figure 1 gives a brief overview of an email analysis framework, where the framework consists of two phases: information extraction and link discovery. The information extraction phase deals with structured and unstructured information extraction which allows compressing and summarizing email messages with the help of vector format, along with the processes producing a message frequency matrix along with a set of feature weights (Pollitt & Shenoi, 2006). The analysis of vector-formatted email files, message frequency matrix and the corresponding features weights falls under the link discovery phase, which produces correlated pairs that manifest hidden relationships between communication parties (Pollitt & Shenoi, 2006).

(Source: Pollitt & Shenoi, 2006, pg.81)

5.2 Network Forensics

A network forensics could also be conducted by the CCH investigator with the help of tools such as Snort, TemDump in order to determine how unauthorized access to distant computers was achieved, as it provides information related to computer intrusions which log files in the victim's computer, routers along with internet service provider (ISPs) which could be used to track offenders (Kanellis, 2006). The intrusion detection systems utilize system logs along with audit trails in the computer and information collected at routers or switches.

5.3 Hidden Data Analysis

The CCH investigator should also consider the hidden data analysis as the trend of using diverse obfuscated techniques such as disguising file names, hiding attributes and deleting files to intrude the computer system are the recent trend being utilize during cyber crimes, and this is possible as Windows operating system does not zero the slack space, allowing it to become a means of transportation to hide data, particularly in $Boot file (Alazab, Venkatraman & Waters, 2009).

The $STANDARD_INFORMATION, $FILE_NAME, $SECURITY_DESCRIPTION and $DATA are the 4 four attributes of $Boot metadata file structure, where attribute $STANDARD_INFORMATION holds temporal information such as flags, owner, security ID, the last accessed, written, and created times, where as the attribute $FILE_NAME includes the file name in UNICODE, the size and temporal information as well (Alazab, Venkatraman & Waters, 2009). The $SECURITY_DESCRIPTION attribute encloses information about the access control and security properties whereas the attribute $DATA restrain the file contents (Alazab, Venkatraman & Waters, 2009).

6.0 Investigation Reports Table of Content


Summary report of the entire investigation

Table of contents

Includes all the heading & sub heading

Body of report

What is digital forensic investigation

Reasons for CCH to conduct a forensic investigation

Forensic methodologies & phases could be used

Forensic resources/tools and skills required

Identifying evidences & acquisition

Different types of analysis to be conducted




7.0 Conclusion

This report summarizes that digital forensic investigation plays a vital role when it comes any type of security breach relating to information technology. As information technology sector grows so does the threats associated to them, which is becoming a major concerns to large organizations such as CCH around the world. To fight against these threats and to determine the cause of each issue, we could rely on digital forensic investigation methods and its power-full tools and resources.