An appraisal of the situation using the knowledge gained from this course. Also, perform a digital forensic investigation on the matter.

As head of the Information Protection Department of Famous Corporation, you have just received a call from the Senior Vice President of Human Resources informing you that in the past four days, there have been four occurrences of money transfers to unauthorized recipients.

During the conversation, you were given the name of the department where the fund transfers had occurred. Furthermore, you were given specific instruction not to engage anyone from that specific department; however, you were given permission to engage law enforcement agencies if applicable.

Write a paper in the form of a report that includes:

• An appraisal of the situation using the knowledge gained from this course and perform a digital forensic investigation on the matter.

• Illustrate your strategy for conducting this investigation.

• Forensic investigation steps for collecting data and the proper steps for resulting in a successful “fraud to trial” outcome.

• Formulation of a plan that can be used to improve weak security measures and to prevent the incident from occurring in the future. Be as specific as possible in your evaluations and explanations?

Digital technology is growing rapidly, and thus has become an integral part of our everyday life. With the rise of Digital Forensic technology there has been a steady rise in digital crimes such as unauthorized fund transferring, identity fraud, financial fraud, and intellectual thievery. Thus to fight against these digital crimes, Digital Forensics plays a significant role. “Digital Forensics involves acquiring and investigating digital information for use as evidence in various courts (Pipkin, 2000)”. It generally investigates data which is unethically copied from digital hard drives or any other digital storage devices in accordance to standard policies and procedures to determine if those devices have been used by unauthorized contact or not. Digital Forensics Investigators investigate the fraud and conduct the forensic analysis in a team by using various tools and Methods to guarantee that the digital network system is protected in an organization. The laws of the country mandate that business organizations maintain a strict record of all their monetary transactions. The reasons for this include; curbing tax evasion measures to ensuring that a company does not present a false success story in the hopes of some quick profit (McDermott, 2001). The role that a forensic accountant plays is crucial here, and it is upon their shoulders that the responsibility of ensuring that a business or individual is being honest in their annual tax filings (Kelly, 2005). An experienced Digital Forensic Investigator is usually adept with various laws and regulations related to digital crimes in their country along with this the investigator also need to be Familiar with the various computer operating systems. There are two categories of Digital Forensics Investigations – the public investigator and the private investigator. Public investigations are usually employed by government agencies, and private investigations are contracted by private digital forensic personnel’s (Anderson, 2003). In this report, as a head of Information protection department, I have been informed that in the previous 4 days, there have been four incidences of fund transfers to unauthorized beneficiaries.  I have been given the details of the department where the money transfers had happened and also specific instruction were given not to involve anyone from that particular department. I was also given consent to employ law enforcement agencies if requried. Generally, information protection department plays a very crucial in organisation. Information is an asset for every firm and hence, protecting it is the primary duty of every employee. Every employee intends to safeguard the confidential information of the firm and prevents it from leaking (Venter, 2003). Data and information management isn’t the responsibility of the IT department but everyone plays a crucial role and it impacts everyone in organisation. By definition, data and information protection refers to the development, execution and supervision of practices and plans to protect and deliver. Also, data and information protection enhance the value of information. In this report, we will look at the appraisal of the situation, demonstrate the strategy to conduct the investigation, relevant steps taken in forensic investigation and developing a plan to enhance weak security measures.

Findings

To investigate the mentioned case, the digital forensic investigation should be carried out in the manner cited below:

Objective of the investigation: To determine if the cause and recipient of the unauthorized fun transfers

Operating system: Microsoft®Windows® 7.

Case Investigator: X

Processing

Assessment

1. Documentation provided by the Senior Vice President of Human Resources investigator was reviewed.

a. It was officially authorized to establish an investigating warrant obtained specifically for the digital examination to be carried out at the premises of the organization

b. The sequence of interaction both authorized and unauthorized was suitably acknowledged on the appropriate departmental regulations.

c. The demand for transfer and a comprehensive outline clarifies the investigation, gives key links, and gave sufficient data about the suspect, the unauthorized transfer, and the forged documents.

The following procedure was adopted to collect evidence.

a. A separate file was produced with the case investigation procedure was stored into the laboratory record.

The digital evidence collected was saved in the Lab, it was also photographed and cross examined.

Imaging

1. The Laptop was inspected and copied.

a. The hardware was examined and documented.

b. A controlled boot disk was placed in the laptops floppy drive.

c. The Laptop was powered off with no modified to the Accounting system

2. To generate an evidence file, EnCase® security software was used, an evidence file was created including the copy of the hard disk of the laptop.

a. It was also observed that the laptop was associated to the main security computer through a modem line which was also attached to the systems adjacent ports.

b. Thus when imaging procedure was completed, the laptops were powered off.

1. A new Laptop was arranged with Windows® 7; EnCase® security software was used along with other digitals forensic investigation software programs.

2. The files obtained as evidence through the EnCase® security software from the laptop were safely stored in the organization’s lab.

a. Another EnCase® security software file was created and the evidence obtained were cross examined by using EnCase® security software. Along with this many of the files which .were deleted by the suspect were recovered using EnCase® security software

b. File Data containing essential information about the name, physical and digital size, time and date and progress report were also recovered (Galliers & Leidner, 2014).

c. A comprehensive through search was carried out including text search on all the recovered files.

d. Graphics files were scanned and reviewed.

e. HTML files were scanned and reviewed.

f. Data files were scanned and reviewed

g. The search brought across two encrypted and password-protected files.

h. Files of investigative significance or evidentiary importance were derived and restored from the EnCase® evidence file and copied to a separate removable hard drive.

3. Unauthorized files were derived and restored from the EnCase® proof file to a clean removable hard disk, along with this all the password protected files were derived and restored and copied to the organizations hard disk.

The investigation of the laptops investigated resulted in the recovery of 372 files of analytical importance and evidential significance

The recovered files included: Several files and documents which contained the name and personal details of the suspect, the document text also included corporate unauthorized checks and forged documents. The collected evidential data also included graphics files, illustrating accounting information, corporate unauthorized checks, currency information (Vacca, 2012).

Upon investigation the HTML files recovered brought across several Hotmail and Gmail email addresses, which stated the interaction between the suspect and an unidentified individual. Whereas the Graphic files Recovered, when investigated brought to notice the scanned images of account details as well NEFT transfers, including currency details.

Out of the two encrypted files- one was found to be a word document whereas the other one was an untitled notepad document. The word document contained a list of personal and confidential details about several individuals – the names, birth date, bank information account information, place of residence were all clearly mentioned. The untitled notepad document included the transfer information.

• Forensic Report – the forensic report clearly reported all the process and evidence found along with the respective actions that were take in great detail. It has been duly signed by the head of the digital forensic department and produced in a case.
• Progress Report- A hard disk which included all the data of evidential significance or investigative interest was submitted. Several Copies of this disk were made so as to provide it to different authorities to be examined.

Conclusion

According to the information discovered by the digital forensic investigators, many new theories of evidence were found.

The Digital Forensic investigation along with an appraisal should be done by following proper methodology and a fixed strategy. To obtain optimal results through investigation, it is essential that the investigation is not carried out in a haphazard manner (Spagnoletti, 2008). The given case was investigated using Digital Forensic investigation methodology, the strategy followed is mentioned below. The digital forensic investigation strategy is a process which is an accepted and authorized systematic and forensic process which is used in the digital forensics investigations. The investigative process is mainly used in computer and mobile forensic investigations, they basically consist of three components namely finding, investigation and reporting. The strategy used to investigate, depends and varies according to the types of cases and frauds (Williams et al 2013). One of the most commonly used strategies is the eight step methodology developed by Rob lee. This strategy is designed in a way to help the agent to remain on the right working direction and guarantees appropriate production of digital data legal procedures and the required penalizing trials, etc. Furthermore, it is also good starting point in while staring an investigation a new case. The principle of these eight steps is to take action methodically to digital forensic investigations and to find out the real fraud. It is also is imperative to understand that a digital forensic investigation works in sync with the digital fraud management (Kiountouzis, 2010).

Documentation

The eight steps of the Digital Forensic Investigation are mentioned below:

Verification: The first step used at the beginning of an investigation is verification. It basically involves verification of an incident which has been reported has happened in reality. It is also includes determining the extent and range of the event and evaluate the case. Questions like What, How, Where and when should be asked about the situation. Along with the nature and the specifications of the case should be verified. This is the beginning step and is essentially significant because it will assist in influencing the description of the event and thus stating the top method to discover and gather information (Harris, 2008).

System Description: The next step is the System Description which involves collecting data about the particular event (Mayer & Aubert, 2014, September). It is essential to start by making notes and recounting the system which is going to be analyzed, where, what and how the system has a role in the institute along with the network. It also includes creating an outline of the operating system and its broad-spectrum constitution such as disk format, RAM etc.

Acquiring Evidence: This step involves identifying the potential source of data, obtain unstable and stable data, verifying the reliability of the data and guarantee sequence of supervision. Throughout this step it is also essential that to give priority to the evidence collected and appoint the concerned party to establish the implementation and effect of selected methodologies, because unstable data changes from time to time, thus the sequence in which the information was collected should be maintained. The digital Media which is withheld for investigation is usually called an “exhibit” in official language. It is important to note that as a part of the analysis and investigation, the next step should carry on in sync to ensure that the investigation can be carried out smoothly (Taylor, 2012).

Timeline Analysis: The next step following the evidence acquirement is analyzing and investigating the evidence in the forensics lab. It should begin by doing a timeline analysis. This is a vital stage and extremely functional since it comprises of data like when the files were customized, accessed, transformed or formed. The data which is collected by using a wide range of methods should be arranged in order to be analyzed. During the analysis it is important to be careful and patient and it thus assist to have systematic file and functioning system.

Media Analysis: In this step basically involves analyzing all the media related information that has been gathered. Investigators must be proficient to respond to queries regarding the programs which were effected, what information and data were downloaded, which were selected, registries were checked, which deleted etc.

A specified technique should be implemented to decrease the information sets are to recognize files recognized to be superior and the files which are to be not so good. The timeline which has been incorporated several times compresses into a single file. Thus it is essential to have information of file systems, and directory artefacts to take benefit of this system that will diminish the quantity of information to be analyzed (Lim, 2009).

Conclusion

Byte search: This step usually consists of adopting methods that will search the Byte untreated imagery. It is basically used to find something specific. The tools and techniques which search for byte signs are known as magic cookies it also allows to the investigators to find the relevant information in accordance to the specific case.

Data Recovery: Data Recovery is one of the most important and most widely used steps in any investigation. Investigators are known to utilize several the scientific tools and software to recover digital data to hold or invalidate. There are many private software applications available in the market which helps in recovering data from the system. The recovered data is always essential information to find hidden links and clues.  Analyzing the empty space as well as the unallocated disk memory is an important step in investigation. An in-depth system recovery and system investigation is an important part of investigation to gain essential information.

Reporting Results:  The Last step of any investigation consists of reporting the entire analysis of the investigation. It includes recounting the procedures taken, determining what further actions which need to be performed. It also includes suggesting improvements to security policies, strategy, actions, methods, and other characteristics of the digital forensic procedure.

Thus reporting the observation is a major and vital part of any enquiry. It should be written in a way that reproduce the usage of systematic methodology and evidence which can be proved. Adapting the reporting style usually depends on the audience; the investigators should be equipped for the report to be used as proof in legal for lawfully or governmental reasons.

Every forensic investigation case is different and must be dealt with complete precision. Forensic investigators can’t apply same steps to every case since every issue is different and it might require different methods to solve it (Schlienger, 2003). However, there are some general steps which can be customised as per every case.

1. Scheduling a meeting with client: First step for collecting data is scheduling a meeting with client. At this step, investigators personally interact with client to know the case in-hand completely. Many times, there are some minute details which don’t get reveal over the phone or in documents. At this stage, all such details are revealed and hence, it is crucial to collect data.

2. Carrying out initial investigation: Once the investigator has met with the clients, he heads towards initial investigation. This investigation is carried with an aim to look for prospective evidences. It is crucial to carry out a preliminary analysis to get the outline of the issue and requirement of client. Besides outlining the issue, this stage will help in subsequent planning to be based on upon entire understanding of the issue.

3. Working on an action plan: An action plan is often developed to determine what further steps will be taken to investigate the case and result in a successful “fraud to trial” outcome. At this stage, investigators take into account the knowledge gained by interacting with client and at preliminary investigation. This stage sets out objectives to be accomplished during the forensic accounting investigation. It also sets out the methodology to be used to accomplish them (Schafer, 2008).

4. Finding out evidences: Evidences are crucial to successfully solve the case. Hence, investigators locate relevant documents, information, assets or any proof of the occurrence of an event depending upon the nature of the case.

5. Implementing the action plan: After the action plan has been developed and evidences have been found, the next step is to implement the action plan effectively. In this, the actual analysis depends upon the nature of the issue. Often, the actual analysis involves calculating damages, making a summary of large number of transactions, performing traces of assets, carrying out sensitivity and regression analysis and using charts and graphs to explain the analysis

6. Writing the results/findings on a document: The last step is to document the results and findings in a report which usually also include the scope of the investigation, approach & methodology adopted during investigation and limitations of scope (Vitruvius, 2005).

This is a series of steps involved in the collection of data which ultimately helps a forensic investigator to solve the case (Yang et al 2013). Although these are general steps followed in most of the forensic investigation cases, there can be chances that the steps taken in any case may be entirely different. It always depends upon the severity of the issue/case. A competent forensic investigator has to use his experience and skills to solve the case and get into the bottom of the case to determine what exactly is going on. As a forensic investigator, the primary goal remains that all the systems remains in his control at the site (CBS, 2010).

In order to ensure that incidents such as the one described in the case above don’t repeat, some effective steps have to be taken. These steps should enhance the weak security and prevent the incident from occurring in the future (Whitman & Mattord, 2013). The plan must aim at developing robust procedures, policies, systems in place to protect the sensitive information of the organisation (Parawesh, 2004). The plan for data security and preventing such incidents in future can be:

Developing an information system strategy: Now days, IT has evolved and it continues to evolve in every direction. Hence, it is crucial for organisation to develop an information system strategy. Data protection shouldn’t be concern only for legal or IT department but it should matter to every employee (Alhawari et al 2012). Data protection is strategic concern and hence, it should be addressed at highest levels of the company (Whitman & Mattord, 2011). This can only be achieved by formulating a comprehensive strategy. The strategy should include the goals to be achieved, practices to be adopted and people to be contacted in case any such fraud is sensed by any employee.

Enforcing overall information security strategy: During the implementation of information security strategy, the duty of senior management is primary (Tohidi, 2011). Their role is to create a reporting structure for information security so that people can be held responsible for it. It is a continuous process so all the errors, failures and follow ups have to be reported regularly (Mayer et al 2013). Information security must be included in the vision and mission of the organisation so that every employee can understand its employee (Salvendy, 2012).

Providing training to employees: Employees are required to be trained so that they can handle sensitive data carefully. The training can include learning sessions on retaining crucial information for long, disposing off sensitive information and devices. This can also include interacting sessions with top management so that they can continue communicating with the mid and low level employees about handling sensitive data (Kelly, 2005).

Putting data security models in practice: In order to implement the information security data plans, it is crucial to develop models (Peltier, 2013). This can include developing external and internal firewalls to ensure no information in leaked. In many companies, employees can’t access social networking sites or any other websites for their personal use (Tang & Musa, 2011). This is a security measure being taken by the firms.

These are some of the steps that can be adopted to enhance information security and ensure that such incidents don’t occur in future.

References

1. Alhawari, S., Karadsheh, L., Talet, A. N., & Mansour, E. (2012). Knowledge-based risk management framework for information technology project.International Journal of Information Management, 32(1), 50-65.

2. Anderson, J. M. (2003). “Why we need a new definition of information security”. Computers & Security, 22(4), 308–313.

3. CBS, (2010). “Forensics Timeline”. Cbsnews.com. Accessed on 4 March, 2015.

4. Galliers, R. D., & Leidner, D. E. (Eds.). (2014). Strategic information management: challenges and strategies in managing information systems. Routledge.

5. Harris, S. (2008). “All-in-one CISSP Certification Exam Guide (4th ed.).”, New York, NY: McGraw-Hill.

6. Kelly, J. (2005) Gunpowder: Alchemy, Bombards, and Pyrotechnics: The History of the Explosive … New York: Basic Books. p. 79.

7. Kiountouzis, E. (2010). “Information systems security: facing the information society of the 21st century.”, London: Chapman & Hall.

8. Lim, (2009). “Exploring the Relationship between Organizational Culture and Information Security Culture.” Australian Information Security Management Conference.

9. Mayer, N., & Aubert, J. (2014, September). Sector-Specific Tool for Information Security Risk Management in the Context of Telecommunications Regulation (Tool demo). In Proceedings of the 7th International Conference on Security of Information and Networks(p. 85). ACM.

10. Mayer, N., Aubert, J., Cholez, H., & Grandry, E. (2013). Sector-Based Improvement of the Information Security Risk Management Process in the Context of Telecommunications Regulation. In Systems, Software and Services Process Improvement(pp. 13-24). Springer Berlin Heidelberg.

11. McDermott, E. (2001). “Information security is information risk management.” In Proceedings of the 2001.

12. Parawesh, S. (2004). Encyclopaedic Dictionary of the DharmaÅ›ÄÂstra, Volume 1. New Delhi: Sarup & Sons. p. 499.

13. Peltier, T. R. (2013). Information security fundamentals. CRC Press.

14. Pipkin, D. (2000). “Information security: Protecting the global enterprise.”, New York: Hewlett-Packard Company.

15. Salvendy, G. (2012). Handbook of human factors and ergonomics. John Wiley & Sons.

16. Schafer, D. (2008). “Ancient science and forensics”. In Ayn Embar-seddon, Allan D. Pass (eds.). Forensic Science. Salem Press. p. 40.

17. Schlienger, T. (2003). “Information security culture-from analysis to change.” South African Computer Journal 31 (2003): 46-52.

18. Spagnoletti, P. (2008). “The duality of Information Security Management: fighting against predictable and unpredictable threats”. Journal of Information System Security 4 (3): 46–62.

19. Tang, O., & Musa, S. N. (2011). Identifying risk issues and research advancements in supply chain risk management. International Journal of Production Economics, 133(1), 25-34.

20. Taylor, P. (2012). “The Disaster Recovery Plan”. Sans Institute.

21. Tohidi, H. (2011). The Role of Risk Management in IT systems of organizations. Procedia Computer Science, 3, 881-887.

22. Vacca, J. R. (2012). Computer and information security handbook. Newnes.

23. Venter, H. (2003). “A taxonomy for information security technologies”. Computers & Security, 22(4), 299–307.

24. Vitruvius, J. (2005). “De Architectura, Book IX, paragraphs 9–12, text in English and Latin”. University of Chicago.

25. Whitman, M., & Mattord, H. (2011). Principles of information security. Cengage Learning.

26. Whitman, M., & Mattord, H. (2013). Management of information security. Cengage Learning.

27. Williams, S. P., Hardy, C. A., & Holgate, J. A. (2013). Information security governance practices in critical infrastructure organizations: A socio-technical and institutional logic perspective. Electronic Markets, 23(4), 341-354.

28. Yang, Y. P. O., Shieh, H. M., & Tzeng, G. H. (2013). A VIKOR technique based on DEMATEL and ANP for information security risk control assessment.Information Sciences, 232, 482-500.