Digital Forensic Methodology And Approach For Corporate Investigations

Justification for the use of digital forensic methodology and approach

Question:


As part of the auditing team in the capacity of a Digital Forensics expert, your task is to prepare a digital forensics investigative plan to enable a systematic collection of evidence and subsequent forensic analysis of the electronic and digital data. Assuming all systems are Windows-based, this plan should detail the following:

Justify why use of the digital forensic methodology and approach is warranted including procedures for corporate investigation.

Describe the resources required to conduct a digital forensic investigation, including team member skill sets and required tools.

Outline an approach for data/evidence identification and acquisition that would occur in order to prepare the auditors for review of the digital evidence.


Outline an approach and steps to be taken during the analysis phase making the assumption the computer system is a Microsoft Windows-based computer.

Create a table of contents for the investigative plan describing what the primary focus of the report would be.

Every important detail of the company is stored in the form of data on computers. Thus, security becomes one of the major concerns for the management of the company. The security system adopted by the company has to be capable of securing the information regardless of its size. With the help of forensic practices, it is possible to plan and implement actionable methods through which the information can be secured for a longer period of time.

The selected method has to be capable of taking care of the information and of implementing effective disciplinary action plans. This will restrict unauthorised access to information and other details that are confidential to the company. With such a method it is possible to keep a check on unusual operational activities that could lead to serious problems. Accurate knowledge of forensic principles, procedures, techniques and tools will help in improving the quality of the services provided to the company (Casey, 2000).

This report is based on the ‘Global finance’ company. It is an investment company with more than 10,000 staff working in different parts of the world. The company specialises in rendering different types of finance services, which include calculating superannuation for individuals and companies, providing investment options, analysing retirement benefits, and rendering share and property investment options. The services are available exclusively to individuals and companies in Australia. However, the finance head of the company is aware that details from the computer are being hacked and used by someone. This is a serious concern, as different types of important information are stored inside the system. The report has been prepared to present an effective auditing plan for digital forensics. This has been done with the intention of reducing the effort put into securing the client and financial information retained by the company (Higgins, 2008).

The term computer digital forensics refers to the scientific method that is used for investigating the loopholes that are present within a system. It is important to have planned and well-drafted methods through which the required information can be easily gathered by the investigators. The process basically involves three major steps, which are analysing, reporting, and acquisition. It is important to use the best scientific method through which the relevant information regarding the digital evidence can be easily gathered by the experts. The method needs to include the steps mentioned below, which are

Resources required for digital forensic investigation

Verification

The head of the finance department of Global finance feels that the technology used by the company is not effective. This is because the infrastructure used for the network application hasn’t been updated. The environment for accessing information is unrestricted, which makes it possible for everyone to collect the information. Thus, it is important to investigate the incidents, which is basically known as forensic evaluation. In this case, the details are assessed with the intention of analysing the causes of the incidents that led to the sharing of information. Based on the information collected by the company, it is possible to choose the best approach for deciding on the steps that need to be taken to make the required changes (Huber, 2011).

System description

The system used by Global finance had unrestricted usage, wherein information could be easily accessed by different departments. Besides this, the workstations and servers used by the company were not properly maintained. This increased the risk of intrusion, which increased the risk for the users. Thus, it was essential to examine the system that was used by the company. In this process, it was necessary to collect the information needed to determine the role of the system. This helped in analysing the data and in evaluating the risks attached to the system. It is important to analyse the configuration of the disk and other factors considered important for the collection of evidence (Inoue, Adelstein, and Joyce, 2011).

Evidence collection

In the information security process, the investigative team and its forensic abilities were analysed, as the team was located in the head office in Melbourne. The finance head of the department had complained about the ineffectiveness of the system, and this was one of the major concerns that had impacted the users. The audit team works towards collecting the evidence considered essential for the analysis. Auditors in this case have to prioritise the findings, as this will help in finding the factors that led to the leakage of information. Also, the data that has been violated through different network connections has to be analysed. This includes analysing the login sessions, cache, running process times, and others. The information is collected with the intention of analysing the challenges and taking the right steps through which changes can be implemented by the management (Janssen, and Ayers, 2007).

Timeline analysis

The check on the evidence has to be done in a timely manner. This will help in making the necessary changes and controlling information leakage or access in the best possible manner. In this process, the information and other evidence have to be collected and investigated in the right manner. Evidence collection and evaluation have to be based on evidence acquisition, which is one of the prominent steps that need to be followed correctly.

Data/evidence identification and acquisition approach

The tools that are used for analysing the data or forensic data are based on the Linux method and MFT methods.

In this process, the evidence is collected and investigated in the right manner, as this will help in analysing the challenges that the company faces in securing the data. This system is quite different from network forensics and data recovery. Network forensics is a part of the digital networking system and is basically used for monitoring and evaluating the traffic in the computer network. In this process, importance is given to information gathering methods and legal evidence. This method deals with network investigations, which are known to be dynamic and volatile in nature (Kim et al., 2008).

The data recovery method relates to handling information that might be damaged or corrupted. The whole intention is to provide access to the information whenever required. Such a process is quite different from the others that are in use.

Methods included for collecting the information

There are different types of analysis that are basically used for this purpose and it includes –

  1. Pre-analysis – It includes defining the case in depth and analysing the goals through which the task can be achieved.
  2. Analysis – In this process, the company concentrates on collecting the best methods through which the structured management system can be introduced.
  3. Time-based analysis – It is also necessary to allocate a time-based process, as this will help in improving the performance (Kruse, & Heiser, 2001).

The process followed by the company for collecting evidences plays a key role in analysing the risk that is associated with the system.

Hardware requirements

Some of the steps that are included in the volatile process are –

  • Register content, CPU, and cache
  • Routing table, process table, ARP cache, and kernel statistics
  • Analysing the memory
  • Checking on the temporary files and swap spaces
  • Checking on the data that is stored on the hard disk
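
The volatile-data steps above can be captured as a live-response snapshot on a Windows system. The following PowerShell script is an added example, not part of the original report: the output path `E:\collection`, the file names and the selection of cmdlets are assumptions chosen for illustration, and it must be run from an elevated session writing to external media.

```powershell
# Added example: live-response snapshot in order of volatility.
# Assumptions: elevated PowerShell session; $OutDir is a placeholder for
# external collection media, never the examined system's own disk.
param([string]$OutDir = 'E:\collection')

$ErrorActionPreference = 'Stop'   # make every failure catchable per step
$stamp   = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$caseDir = Join-Path $OutDir "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

# Most volatile first. CPU registers and cache cannot be captured by a script;
# full memory and disk images need a dedicated imaging tool and come afterwards.
$steps = [ordered]@{
    '01_routing_table.csv' = {
        Get-NetRoute |
            Select-Object InterfaceIndex, DestinationPrefix, NextHop, RouteMetric }
    '02_process_table.csv' = {
        Get-CimInstance Win32_Process |
            Select-Object ProcessId, ParentProcessId, Name, CreationDate, ExecutablePath, CommandLine }
    '03_arp_cache.csv' = {
        Get-NetNeighbor |
            Select-Object InterfaceIndex, IPAddress, LinkLayerAddress, State }
    '04_kernel_stats.csv' = {
        Get-CimInstance Win32_OperatingSystem |
            Select-Object LastBootUpTime, LocalDateTime, NumberOfProcesses, FreePhysicalMemory }
    '05_tcp_connections.csv' = {
        Get-NetTCPConnection |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
    '06_logon_sessions.csv' = {
        Get-CimInstance Win32_LogonSession |
            Select-Object LogonId, LogonType, StartTime, AuthenticationPackage }
    '07_pagefile_usage.csv' = {
        Get-CimInstance Win32_PageFileUsage |
            Select-Object Name, AllocatedBaseSize, CurrentUsage, PeakUsage }
}

# Run each step, record when it ran, and hash its output for later verification.
$manifest = foreach ($name in $steps.Keys) {
    $path = Join-Path $caseDir $name
    $collectedUtc = (Get-Date).ToUniversalTime().ToString('o')
    try {
        & $steps[$name] | Export-Csv -Path $path -NoTypeInformation -Encoding UTF8
        $sha256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    } catch {
        # A failed step is recorded, not hidden, and does not stop the collection.
        $sha256 = "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]@{ File = $name; CollectedUtc = $collectedUtc; SHA256 = $sha256 }
}

$manifest | Export-Csv -Path (Join-Path $caseDir 'manifest.csv') -NoTypeInformation -Encoding UTF8
$manifest | Format-Table -AutoSize
```

The manifest gives the auditors a collection time and SHA-256 value for every output file, so any later change to a file can be detected.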

Some of the important resources that are considered in this process include –

The evidence is collected in different forms or by different methods. However, it is necessary to collect the information and interpret the data in the best possible manner. It also includes securing the information in the non-volatile data format. In this case, the information is stored on the hard drive and the details are retained even when the computer is switched off. Volatile information is stored in the memory of the computer, and it is lost as soon as the computer is turned off. It is necessary to adopt and implement an effective tool through which the necessary steps can be taken for securing the information that is important for the company. Some of the tools include creating back-ups, decryption, and an authentication process that is considered useful for storing the information. It also includes the steps mentioned below –

  1. IT tracking
  2. Log file auditing
  3. Implementing data recovery system
  4. Examine the file (Stallings, 2003).

Also, it is necessary to have regular back-up files so that changes can be made without the fear of losing information. This will also avoid the ambient data that is basically located in the swap file, which is quite similar to memory. The system that is selected has to comply with the rules drafted by NIST, the National Institute of Standards and Technology. In this process, it is also necessary to ensure that the members are aware of the rules set by the company for using the system or accessing information from the computer. Besides this, the system has to be checked regularly, as this will help in implementing the changes considered necessary for securing the data that is important for the company. It is necessary to have the best decryption tools, which will be useful for accessing password-protected files and computers.

Steps for analysis phase on a Microsoft Windows-based computer

The procedure followed for the collection of the tools and digital evidence has to be implemented in the right manner. The staff of the company have to follow the password method for accessing the information that is present within the system. Auditors of the company can use the IP tracking system to access or analyse the information that is considered important for tracking the authorised usage of the system. In this method, it is possible to analyse additional information that will be useful for the auditors in collecting details related to unauthorised usage of the system. For companies, it is essential to introduce an effective national security system that includes IDS, or the intrusion detection method. It also includes introducing proxies and firewalls. In this method, it is necessary to have a detailed investigation report, which needs to be provided by the system administrator. This will help in analysing the challenges without losing much time (Turner, 2006).

The evidence or the data needs to be collected and investigated in the right manner. For this, it is necessary to collect the tools that are available for the implementation of the performance system. This also includes analysing the system configuration, through which the fault can be easily analysed. Such a method will help in analysing the problem and finding the best possible solution to handle it. For this, it is essential to determine the configuration of the system, as this will help the auditors to find the right solution to the problem. The methods in this process include analysing the images that are stored in the line output utility, memory dumps, and digital media. With the help of such a system, it is possible to conduct the network investigation that is necessary to find the cause of the problem. The plan also includes using the steps or tools that are conducted in the DEB. This contains the details that are considered necessary for the company to handle the information in the right manner. DEB is known to be the advanced technology through which the magnetic cloning devices can be used for investigating the loopholes that are present within the system. The prime objective is to find the methods through which the data can be manipulated (Kim et al., 2008).

Software requirements

The system needs to be adopted for analysing the evidence through which illegal access to the information can be controlled. In this case, the problem that is associated with the usage of the system. In this case, the MS system has to be configured with certain rules, as this will prevent unauthorised usage of the system. The system needs to be password protected, and the staff of the company have to be encouraged not to share their passwords with anyone. Sharing will create a problem and might affect the confidentiality of the information stored within the system. Apart from this, it is also necessary to implement an effective application system through which the usage by the members, along with the data access, can be checked on a regular basis.

Table of contents for investigative plan

This will help in improving the quality of the services that are proposed to be rendered to the clients. The data stored within the system is important, and access needs to be provided to only a few members. This will stop the usage of the information by anyone who is not authorised to do so. Apart from this, the management of the company can also implement the DEB software, through which the details can be checked and corrective steps can be introduced by the company. The system has to be implemented in a simple format, as this will help in accomplishing the task in the best possible manner (Janssen, and Ayers, 2007).

The plan for the investigation has to be simple and effective, as this will help in yielding the best results that cater to the needs of the company. In this process, the steps that need to be followed for analysing the challenges have to be determined. This will help in analysing the challenges and taking the right steps through which the issue can be handled in an effective manner.

Conclusion

Introducing an effective computer forensic method is important for the business. The process that is intended to be followed by the company depends upon the strategy that the company has adopted. In this case, the data needs to be analysed in the right manner. This will help in analysing the challenges and adopting the best methods through which the data can be evaluated. In this case, the data has been evaluated, and corrective steps have to be taken to improve the quality of the information retained by the company.

References

Casey, E. 2000. Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. San Diego, CA: Academic Press.

Higgins, S. 2008. The DCC Curation Lifecycle Model. The International Journal of Digital Curation, 3, 134–140.

Huber, M., Mulazzani, M., Leithner, M., Schrittwieser, S., Wondracek, G. and Weippl, E. 2011. Socialsnapshots: digital forensics for online social networks. Annual Computer Security Applications Conference. ACM, December 2011.

Inoue, H., Adelstein, F. and Joyce, R. A. 2011. Visualization in testing a volatile memory forensic tool. Digital Investigation, 8, S42–S51.

Janssen, W. and Ayers, R. 2007. Guidelines on cell phone forensics. Recommendations of the National Institute of Standards and Technology. Gaithersburg, Maryland: National Institute of Standards and Technology.

Kim, K., Park, S., Chang, T., Lee, C. and Baek, S. 2009. Lessons learned from the construction of a Korean software reference data set for digital forensics. Digital Investigation, 6, S108–S113.

Kruse, W. G., & Heiser, J. G. 2001. Computer Forensics: Incident Response Essentials. Addison Wesley.

Masters, G., & Turner, P. 2007. Forensic Data Recovery and Examination of Magnetic Swipe Cloning Devices. Digital Investigation, 4 (1), 16–22.

Stallings, W. 2003. Cryptography and Network Security 3/e. Prentice Hall.

Turner, P. 2006. Selective and Intelligent Imaging Using Digital Evidence Bags. Digital Investigation, 3 (1), 59–64.
