Information Security

Digital Forensic Investigation Plan


(ExpertAssignmentHelp does not recommend anyone to use this sample as their own work.)

Assessment Type: Case Study

Word Count: 2500 words

Subject: IT security

Deadline: 6 Days

Assignment Criteria

The Case – A Digital Forensic Investigation Plan

Summary: 

One World Finance (OWF) is a specialist provider of high quality, consumer finance services to a global network of customers. Trading in Australia and New Zealand since 1990, the company employs more than 750 employees and the company serves more than 5 million customers. The company's main office is situated in Brisbane with other branch offices located in Sydney and Melbourne.

OWF has invested heavily in information technology for supporting its global business operations and achieving competitive advantages over its competitors. Major investments were made by the company in 2001 but management has lost focus in updating the networks and application infrastructure that supports the business operation in recent years. The network environment between all of OWF offices is flat and relatively unrestricted. Users from one office can access systems and servers from another office. Workstations and servers are typically Microsoft Windows-based. Firewalls and network segmentation are implemented poorly throughout the environment. Intrusion detection and logging exist on systems but they are not effectively used. 

Last night, John Marsh at the Sydney office went in to work early and when he got connected to his computer, he found that someone was already connected to his computer with several windows opened. As he stared at it, his computer system got disconnected. He then tried to get connected again, but he was logged out. He called the IT manager, who followed a plan for such incidents. This includes disabling John’s account and examining the server security logs. The IT manager found that the IP address of the computer that was connected to John’s computer belongs to a computer used to run a data projector at the Melbourne office. He quickly rang the Melbourne office to check who had used the computer and requested the logs of people who had swiped into the building. He found out that there were five people in the building at the time, but one employee, Andrew Gale, has since swiped out and called in sick. An urgent meeting with the management concludes that Andrew Gale has at least violated company policy by accessing a colleague’s account, but management is unsure whether he has violated any other policy or engaged in any criminal activity. As an information security officer, you are asked by the management to investigate to find out the extent of Andrew’s activities, whether others are involved, who is affected and whether criminal charges need to be laid.

Requirements:

Your task is to prepare a digital forensics investigative plan to enable a systematic collection of evidence and subsequent forensic analysis of the electronic and digital data. Assuming all systems are Windows-based, this plan should detail the following:

  • Justify why use of the digital forensic methodology and approach is warranted including appropriate procedures for corporate investigation.
  • Describe the resources required to conduct a digital forensic investigation, including skill sets and required tools of the team members.
  • Outline an approach for data/evidence identification and acquisition that would occur in order to prepare the auditors for review of the digital evidence.
  • Outline an approach and steps to be taken during the analysis phase making the assumption the computer system is a Microsoft Windows-based computer.
  • Make a recommendation on the action that the company needs to take against the offender.

Tips for preparing your digital forensics investigative plan 

In writing the digital forensics investigative plan, students need to address the following points. Note that the points listed below are not exhaustive and should be treated as helpful tips.

  • Justify a need for digital forensics methodology and consider scope of the case including nature of alleged misconduct leading to consideration of how electronic and digital evidence may support the investigation. The plan should consider how digital forensics differs from other techniques (such as network forensics, data recovery) and detail the overall steps for the systematic digital forensics approach. 
  • Consider the required resources and include details regarding preparation plan for evidence gathering (such as evidence forms, types, storage media and containers), forensics workstation and peripherals needed, software/tools for analysis depending on the type of evidence to be gathered including rationale for selected tools, and consideration of team member skills in digital analysis (such as OS knowledge, skills for interviewing, consultation, working as per the needs of the auditing team and understanding of law and corporate policies).  
  • Detail the approach for data acquisition including the different types of evidence that can be gathered and their source depending upon the nature of the case and scope of investigation, develop a plan for data acquisition including rationale for selected plan and contingency planning, detail type of data acquisition tools needed including rationale and an outline for the data validation & verification procedures. 
  • Provide an outline of the forensic analysis procedures/steps depending upon the nature of evidence to be collected, and detail the validation approach. This can include techniques to counter data hiding, recovering deleted files, procedures for network and e-mail analysis. 
  • Prepare a recommendation on the action that the company needs to take against the offender 
  • Prepare a professional report with an Executive Summary, a Word generated table of contents, an Introduction, a body of report with proper headings and sub-headings, and a Conclusion.


Assignment Solution

INTRODUCTION

One World Finance (OWF) is a provider of high-quality finance services to a global network of customers. The company's main office is in Brisbane, with other branches in Melbourne and Sydney. Major investments were made in 2001, but no attention was given to updating the network and application infrastructure. The network environment between the offices was unrestricted, network segmentation was poorly implemented, and the intrusion detection and logging that existed on the systems were not used effectively. Because of this unsecured network, a computer at the Sydney office was operated from the Melbourne office. The employee, John Marsh, reported the incident to the IT manager, who took immediate action: he disabled John's account, examined the security logs of the server and recovered files through a digital forensic plan. Issues of this kind lead organizations such as One World Finance to appoint an investigator to look into the matter and find the root cause. It is a key element in every organization these days (Casey, 2012). This assignment aims to investigate the extent of Andrew's activities in using a colleague's system. A digital forensic investigation plan is prepared to enable a systematic collection of evidence and forensic analysis of digital data. The report also provides recommendations on the best solutions for the company.

TASK 1- JUSTIFICATION OF USING DIGITAL FORENSIC METHODOLOGY

Digital forensics is the process of identifying, preserving, analysing and presenting digital evidence in such a way that it is legally acceptable. Reasons to conduct a digital forensic investigation include data recovery, criminal investigations and civil hearing investigations (Fabro, 2008). In this case, the digital forensic investigation deals with John Marsh's discovery that his system had been compromised. When he logged in, he noticed that several windows were already open and someone else was already connected to his system. He kept getting disconnected from his system, so he called the IT manager about the issue. The initial step of a digital forensic methodology is a request for service. This is made to find out whether the company's system is compromised and, if it is, what data was compromised. The investigator uses digital forensic methodologies so that the requirements of the investigation can be fulfilled. There are various digital forensic methodologies, such as the Integrated Digital Investigation Process (IDIP) and the Digital Forensic Research Workshop (DFRWS) model, in which digital evidence is identified, preserved, analysed and presented. To give a clear picture of how data is collected during the investigation, the steps of a digital forensic approach are listed below:

  1. Request for service: In this step, the organization's HR department or legal department sends a request for a digital forensic investigation. The request can be sent by phone, email or message.
  2. Initial Analysis Phase: This phase establishes the number of investigators involved and the kind of hardware and software used in the investigation. It has two further stages:
       1. Documentation: This covers the data collected during the investigation. It records the evidence from the suspect's system and can be used during legal processes in court.
       2. Planning: This is an important phase of a digital investigation, as the investigation needs to be planned with the victim's department.
  3. Data Collection Phase: This phase covers the collection of information from the digital forensic resources. It includes documentation, date, time, and laptop and mobile collection.
  4. Data Analysis Phase: This phase focuses on processing the gathered information. A checklist is made to assist the team in analysing the data (Rowlingson, 2011).
  5. Data Reporting Phase: This phase describes the situation observed and analysed during the investigation.
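
As an added illustration (not part of the original sample solution), the documentation and data collection phases can be backed by an acquisition record that stores each evidence image's SHA-256 hash, size and UTC timestamp, and re-checks the image against that record before analysis. The item ID, examiner name, source label, file names and image bytes below are constructed placeholders.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_acquisition(image_path, log_path, item_id, collected_by, source):
    """Append one acquisition entry (who, what, when, hash) to a JSON-lines custody log."""
    entry = {
        "item_id": item_id,
        "source": source,
        "collected_by": collected_by,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def verify_item(image_path, log_path, item_id):
    """Return True only if the image still matches its acquisition-time record."""
    with open(log_path, encoding="utf-8") as log:
        entries = [json.loads(line) for line in log if line.strip()]
    matches = [e for e in entries if e["item_id"] == item_id]
    if not matches:
        raise KeyError(f"no acquisition record for {item_id}")
    rec = matches[0]  # the first entry for an item is the baseline
    return (os.path.getsize(image_path) == rec["size_bytes"]
            and sha256_file(image_path) == rec["sha256"])

def demo():
    """Acquire a constructed image, verify it, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        image, log = os.path.join(d, "OWF-001.img"), os.path.join(d, "custody.jsonl")
        with open(image, "wb") as f:
            f.write(b"constructed sample disk image bytes" * 1000)
        record_acquisition(image, log, "OWF-001", "Examiner A", "Sydney workstation (constructed)")
        intact = verify_item(image, log, "OWF-001")
        with open(image, "r+b") as f:  # simulate a change made after acquisition
            f.seek(10)
            f.write(b"X")
        return intact, verify_item(image, log, "OWF-001")

if __name__ == "__main__":
    print(demo())
```

Analysis should run only on working copies whose hash matches the logged value; a mismatch means the copy cannot be relied on as evidence.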
