Friday, December 6, 2019
Conducting Corporate Computer Investigation -Myassignmenthelp.Com
Question: Discuss About The Conducting Corporate Computer Investigation? Answer: Introduction I have been appointed with case in which a large corporate entity had received a resignation letter from one of his senior employee who had decided to commence work with a competitor organization. He was much respected executive manager and exemplary employee within the organization. Similar to the other executives, he was also appointed with an external USB storage device for saving the documents related to the operational activities within the organization. This member was reported to be working from outside the office premises many times for which he needed to use a portable storage device for storing those information. This executive was expected to work away from the office from time to time and as a result, he needed the ability to have a portable storage device. This of itself was no cause for alarm for the business and was considered standard operating procedure. After resignation of the executive manager , the senior manager decided to review the laptop computer of the executive as the matter of process and just wanted to crosscheck and confirm whether the executive had sent any confidential and sensitive information to his new employer or not. With the addition of this information he also wants to know if the executive had stolen the data or manipulated the data unlawfully or not. He just wanted to confirm that his data is safe and not any manipulation has been done to the data. Considering these facts an executive from the organization went to the executives apartment and collected the related equipments to the storage device and laptop computer in which he used to save the data and used to accomplish operational activities related to the work environment. Scope of Engagement: Following are the scope of the digital forensic investigation: I was provided with the executives laptop computer and the storage device that he was using all the time for the thoroughly forensic investigation. All the computers that were issued by the organization were based on Windows XP operating system using NTFS file system. Summary of Findings There were certain files relate to the organization that has been deleted after the executive senior had resigned to join the competitor organization and it is the probability that the executive senior had exchanged sensitive information with their employees. Analysis The investigation was started by examining the forensic image of the USB external device that was recovered from the executive. It was noted that it was already formatted by the executive date prior to the collection of devices and the forensic image was of no use as there was not any user file stored in the drive. The process of formatting the external device does not delete all the data in real rather it creates a new series of files that were present before the formatting took place. The data that was saved earlier on the external USB could be resided again in the unallocated area of the same disk. While formatting any external storage device, the Microsoft Windows prepares the media by writing the series of the system files to the same drive that assisted the operating system to store the data or files and organize them on the disk. This file writing on the document is called as the MFT (Master File Table) that records the information about the directories and files there has been saved earlier including the file name with the date of the creation and where did the file resides. All this entry has been made in the MFT. Following is the screenshot the can provide an overview of the types of information that could be found in the MFT: The header for the MFT entry FILE0 is being clear along with the filename that is helpinstall_english.7zip. Quickly scrolling these files indicated the file named old data in the unallocated space, however initially it was very difficult to find this file, humanly readable text. Through subsequently analysis through the software tool for revealing if there any previous files on the storage device that has common formats as that of the MS word or adobe reader or Microsoft Office. The organization replied that they were using Microsoft Office version that was prior to 2010 that resulted in not any concerned with such files or documents that has been created using new Office Open XML format. Particularly the attempt was being made to search for files that have been consisted of the hexadecimal bytes D0 CF 11 E0 A1 B1 1A E1 for Office files and 25 50 44 46 for Adobe Acrobat files. In addition to the above activity attempt was also made to search for Lotus Notes databases (bytes 1A 00 00 04 00 00) (as the organization was using the Lotus Notes for email service) including the archived files, such as RAR (bytes 52 61 72 21 1A 07 00) and ZIP (bytes 50 4B 03 04). Till now nothing has been found so attempt was made to find files with the formats doc, xls, pdf, ppt and many more. It has been found that hundreds of files have been instanced on the filename entries. It was noted that each of the filename entries existed in, what appeared to be, entries in a previously deleted MFT. The MFT is structured in a particular way and consists of a series of entries in the following segments Strategic Information File/directory name Index/data Unused space Or the purposes of this case study, it sufficient to understand that the following relevant information is stored in the data block of the MFT entry: The file creation date, stored as a 64 bit Little Endian format number. For example, the hex bytes 40 29 AF 60 6C 50 C7 01 would decode to 14 February 2007 at 19:41 hours UTC time; The date and time that a file was modified, again stored as a 64 bit Little Endian value; and The date and time that the MFT entry relating to this particular files was last changed. Legal and ethical considerations Permission has been granted by then organization to access the devices including the storage device and the laptop computer. By the NSW Police: Senior manager has state the ownership of the laptop and USB storage. These operations are lawfully approved. Findings Another attempt was made to analysis the laptop computer that has been provided by the senior executive where in the recycle bin there were various files found that can be related to the case. A large size of video files was found with the entries named as De785.mpg, including the files of the format Adobe Acrobat, and Microsoft Office under the name De621.doc. There have been various actions that took place while a user tries to delete the data that was saved into the external USB device. In Windows XP on a disk drive formatted using the NTFS file system, by dragging and dropping the file into the recycle bin, that includes the following steps: Firstly, The file has been moved to the recycle bin by the operating system and when the user tries to clean the data saved in the recycle bin, the file is renamed using the convention d + drive letter of origin + unique index number. For example the file name De785.mpg means the file was emptied from the recycle bin it originally existed on the E drive and was provided with the index number 785. Computer systems tag all the external storage devices or the drivers with a unique drive letter. With personal experience it can be expressed that portable hard disk drive that is connecting to the computer is mainly assigned with the drive letters namely, E, F or G. Following are the list of events that can be stated after making all the investigation on the files that might have deleted: The hard disk or drive was provided to the executive for the official purpose. As per the evidence found after recovering the files, it can be concluded that senior executive that was commenced using the USB hard drive had copied several thousands of files from the file server that has been presented for the corporate use only onto the USB portable hard disk drive. Business related all the files have been already deleted from the portable device that has been earlier provided for the investigation and the evidence was driven out from the investigation. Biggest files were presented in the recycle bin that was no longer existed but traces were present in the computer relating to the Adobe Acrobat and Microsoft Office type files. After the deletion of business related files from the USB hard disk drive, a single video file was copied onto the drive many multiples of times to overwrite the data contained in the previously deleted business related files. The evidence that were developed after the investigation were the data related to the same video file and were still present in the unallocated portion of that portable device that has been presented. As stated earlier then files had been deleted earlier and the portable device was not containing any files that could help the investigation. This could be put in the category of the evidences that did no longer exist into the device but was recovered from the MFT files. MFT was helpful in recovering the files that has been deleted a day earlier before the device was received. Conclusion Based on the above report it can be concluded that the investigation was successful on the basis of digital technology. However, certain more investigation needed to interrogate the senior executive in manner to confirm that he has made the treason with the organization. This report was thoroughly research on the data that was being transferred using the USB external drive. References AbRahman, N. H., Choo, K. K. R. (2015).A survey of information security incident handling in the cloud.Computers Security, 49, 45-69. Arunachalam, S., Rajan, M. S. (2017). Privacy Assured Multi-Tenants Forensic Log Data Collection and Isolation in Cloud Services. Baboo, C. D. S. S., Megalai, S. M. (2015).Cyber Forensic Investigation and Exploration on Cloud Computing Environment.Global Journal of Computer Science and Technology, 15(1). Cahyani, N. D. W., Martini, B., Choo, K. K. R., Al?Azhar, A. K. B. P. (2017). Forensic data acquisition from cloud?of?things devices: windows Smartphones as a case study. Concurrency and Computation: Practice and Experience, 29(14). Choo, K. K. R., Esposito, C., Castiglione, A. (2017). Evidence and Forensics in the Cloud: Challenges and Future Research Directions. IEEE Cloud Computing, 4(3), 14-19. Collange, S., Dandass, Y. S., Daumas, M., Defour, D. (2009, January). Using graphics processors for parallelizing hash-based data carving. InSystem Sciences, 2009. HICSS'09. 42nd Hawaii International Conference on(pp. 1-10). IEEE. Cruz, F., Moser, A., Cohen, M. (2015). A scalable file based data store for forensic analysis. Digital Investigation, 12, S90-S101. Kebande, V. R., Venter, H. S. (2014).A Cloud Forensic Readiness Model Using a Botnet as a Service. In The International Conference on Digital Security and Forensics (DigitalSec2014) (pp. 23-32). The Society of Digital Information and Wireless Communication. Khan, S., Ahmad, E., Shiraz, M., Gani, A., Wahab, A. W. A., Bagiwa, M. A. (2014, September). Forensic challenges in mobile cloud computing. In Computer, Communications, and Control Technology (I4CT), 2014 International Conference on (pp. 343-347).IEEE. Kules, B., Wilson, M. L. (2015).Shneiderman Ben (2008), From Keyword Search to Exploration: How Result Visualization Aids Discovery on the Web. Lee, S., Lee, K., Savoldi, A., Lee, S. (2009, December). Data leak analysis in a corporate environment. InInnovative Computing, Information and Control (ICICIC), 2009 Fourth International Conference on(pp. 38-43). IEEE. Nanda, S., Hansen, R. A. (2016, July). Forensics as a Service: Three-tier Architecture for Cloud based Forensic Analysis. In Parallel and Distributed Computing (ISPDC), 2016 15th International Symposium on (pp. 178-183). IEEE. Nelson, B., Phillips, A., Steuart, C. (2014).Guide to computer forensics and investigations. Cengage Learning. Nolan, R., O'sullivan, C., Branson, J., Waits, C. (2005).First responders guide to computer forensics(No. CMU/SEI-2005-HB-001). CARNEGIE-MELLON UNIV PITTSBURGH PA SOFTWARE ENGINEERING INST. Ohana, D. J., Shashidhar, N. (2013). Do private and portable web browsers leave incriminating evidence?: a forensic analysis of residual artifacts from private and portable web browsing sessions.EURASIP Journal on Information Security,2013(1), 6. Patrascu, A., Patriciu, V. V. (2015).Logging for cloud computing forensic systems.International Journal of Computers Communications Control, 10(2), 222-229. Peterson, G., Shenoi, S. (Eds.). (2016). Advances in Digital Forensics XII: 12th IFIP WG 11.9 International Conference, New Delhi, January 4-6, 2016, Revised Selected Papers (Vol. 484). Springer. Quick, D., Choo, K. K. R. (2013). Forensic collection of cloud storage data: Does the act of collection result in changes to the data or its metadata?.Digital Investigation,10(3), 266-277. Rahman, S., Khan, M. N. A. (2015).Review of Live Forensic Analysis Techniques.International Journal of Hybrid Information Technology, 8(2), 379-88. Ruan, K., Carthy, J., Kechadi, T., Baggili, I. (2013). Cloud forensics definitions and critical criteria for cloud forensic capability: An overview of survey results. Digital Investigation, 10(1), 34-43. Simou, S., Kalloniatis, C., Kavakli, E., Gritzalis, S. (2014, June). Cloud forensics: identifying the major issues and challenges. In International Conference on Advanced Information Systems Engineering (pp. 271-284).Springer, Cham. Spencer, S. B. (2015). The Aggregation Principle and the Future of Fourth Amendment Jurisprudence. Steel, C. (2006).Windows forensics: The field guide for conducting corporate computer investigations. John wiley sons.