Description
Dominic Santini is the CEO of the ZeroBit Corporation. He has received a call claiming that proprietary information about a ZeroBit product has surfaced in a competitor’s sales brochure. He suspects a leak and wants to meet with you to discuss a possible investigation.
Mr. Santini welcomes you to his office, saying, “Thanks for stopping by at such short notice. Have a seat. Let me tell you more about what’s been going on. One of our marketing managers came back from a convention last week with a brochure for a competitor’s product having the exact same specs as our product. No way that’s coincidence! So, do you know our digital forensics examiner? I have a feeling he might be the one who’s been talking to those other guys, maybe saying some things he shouldn’t be saying.”
He continues, “There’s been a lot of absenteeism in the department lately—from the boss on down. When employees in the department do show up, they stay late into the evening. Now I’m not ready to launch a full-blown offensive here, but I think it’d be worth our time to check into what our examiner has been doing in his free time!”
“If we go to court, our success will depend on the proper handling of people, property, and evidence, so give me a safety and investigation plan first. By the time we wrap this thing up, I’ll need a report to share with the board. Give plenty of detail—what you found out and exactly how and where you found it.”
Mr. Santini makes it clear that you are more or less on your own with this case. It’s a sensitive investigation that will require maximum discretion.
Introduction
Before conducting any digital forensics investigation, participants must take certain steps to ensure the safety of the operating environment. Safety considerations fall into three general categories: people, property and environment, and evidence handling. They can range from weather-related issues to verbal or physical threats from the people under investigation. Investigations may occur during off-hours or at night, which raises the possibility that the investigator might be mistaken for a criminal.
A digital forensic investigator creates and develops a comprehensive safety and investigation plan specific to each investigation, and this plan will address all foreseeable situations that could jeopardize the investigation or its participants.
The fundamental digital forensics details to be covered in the plan will be the same whether you work in law enforcement or as a civilian digital forensics investigator. For the purposes of your investigation plan, you should not presume that another unit, agency, or investigator will develop or perform any component of the plan; instead, set forth in detail which parts or activities you expect any other unit, agency, or digital forensics investigator to perform in support of your plan.
Once a safety and investigation plan has been developed, the investigation can begin. This project will focus on using EnCase digital forensics software. EnCase is the most widely used commercial digital forensic tool available today. It is an integrated tool used in many types of digital forensics computer and server investigations.
EnCase is a powerful tool with advanced scripting capability and a growing number of third-party plug-in modules. It is critical for today’s digital forensic investigators to be familiar with its processing and analytic capabilities. This project will use EnCase in a typical investigation scenario in which it generates forensic examination reports from a few different situations. (As you proceed through this course, you will encounter references to a wide variety of digital forensics tools—far beyond EnCase. We have provided a list of these tools to help you access them when you need them.)
The final assignment in this project will include a safety and investigation plan, along with creating reports that use the EnCase report template (PDF format) to answer the questions noted in the project steps. The bookmark and report features of EnCase are emphasized in the project steps. The deliverables will be comprehensive reports that include case overviews and step-by-step explanations of the evidence file processing, graphic figure screenshots, and digital forensics investigator’s analysis of findings during the examination process.
Mr. Santini’s first request was for a safety plan. Are you ready to get started?
Step 1: Develop a Safety and Investigation Plan
As a forensic investigator, you know how important it is to understand an organization’s working environment before you launch an investigation.
Mr. Santini has provided you with some information on the history of ZeroBit, its place in the marketplace, and its potential competitors. You have learned that ZeroBit is an organization that generates intellectual property of interest to organized crime syndicates and nation states, as well as technology companies.
Mr. Santini is concerned that product plans may have leaked out through unauthorized channels. When millions of dollars are at stake, people can get hurt or killed, so investigators need to take steps to ensure their safety.
In this situation, there is a suspect currently employed at ZeroBit, along with people who have recently left the company and cannot be located. You need to assess and document factors that will increase the difficulty of the investigation and put you, and others, at risk while conducting your digital forensics investigation. Among those factors are people, property and environment, and evidence handling.
Your training has taught you that the most important function of a thorough safety and investigation plan is to evaluate and secure the scene.
Mr. Santini has requested a safety and investigation plan that addresses each of the following components:
An initial description (in the form of a checklist) of the steps an investigator would follow to ensure safety is addressed in the investigation.
The safety of the investigator and other people involved in the investigation (e.g., there may be people who are hostile to your investigation). You also need to minimize the potential for becoming entangled in legal issues, and to involve third parties who have an interest in the investigation, who may be helpful in obtaining the required consent for searches, who are familiar with how the target computers may have been used, or who can assist with understanding the network environment.
The safety of the property and environments involved in the investigation.
Evidence-handling procedures; preserving chain of custody is critical if law enforcement becomes involved.
The plan should also include the steps you would take if a potential safety compromise occurs in any area.
Develop a safety and investigation plan that addresses the concerns listed above. A safety and investigation plan would typically be four to six pages, excluding figure images and references. Use APA format and submit the plan to Mr. Santini (your instructor) for review and feedback. Incorporate any suggested changes after feedback. You will include the safety and investigation plan in the final assignment (Step 4). Now, you are ready to begin the investigation.
Step 2: Create a Case and Process Digital Evidence
Note: This step will take you about three hours to complete. Save your work frequently and take breaks as needed to pace your case examination.
You have learned that the suspect’s name is Mantooth, the same suspect from a prior case. After completing the safety and investigation plan in Step 1, access the virtual lab to obtain the Mantooth computer image. It is a subset of a full computer image.
You have decided to use EnCase and the EnCase Case Analyzer to conduct the investigation and create a forensic report. You’ll need to become familiar with LNK file forensics, Microsoft file structures, NTFS system files, recycle bin forensics, and registry examination. You will also need a solid understanding of the Windows registry structure and the Windows registry processing tool.
The Mantooth image is rich in artifacts; it will take a substantial amount of time to process the image, review, and evaluate the artifacts required to answer the questions presented in the Project 1 Lab, to expand the case investigation in Step 3, and to complete the Digital Forensics Examiners Report required in Step 4 of this lab. Be sure to document your findings in accordance with the Guidelines for Digital Forensics Examiner Reports.
Step 3: Expand Your Case Investigation
Note: This step will take you about three hours to complete. Save your work frequently and take breaks as needed to pace your case examination.
In the previous step, you used EnCase to open a case containing the processed Mantooth image. Now, you will access the virtual lab to undertake an expanded investigation of the Mantooth image, to conduct an investigation of the Washer image, and to compare any evidence of similar activities between the Mantooth image file and the Washer image file.
Mr. Santini has provided the Washer image file and its file hash value. You have already conducted an image search of the Mantooth computer, but now you need to perform additional processing of the Mantooth image. In this step, you will use EnCase to conduct a hash set analysis, investigate user account information and activities, and recover deleted pictures and, possibly, deleted partitions from the unallocated space of the image evidence file.
Your investigation will result in the creation of a digital forensics examiner’s report for Mantooth and a separate analysis of the Washer image within the report, based on other steps you will be required to take during your Project 1 investigation.
Data carving is sometimes necessary for file recovery. Sometimes clues are revealed by reviewing log files on a Windows machine. You need to take some time to get up to speed on graphical image analysis, metadata investigation, cache, cookie, and history analysis, web browser forensics, application forensics, and multimedia forensics before you begin processing and analysis.
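An added example, not part of the course materials or of EnCase, that shows in code three of the activities named in this step and in the evidence-handling item of Step 1: the hash verification that underpins chain of custody, hash-set analysis, and signature-based data carving from unallocated space. It carves JPEG and PNG files out of a constructed byte blob standing in for unallocated space, hashes each carved file, and tags it against two constructed hash sets (one for files of interest, one for known-good files); the sample blob, both hash sets, and all function names are assumptions, and the truncated and corrupted cases at the end of the blob show why a carver must validate what it finds before it is bookmarked as a picture.

```python
"""Added example, not part of the course materials or EnCase: carve JPEG and
PNG files out of a byte blob that stands in for unallocated space, hash each
carved file, and classify it against two constructed hash sets, the way a
hash-set analysis separates files of interest from known-good files."""
import hashlib
import struct
import zlib

# File signatures used for carving (the constructed samples use the same bytes).
JPEG_SOI = b"\xff\xd8\xff"          # start of image, followed by a marker byte
JPEG_EOI = b"\xff\xd9"              # end of image
PNG_SIG = b"\x89PNG\r\n\x1a\n"      # 8-byte PNG signature


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_evidence_hash(image: bytes, expected_hex: str) -> bool:
    """Chain-of-custody check: the image must hash to the value handed over with
    it before processing starts, and again afterwards to show it was not altered."""
    return sha256_hex(image) == expected_hex.lower()


def carve_jpeg(blob: bytes, start: int):
    """Header-to-footer carve: from the SOI at `start` to the next EOI marker.
    Embedded thumbnails carry their own EOI, so a real tool also validates the
    result by decoding it; here a missing footer simply means 'not recoverable'."""
    end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
    if end < 0:
        return None
    return blob[start:end + len(JPEG_EOI)]


def carve_png(blob: bytes, start: int):
    """Structure-aware carve: walk the chunk chain (length, type, data, CRC)
    until IEND, checking each CRC, so truncated or partly overwritten files are
    rejected instead of being bookmarked as pictures."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_bytes) < 4:
            return None  # chunk runs past the end of the blob: truncated file
        if zlib.crc32(ctype + data) != struct.unpack(">I", crc_bytes)[0]:
            return None  # CRC mismatch: sectors overwritten after deletion
        pos += 12 + length
        if ctype == b"IEND":
            return blob[start:pos]
    return None


def carve_and_classify(blob: bytes, of_interest: set, known_good: set) -> list:
    """Scan for signatures in offset order, carve each candidate, and tag it by hash."""
    findings = []
    pos = 0
    while pos < len(blob):
        hits = [(o, t) for o, t in ((blob.find(JPEG_SOI, pos), "jpeg"),
                                    (blob.find(PNG_SIG, pos), "png")) if o >= 0]
        if not hits:
            break
        offset, ftype = min(hits)
        data = carve_jpeg(blob, offset) if ftype == "jpeg" else carve_png(blob, offset)
        if data is None:
            pos = offset + 1  # unrecoverable candidate: step past its signature and keep scanning
            continue
        digest = sha256_hex(data)
        status = ("of interest" if digest in of_interest
                  else "known good" if digest in known_good else "unknown")
        findings.append({"offset": offset, "type": ftype, "size": len(data),
                         "sha256": digest, "status": status})
        pos = offset + len(data)
    return findings


# --- constructed sample data (not taken from the Mantooth or Washer images) ---
def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def _tiny_png(width: int) -> bytes:
    """A valid width x 1 8-bit greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", width, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x80" * width)  # one scanline, filter type 0
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


JPEG_A = JPEG_SOI + b"\xe0" + b"JFIF-payload-A" + JPEG_EOI
JPEG_B = JPEG_SOI + b"\xe0" + b"JFIF-payload-B" + JPEG_EOI
PNG_1 = _tiny_png(4)
SAMPLE_BLOB = (b"\x00" * 64 + JPEG_A + b"\xcc" * 32 + PNG_1 + b"\x00" * 16
               + JPEG_B + b"\xff" * 8 + _tiny_png(8)[:20])  # last file is truncated

OF_INTEREST = {sha256_hex(PNG_1)}     # stands in for a case-specific hash set
KNOWN_GOOD = {sha256_hex(JPEG_A)}     # stands in for a known-file set such as NSRL

if __name__ == "__main__":
    for f in carve_and_classify(SAMPLE_BLOB, OF_INTEREST, KNOWN_GOOD):
        print(f"{f['offset']:6d} {f['type']:4s} {f['size']:5d} {f['status']:12s} {f['sha256'][:16]}")
```

Run it and the three recoverable files are listed with their offset, size, digest and status, while the truncated PNG at the end is silently skipped. The offset and digest columns are exactly what goes into a bookmark note: they let a second examiner carve the same bytes from the same image and reproduce the hash, which is the point of documenting "exactly how and where you found it".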
Your goals are the following:
complete the Project 1 Lab containing the Mantooth image and Washer image
locate, document, and bookmark files and artifacts of interest by hash and file type
identify, document, and bookmark certain internet activity
bookmark all files, artifacts, and information of interest for final reporting
respond to Mr. Santini’s questions contained in the Project 1 Lab
search the Mantooth image and Washer image for relevant pictures of interest in the case
bookmark all pictures relevant to the case investigation for inclusion in the final digital forensics report
answer all questions presented in the Project 1 Lab instructions
document your findings in accordance with the Guidelines for Digital Forensics Examiner Reports.
Prepare a Digital Forensics Examiners Report that includes the following information as a Notes Sheet Addendum to the report:
number of picture files recovered
relevant pictures and their location information (if required)
file system information on the Mantooth and Washer drive images
answers to all questions presented in the Project 1 Lab Instructions
complete a separate final digital forensics examiners report for the Mantooth image investigation
complete a separate analysis of the Washer Image Investigation in the final digital forensics examiner’s report.
Step 4: Write and Submit Your Final Report
You have conducted an exhaustive analysis of Mr. Mantooth’s computer image file and Mr. Washer’s computer image file. Mr. Santini is looking forward to seeing the final report. Create a document based on the EnCase report writing template that includes the following:
your safety and investigation plan (Step 1)
your findings from Step 2 (including directories populated with data from the case processor)
responses to all questions posed in Step 3, including the questions contained in Project 1
bookmarks of files, all pictures, related case artifacts and other information in Step 3
notes sheet addendum that includes information on the following:
relevant picture files and their location on the drive image
the number of picture files recovered
the specific type of camera that took the pictures, if noted
the file system on the Mantooth drive image and Washer drive image
Final Digital Forensics Examiners’ Report Format
The final digital forensics examiners’ report should answer the questions contained in the steps of the Project 1 Lab, using the bookmarked evidence and the report wizard features of the EnCase software to create a draft report. The final report should
begin with an executive summary paragraph (case overview) that explains
how the case originated or how it was referred to you for examination
the purpose(s) of the examination referral request (e.g., suspected theft, suspected criminal activity, suspected theft of trade secrets, etc.)
include a detailed explanation of the steps you took in working through the case investigation, including the screenshots referred to above.
In addition:
Create your report based on the EnCase report writing template draft.
Make sure the report header includes your name, course number, date, and “Project 1 Lab”.
Save your final version in PDF format.
Digitally sign and date the final digital forensics examiner’s report, include your title (e.g., digital forensics examiner), and initial and date each page (consider using the footer option).
Submit the final report to Mr. Santini (your instructor) for evaluation in the submission section of the course.
Note: You used the EnCase forensic template when you originally processed Washer’s HDD. This template includes a series of directories/folders to help organize your bookmarks. Some of the directories are populated with data from the case processor. You will also see unrelated bookmark folders from the EnCase forensic template that will not be populated with data by the time you finish this Project 1 lab; disregard them for the purposes of this report and delete them before submitting the final report for evaluation.
Tip: Creating an Initial (Draft) Report Using EnCase Report Wizard
One way to create an initial draft digital forensics examination report to organize the case evidence artifacts is to generate the report using the EnCase forensic report template and include the bookmarked evidence artifact items you want in the final report. Then, you can save the EnCase Report as a Microsoft Word document and edit it in Word to meet the digital forensics report writing format requirements outlined above in Steps 1-4.