IS4670: Project: Investigate Evidence and Create a Report of the Findings


Purpose

The purpose of this project is to provide an opportunity for students to apply the forensic investigation competencies gained throughout this course.

Learning Objectives and Outcomes

- You will be able to understand the process of conducting a digital forensic investigation.
- You will be able to understand the value of digital forensic investigations to organizations.
- You will be able to fulfill the role of an intern conducting a forensic investigation in a specific business situation.

Required Source Information and Tools

The following tools and resources will be needed to complete this project:

- ITT Tech Virtual Library
- Internet
- IS4670 course textbook, System Forensics, Investigation, and Response (Vacca, 2011)

Project Logistics

The project has one deliverable, as per the following details:

Activity Name                                              Assigned   Due      % Grade
Investigate Evidence and Create a Report of the Findings   Week 1     Week 6   25%

Deliverables

Scenario

You are a digital forensics intern at AAA Computer Forensics, a privately owned forensics investigations and data recovery firm. It's a Friday morning and your manager calls you with good news. He tells you that he is very happy with your performance and has a big task lined up for you. He also mentions that if you do this task well, you will be hired as an employee in this company. You are thrilled! With a big grin, you ask, "What's the task?"

Your manager tells you that AAA Computer Forensics is working with Corporation Techs, a company that has been struggling to maintain its customer base due to fierce competition with rival firm NetTech24x7. A disgruntled former employee of NetTech24x7 approached the owner of Corporation Techs with a tip that Corporation Techs' internal strategy memos, customer lists, and other sensitive documents were being passed along to a NetTech24x7 sales manager.

The former employee of NetTech24x7 claims that the files were being downloaded from Corporation Techs' Web site, but she did not know which specific folder was being accessed. Corporation Techs is now concerned that sensitive internal documents might be accessible to its competitor. It is also possible the disgruntled former employee is lying and only wants to learn about potential security holes in the Corporation Techs network. Therefore, the CEO of Corporation Techs has hired AAA Computer Forensics to conduct an informal investigation before involving law enforcement or regulatory agencies.

A thorough search of the Web site has been conducted, and no files were found beyond the static HTML Web pages expected. Three workstations are used to update content on the Web site, and a network packet trace has been captured for traffic between the workstations and the internal FTP upload site for posting data to the Web server. This packet trace is available for your use.

Once you understand the situation, your manager tells you to divide the investigation into three parts. The first part involves the use of NetWitness Investigator to identify user credentials, correlate source host address(es), and evaluate network traffic for unusual activity that might provide a starting point for your system forensic investigation. In the second part, you will use Paraben P2 Commander to examine a forensic system image and evaluate files, communications, and applications that could be items of potential evidentiary value in this investigation. You will use your findings from the first part of the investigation to guide your selection of workstation(s) for review and user profile(s) for specific investigation. In the third part, you need to document your results along with the investigative process and any indicators you discovered that led to additional actions on your part. The investigation must be limited to the scope identified by these indicators, and all investigative actions should be supportable if you are called as an expert witness in later proceedings.

Part 1: Review Packet Capture

Tasks

Perform the following steps:

1. Review demo labs and research the Internet and ITT Tech Virtual Library to find detailed information on NetWitness Investigator.
2. A free download of the software is available in case you want to experiment with how the program behaves, looks, and feels.
3. Examine how to access packet trace data using NetWitness Investigator.
4. Examine how to identify hosts within the Corporation Techs network conducting FTP file transmissions with the organization's Web server.
5. Document how to develop a listing of user credentials and transferred files associated with each.
6. Report how to identify potential hosts and users whose activities warrant further investigation.
7. Document the process used to identify every indicator that provides cause for further investigation.

Write the preliminary investigation document detailing the tasks mentioned above. This document should include dates and details of the investigator to serve as supportive documentation for your investigation later. All documentation should be made using a standard word processor format compatible with Microsoft Word.

Part 2: Examine Forensic Image

Tasks

Now, you must conduct a review of the workstation forensic image(s), identifying communications, applications, and data pertaining to any leak of sensitive information via the Web site. Due to time constraints, this review should be conducted in the most efficient manner possible, using details from your previous investigation of network traffic to identify the workstation(s) and user profile(s) of greatest interest for forensic review.

Perform the following steps:

1. Review demo labs and research the Internet to examine how P2 Commander is used to gather forensic data.
2. Examine files, communications, and applications of interest within the profile(s) identified by your earlier investigation.
3. Identify items with potential evidentiary value and investigate each.
4. Report how this software can help you in your proposed research.
5. Document the process used to identify each item of interest and any details that provide cause for further action.

Add the documentation detailed in the instructions above to your case file. This document should include dates and details of the investigator. All documentation should be made using a standard word processor format compatible with Microsoft Word.

Part 3: Create Report of Findings

Tasks

For the final part of this investigation, you must create a report of your investigation and its findings for the owner of Corporation Techs.

Perform the following steps:

1. Detail the process of acquisition and protection of each item of evidentiary value reviewed (example: workstation host media was forensically captured and the image used for all subsequent evaluations).
2. Detail the investigative process, together with indicators for detailed investigative review and assumptions made during the process.
3. Detail items of potential evidentiary value and provide a description of each and its relevance as an item of interest.
4. Develop a report of your findings, together with a supportable recommendation as to whether there is cause for further action.
5. Create a professional report detailing the information above, together with evidentiary reporting and supportive documentation detailing your investigation for the client.

Your report should be made using a standard word processor format compatible with Microsoft Word.
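Part 1 asks for a listing of hosts doing FTP transfers with the Web server, the credentials each used, the files each moved, and the indicators that justify further review. The following script is an added example, not part of the assignment or the NetWitness Investigator product: it reads a libpcap capture with a small pure-Python parser (Ethernet/IPv4/TCP), reconstructs the FTP control-channel commands per client/server pair, and flags two indicator types that fit the scenario (non-web file types uploaded to the web root, and one account used from more than one workstation). The capture, host addresses, user name, and file names are all constructed for the example; the set of "expected" web file types is an assumption an examiner would adjust to the client's site.

```python
"""Added example: pull FTP control-channel indicators out of a pcap capture.

The sample capture is built inline so the script runs offline; every host,
account and file name in it is constructed for the demonstration.
"""
import struct
from collections import defaultdict

PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

# Assumption for the demo: file types a static web site is expected to carry.
# Anything else uploaded to the web root is an indicator worth a closer look.
EXPECTED_WEB_TYPES = {"html", "htm", "css", "js", "png", "jpg", "gif"}


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame carrying `payload` (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture: two workstations talking to the FTP upload host."""
    server = "10.0.0.5"
    exchanges = [
        ("10.0.0.11", b"USER webadmin\r\n"),
        ("10.0.0.11", b"PASS hunter2\r\n"),
        ("10.0.0.11", b"STOR /htdocs/index.html\r\n"),
        ("10.0.0.12", b"USER webadmin\r\n"),
        ("10.0.0.12", b"PASS hunter2\r\n"),
        ("10.0.0.12", b"STOR /htdocs/img/logo.png\r\n"),
        ("10.0.0.12", b"STOR /htdocs/strategy_memo_q3.docx\r\n"),
    ]
    out = bytearray(PCAP_GLOBAL_HEADER)
    for seq, (host, line) in enumerate(exchanges):
        frame = tcp_frame(host, server, 40000 + seq, 21, line)
        out += struct.pack("<IIII", 1700000000 + seq, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_frames(pcap):
    """Yield (timestamp_sec, frame_bytes) for each record in a libpcap file."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp + data_off:14 + total_len]


def summarize_ftp(pcap, ftp_port=21):
    """Per (client, server) pair: user name, whether a password was sent, files touched."""
    sessions = defaultdict(lambda: {"user": None, "password_seen": False, "files": []})
    for _, frame in iter_frames(pcap):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, dst, _, dport, payload = pkt
        if dport != ftp_port or not payload:
            continue
        for line in payload.decode("ascii", "replace").splitlines():
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                sessions[(src, dst)]["user"] = arg
            elif verb == "PASS":
                # Note that credentials crossed the wire in clear, but keep the secret out of the case file.
                sessions[(src, dst)]["password_seen"] = True
            elif verb in ("STOR", "RETR", "DELE"):
                sessions[(src, dst)]["files"].append((verb, arg))
    return dict(sessions)


def indicators(sessions):
    """Hosts and accounts that warrant follow-up: non-web uploads, shared accounts."""
    findings = []
    hosts_per_user = defaultdict(set)
    for (src, _), info in sessions.items():
        hosts_per_user[info["user"]].add(src)
        for verb, path in info["files"]:
            ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
            if verb == "STOR" and ext not in EXPECTED_WEB_TYPES:
                findings.append(f"{src}: uploaded non-web file {path} as {info['user']}")
    for user, hosts in hosts_per_user.items():
        if len(hosts) > 1:
            findings.append(f"account {user!r} used from {len(hosts)} hosts: {sorted(hosts)}")
    return findings


if __name__ == "__main__":
    for finding in indicators(summarize_ftp(build_sample_pcap())):
        print(finding)
```

Two design points carry over to the real investigation: the password value is deliberately not written into the session record, only the fact that it was sent in clear, so the case file does not itself become a credential store; and each indicator is tied to a source host and account, which is exactly the hook Part 2 needs for choosing which workstation image and user profile to examine.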
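Part 3, step 1 asks you to document how each item of evidence was acquired and protected, the example given being a forensically captured workstation image used for all later evaluation. The following script is an added example and not part of the assignment: it shows the minimum an examiner records to make that claim supportable later, namely a hash of the image at acquisition, a custody entry naming the examiner and time, and a re-verification before each examination that is logged whether it matches or not. The image bytes, item identifier and examiner name are constructed placeholders.

```python
"""Added example: acquisition record and integrity re-check for a forensic image.

The "image" is constructed in memory; in practice the same functions would be
fed the image file read in chunks.  Item ids and names are placeholders.
"""
import datetime
import hashlib
import json


def sha256_of(data, chunk=1 << 20):
    """Hash in chunks so multi-gigabyte images do not need to fit in memory at once."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def utc_now():
    return datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")


def record_acquisition(case_log, item_id, description, data, examiner):
    """Create the custody entry for an item at the moment it is acquired."""
    entry = {
        "item": item_id,
        "description": description,
        "sha256": sha256_of(data),
        "acquired_by": examiner,
        "acquired_utc": utc_now(),
        "events": [],
    }
    case_log.append(entry)
    return entry


def verify_before_exam(entry, data, examiner, action):
    """Re-hash before working on the item; log the outcome either way and return it."""
    current = sha256_of(data)
    matched = current == entry["sha256"]
    entry["events"].append({
        "when_utc": utc_now(),
        "examiner": examiner,
        "action": action,
        "sha256_observed": current,
        "result": "match" if matched else "MISMATCH",
    })
    return matched


def case_log_as_json(case_log):
    """Serialisation suitable for attaching to the written report."""
    return json.dumps(case_log, indent=2, sort_keys=True)


if __name__ == "__main__":
    log = []
    image = b"constructed placeholder for a workstation disk image" * 1000
    ws1 = record_acquisition(log, "WS-01-IMG", "workstation 1 host media (placeholder)", image, "intern")
    print("pre-exam check:", verify_before_exam(ws1, image, "intern", "P2 Commander review"))
    print("tampered copy :", verify_before_exam(ws1, image + b"\x00", "intern", "second review"))
    print(case_log_as_json(log))
```

The point of logging a mismatch rather than raising an error is evidentiary: a failed integrity check is itself a fact the report must disclose, along with what was done about it, and silently aborting would leave no record of that.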
Self-Assessment Checklist

- I have demonstrated an understanding of the competencies covered in this course.
- I have documented the process and causes for investigation effectively.
- I have successfully identified items of potential evidentiary value.
- I have conducted the investigation with minimal exposure and examination of unrelated users' data.
- I have created a professional, well-developed report with proper documentation, grammar, spelling, and punctuation.

© ITT Educational Services
