Curtin University of Technology - CBS | Introduction 1
Computer Forensics Report
Process Framework and Procedural Manual for
Excellor Pty Ltd.
2012
Pedro Martins - 15527769
Curtin University of Technology - CBS
4/27/2012
ABSTRACT:
The following report proposes a comprehensive process framework, guidelines and procedures that Excellor should consider applying within its operations and business. It highlights the main aspects and considerations that the company should be aware of when restructuring its policies and procedures for managing digital evidence categorised as “secure classified information transmissions” and “operational duties” conducted using smartphone and social media tools and applications.
Curtin Business School
SCHOOL OF INFORMATION SYSTEMS
Cover Sheet – BIC601 Assignment 1
Semester 1, 2012
Name: Pedro Martins (given names: Pedro; surname/family name: Martins); Student ID No: 15527769
Unit Name (in full): Computer Forensics 601 (CF601)
Name of Tutor: Dr Collin James Armstrong; Day & Time of Tutorial: Friday, 9:00 am
Assignment Number and/or Name: CF601 Assignment 1
Due Date: 4th May, 2012 5PM; Date Submitted: 4th March 2012
Table of Contents
1. Introduction
2. Excellor Forensic Policy Considerations
3. Process Framework
3.1. Preparation Phase
3.2. Incident Response Phase
3.3. Data Collection Phase
i. Establish where all sought evidence can be found
ii. Create Order of Volatility
iii. Collect the Evidence
iv. Find Relevant Evidence
v. Document Everything
3.4. Data Analysis Phase
3.5. Findings Presentation Phase
3.6. Incident Closure Phase
4. Guidelines and Procedures
4.1. Procedural Manual
5. Recommendations
6. References
APPENDIX B – Anonymized Social Interconnection Graph using Picture Tags
APPENDIX C – Anonymized Example Timeline for 24-hour period
APPENDIX D – FireSheep Graphic User Interface
Table of Figures
Figure 1 - The three components for managing Digital Evidence
Figure 2 - ProDF layers
Figure 3 - Unique Incident Investigation
Figure 4 - Social Interaction Graph using Direct Messages
Figure 5 - Anonymized Social Interconnection Graph using Picture Tags
Figure 6 - Anonymized Example Timeline for 24-hour period
Figure 7 - Twitter metadata
Figure 8 - Facebook metadata
1. Introduction
In light of the increasing number of cyber-attacks that occurred in 2011 (e.g. Anonymous, HBGary, Sony and WikiLeaks), Excellor Pty Ltd. has contracted the services of a forensic expert to elaborate and propose a process framework for managing digital evidence, considerations for developing a procedural manual, considerations for developing the company’s policy, guidelines and procedures for forensic activities, and more.
However, the growing use of smartphones (e.g. iPhone) and social networks (such as Facebook, LinkedIn, etc.) has become a major concern in computer forensics, since they form another communication channel linking the internal environment of a company to the outside world. What is more, the significant increase in functionality added to smartphones creates many challenges for a forensic investigator, since their operating systems are constantly changing (Adams 2010).
Current smartphones are capable of storing a large volume of data and, therefore, have become one of the main targets for collecting relevant digital evidence[1] while conducting an investigation. Data frequently found on smartphones include:
- Application Data
- Call History
- eBooks
- Maps
- Email
- Photos
- Text Messaging
- Video
- Web History
- Audio
After digital evidence is collected and analysed, it can be used by many different departments within an organisation for various reasons. For example, the Human Resources department might need evidence to confirm misbehaviour of a staff member. Similarly, auditors can use evidence to prove dishonest transactions, and managers can use it to monitor and control whether data flows comply with governance regulations (CP Grobler & CP Louwrens 2010).
The following report has the purpose of assisting and instructing Excellor’s senior management, such as the Chief Officer and Chief Executive Officer, on taking specific measures in the event of misuse of company data categorised as “classified” on corporate smartphone devices and social media. Furthermore, this document serves as a guide to the important activities that must be considered in case of inappropriate use of company data.
Hence, the facts researched and discussed in this document will assist the relevant parties in managing digital evidence and taking effective and efficient action, helping Excellor to minimise the effects caused by any internal or external digital incident[2] that significantly affects the company’s business.
[1] For the purpose of this assignment, digital evidence is considered to be all corporate data that is categorised as “secure classified information transmissions” and “operational duties” conducted using smartphones, social media tools and applications.
2. Excellor Forensic Policy Considerations
All major forensic concerns present in the company’s policies should be addressed in clear statements that help authorised personnel to monitor systems and networks, in order to take immediate measures in response to an incident (Kent, et al. 2006).
Any investigation should be kept confidential, especially when dealing with staff members of a business environment, unless the case is taken to court. If case details spread throughout the company or to any unrelated party, the investigation loses its credibility and leads Excellor to violate contractual agreements made between the company and the employee (Nelson, Phillips and Steuart 2010).
Although technology can be used for many beneficial purposes, it can also be accidentally or intentionally misused to give unauthorised access to corporate data and information, or to modify, destroy or steal information, including digital evidence of an incident. Hence, in order to ensure that forensic tools are used appropriately, it is a sound strategy to specify within Excellor’s policy which forensic actions should and should not be performed for different types of incident.
In short, Excellor’s forensic policies should consider, but not be limited to:
- Outlining the roles and responsibilities of all stakeholders (internal and external) involved in the organisation’s forensic activities, and clearly indicating who should be assigned to which type of event.
- Explaining which forensic procedures should and should not be executed under normal and special conditions, and addressing the use of anti-forensic tools and techniques.
- Entitling authorised people to carry out investigations of corporate-issued smartphones for justifiable reasons, under the appropriate conditions.
- Incorporating forensic concerns when planning and developing the information system life cycle, possibly leading to more efficient and effective management of different types of incident.
- Ensuring that storage of data collected by forensic tools does not violate the company’s privacy or data custody policies.
- Monitoring of networks, and informative messages on systems that communicate to users that activity might be monitored. The policies should consider reasonable expectations of user privacy.
3. Process Framework
In the event of a cyber-crime within Excellor’s environment, it is important to follow a process framework that gives investigators an appropriate approach to responding to the incident. Therefore, two existing frameworks were identified that can be applied to Excellor’s business for managing Digital Forensics (DF) evidence.
According to Grobler et al. (2010), a company should be aware of and prepare itself for possible cyber-attacks, and take the appropriate measures to either avoid or minimise the damage caused within its business. Therefore, the authors have identified three components that should work together, and not in isolation: Proactive, Active and Reactive DF.
[2] An incident is considered to be the misuse of any corporate data, leading to violation of the company’s regulations and State laws (e.g. criminal, civil and statute).
- Proactive DF (ProDF) relates to any measures that a company can take to foresee or prevent digital incidents by ensuring that it possesses enough technology, processes and procedures to minimise disruption of business in the event of a digital crime.
- Active or ‘live’ DF (ActDF) is the capability of an organisation to collect relevant, comprehensive digital evidence from live systems in order to minimise the effect of an incident while it is still ongoing.
- Reactive or ‘dead’ DF (ReDF) is the stage in which a company applies its analytical and investigative techniques in order to preserve, identify, extract, document, analyse and interpret the digital evidence.
The following graphic correlates the three components and shows when each should be applied.
Figure 1 - The three components for managing Digital Evidence (Grobler, Louwrens and Solms 2010)
Furthermore, there are some critical factors to be considered when adopting proactive measures against potential digital incidents. Excellor’s policies, processes, technologies and people are the foundation for effective business governance, which must be in accordance with local laws and regulations. The figure below illustrates the sub-components that must be considered when adopting Proactive DF measures within Excellor and explains what each sub-component involves.
Figure 2- ProDF layers (Grobler, Louwrens and Solms 2010)
The following framework displays a detailed order of processes and activities that should be undertaken in case of a digital crime. When analysing the next graphic, it is possible to notice that each process output serves as an input to the next one, thus creating a pattern when responding to incidents.
This process framework is based on the concept proposed by Nicole Beebe and Jan Clark (2005). In comparison, none of the other existing models provided sufficient detail to enable all members of a digital forensics team to take efficient measures in response to digital incidents (Beebe and Clark 2005). Hence, this model is an extension of the one proposed by Grobler, Louwrens and Solms (2010) and presents the most suitable framework to be incorporated within Excellor’s information security environment.
Figure 3- Unique Incident Investigation (Beebe and Clark 2005)
3.1. Preparation Phase
This phase contains proactive measures that Excellor should perform to minimise damage in the event of cyber-attacks. According to Trcek et al. (2010), every company should adapt its systems (whether computerised or not) to collect and preserve potential digital evidence in a structured way.
Additionally, during the Preparation Phase some activities (listed later in this document) should be executed in order to maximise digital evidence availability in support of the investigation and prosecution of computer security incidents. Different cases have distinct characteristics, and, therefore, the Preparation Phase might vary according to each individual scenario, though following a common pattern.
Nevertheless, there are tools that can be used to control users’ access to social media within Excellor’s premises. For example, FireSheep (http://codebutler.com/firesheep) is free open-source software capable of capturing sessions on any insecure website known to the program, including social media sites. As soon as someone visits one of these websites, the name and photo are displayed. Appendix D shows snapshots of the software interface.
However, before adopting any similar measure, it is crucial to create a new policy that permits Excellor’s authorities to execute this action.
3.2. Incident Response Phase
This phase consists of detecting, and initiating a pre-investigation response to, a computer or mobile device suspected of being involved in an incident, such as data theft, uploading or downloading inappropriate or illegal content from the Internet, breach of computer security, and so on.
3.3. Data Collection Phase
Although information and data about a given incident are gathered during the Incident Response Phase, Data Collection has the purpose of collecting the digital evidence that will support the response and investigative plan.
When managing evidence, it is important to keep in mind that not all information will be evidence, and that evidence must be identified proactively.
Information is considered digital evidence when it is:
- Admissible: it must contain information that is reasonable enough to be used in court.
- Authentic: the evidence is connected to the investigated incident.
- Complete: it includes exculpatory evidence for alternative suspects.
- Reliable: the authenticity and veracity of the evidence must be indubitable.
- Believable: it is clear, easy to understand, and believable by a jury.
There is a series of steps that should be undertaken when collecting digital evidence:
i. Establish where all sought evidence can be found
Prior to responding to any incident, a trained team should be assembled and made aware of all available facts, plans and objectives in order to carry out the plan for collecting and analysing data. Assigning trained investigators to gather data helps to collect the crucial evidence for an incident, also known as Comprehensive Digital Evidence (CDE) (CP Grobler & CP Louwrens 2010). In other words, the team will be able to collect relevant and sufficient information to determine the origins of the incident, linking the perpetrator to the event.
ii. Create Order of Volatility
Taking into consideration that digital evidence is volatile and, therefore, can easily be lost or corrupted, it is reasonable to assume that data collection must be done rapidly, in order to acquire more accurate information about the evidence. Delayed responses might result in the loss of crucial information for the case (Nelson, Phillips and Steuart 2010). Therefore, a plan should be created to decide the most effective way of gathering data, determining what to collect and where to collect it from.
iii. Collect the Evidence
With the purpose of capturing volatile evidence, if an incident is discovered it is crucial that the suspect computer or mobile device stays connected to the network and is not rebooted until relevant data has been captured. Unplugging the computer from the network, or not keeping the mobile device powered up, may spoil the investigation, since critical volatile data will be destroyed.
Throughout this stage, the investigation team must collect as much evidence as they possibly can, and collect it the first time they see it. In some cases, volatile data (data kept in memory, such as running processes, network connections and clipboard contents) might be lost due to delay in the incident response or unprofessional execution of this process.
The following tools are commonly used to provide important data for forensic investigations, mainly on desktops and/or laptops. However, those same tools can only be applied to smartphones if the phones are connected to the company’s network and, consequently, behave and work as a regular computer. Hence, Excellor can make use of various sources in order to collect the maximum amount of relevant digital evidence for possible incidents, such as:
- Command
- Netstat
- Psloglist
- Netcat
- Pslist
- Netusers
- Net (user, session)
- Pulist
- ListDLLs
- Handle
- Tlist
- Tasklist
- PS
- IPConfig
- NBTStat
- Fport
- Openports
- DOSKEY
- GPList
- Time
- Date
- Route
Many of the tools listed above provide similar types of information (such as IP address, MAC address, tasks performed by a computer or connected smartphone, ports used between source and destination machines, websites recently visited, processes and their identification numbers, date and time of various operations, and more). Yet each one provides specific detailed information that the others lack.
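The order-of-volatility step and the tool list above can be turned into a repeatable collection script. The following is an added example, not the report’s own tooling: it runs a table of commands from most to least volatile, saves each output into a case directory, and records a SHA-256 digest and UTC start time per artefact, so that a failed or missing tool is logged rather than aborting the rest of the collection. The command tables are an assumption for illustration (Windows built-ins named in the report and rough Linux equivalents), and `SELF_CHECK_COMMANDS` is a constructed input that runs anywhere Python is installed.

```python
"""Live-response collector ordered by volatility (added example, not the
report's tooling).  Runs commands from most to least volatile, saves every
output and records a digest and UTC timestamp for each artefact."""
import hashlib
import json
import platform
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

# Most volatile artefacts first: clock, processes, connections, users, then
# configuration that survives a reboot.  Entries are (artefact name, argv).
# Assumed tables for illustration; adapt to the approved response toolkit.
VOLATILITY_ORDER_WINDOWS = [
    ("date_time", ["cmd", "/c", "date /t & time /t"]),
    ("processes", ["tasklist", "/v"]),
    ("network_connections", ["netstat", "-ano"]),
    ("logged_on_users", ["query", "user"]),
    ("ip_configuration", ["ipconfig", "/all"]),
    ("routing_table", ["route", "print"]),
]
VOLATILITY_ORDER_LINUX = [
    ("date_time", ["date", "-u"]),
    ("processes", ["ps", "auxww"]),
    ("network_connections", ["ss", "-tunap"]),
    ("logged_on_users", ["who"]),
    ("ip_configuration", ["ip", "addr"]),
    ("routing_table", ["ip", "route"]),
]

# Constructed self-check input: one command that succeeds on any host with
# Python, and one tool that does not exist.
SELF_CHECK_COMMANDS = [
    ("interpreter_version", [sys.executable, "--version"]),
    ("missing_tool", ["no-such-forensic-tool-xyz"]),
]


def run_one(argv, timeout=60):
    """Run one command and return (returncode, combined stdout+stderr).

    Never raises: a missing or hanging tool is recorded as a failed
    artefact (returncode -1) instead of aborting the collection, because
    the later, less volatile items are still worth capturing."""
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        return proc.returncode, proc.stdout + proc.stderr
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return -1, f"collection failed: {exc!r}".encode()


def collect(commands, case_dir, examiner):
    """Execute `commands` in the given order and return the collection log."""
    case_dir = Path(case_dir)
    case_dir.mkdir(parents=True, exist_ok=True)
    log = []
    for seq, (name, argv) in enumerate(commands, start=1):
        started = datetime.now(timezone.utc).isoformat()
        rc, output = run_one(argv)
        out_file = case_dir / f"{seq:02d}_{name}.txt"
        out_file.write_bytes(output)
        log.append({
            "seq": seq,
            "artefact": name,
            "command": argv,
            "started_utc": started,
            "returncode": rc,
            "file": out_file.name,
            "size": len(output),
            "sha256": hashlib.sha256(output).hexdigest(),
            "examiner": examiner,
        })
    # The log is part of the record: it ties each file to a time, an
    # operator and a digest that can be re-checked later.
    (case_dir / "collection_log.json").write_text(json.dumps(log, indent=2))
    return log


if __name__ == "__main__":
    table = VOLATILITY_ORDER_WINDOWS if platform.system() == "Windows" else VOLATILITY_ORDER_LINUX
    for e in collect(table, "case_0001_live", "examiner placeholder"):
        print(f'{e["seq"]:02d} {e["artefact"]:<20} rc={e["returncode"]:>3} sha256={e["sha256"][:16]}...')
```

Run the script on the suspect host from response media; the digests in `collection_log.json` are what later lets an analyst show that the saved outputs are the ones captured at that time.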
One of the biggest constraints that forensic examiners face with mobile phones is that the devices can be used anywhere outside the company’s premises. Although it is possible for investigators to collect information on smartphones that is leaked via text messages, upload/download of files, or social networks, it might be an extremely hard task to detect and gather suspicious activity if information is sent via a phone call. Therefore, although call history is recorded on the device, the content of a conversation is difficult to track unless the phone is tapped.
As for social media, searching for digital evidence becomes even more complicated, since the information is stored at the social network’s operator and cannot be found on the suspect’s computer’s hard drive.
There are different procedures that can be followed in order to collect data from social networks. Acquiring the server’s hard drives is one, although it is not feasible in most cases. Another alternative is to ask the social media operator to send crucial data to the investigator. However, this measure conflicts with the rules for evidence gathering, because the investigator is unable to prove that the evidence is complete, reliable and authentic (Mulazzani, Huber and Weippl 2011). Hence, those two options should be discarded at first, and data gathering should rely mainly on the investigative capabilities of the forensic examiner.
According to Mulazzani, Huber and Weippl (2011), even though social networks have distinct features and architectures, there are common data sources that can provide forensic investigators with crucial information on those types of media, as follows:
- The social footprint: relates the user’s social circle and relationships, defining who he/she is connected to and what his/her interests are.
- Communication patterns: establish the methods in which the medium is used to communicate, how it is used, and who the user is communicating with. In order to present this information graphically, it is possible to apply the Social Interaction Graph using Direct Messages (Mulazzani, Huber and Weippl 2011), as shown in Figure 4 (please refer to Appendix A for the figure in larger scale).
Figure 4 - Social Interaction Graph using Direct Messages (Mulazzani, Huber and Weippl 2011).
- Pictures and videos: define which pictures and videos the user has uploaded to the social network and those in which he/she was tagged on other people’s pictures. As shown in Figure 5, the “Anonymized Social Interconnection Graph using Picture Tags” (Mulazzani, Huber and Weippl 2011) can be applied in order to track the suspect’s closest connections (please refer to Appendix B for the figure in larger scale). The graph is created using the following steps:
i. Starting from the suspect’s account, all pictures from all of the suspect’s “friends” are gathered.
ii. Accounts that are tagged in the pictures but are not in the suspect’s “friend” list are ignored.
iii. If the tagged person is also the suspect’s “friend”, then an edge is added between the two nodes, pointing from the profile that uploaded the picture to the profile that was tagged.
Figure 5 - Anonymized Social Interconnection Graph using Picture Tags (Mulazzani, Huber and Weippl 2011).
- Times of activity: identify the time when a specific user joined or connected to the social network and when exactly a particular activity took place. Therefore, a timeline is a reasonable strategy to adopt, giving a chronological order to the events, as suggested by Mulazzani, Huber and Weippl (2011). Figure 6 is an example of such a timeline (please refer to Appendix C for the figure in larger scale).
Figure 6 - Anonymized Example Timeline for 24-hour period (Mulazzani, Huber and Weippl 2011).
- Apps: define and list the apps that the user may be making use of, and the purpose of using them.
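The three steps listed under “Pictures and videos” are mechanical enough to script. The block below is an added example, not code from the report or from Mulazzani, Huber and Weippl: it builds the picture-tag graph (gather the circle’s pictures, drop tagged accounts outside the friend list, add one uploader-to-tagged edge per tag), ranks the suspect’s closest connections by tag interactions, and emits Graphviz DOT for a figure like Figure 5. Two assumptions are made explicit in the code: the suspect’s own uploads are part of the gathered set, and the suspect counts as a member of the circle when tagged. All account names and pictures are constructed sample data.

```python
"""Social interconnection graph from picture tags (added example; not the
report's or Mulazzani et al.'s code).  Assumes the suspect's own uploads are
gathered too and that the suspect is a member of the circle when tagged."""
from collections import Counter

# Constructed sample input: suspect, friend list, and the pictures visible on
# each profile together with the accounts tagged in them.
SUSPECT = "suspect"
FRIENDS = {"alice", "bob", "carol", "dave"}
PICTURES = [
    {"uploader": "alice",   "tags": ["bob", "suspect", "eve"]},  # eve is not a friend
    {"uploader": "alice",   "tags": ["bob"]},
    {"uploader": "bob",     "tags": ["alice", "carol"]},
    {"uploader": "carol",   "tags": ["bob", "mallory"]},         # mallory is not a friend
    {"uploader": "dave",    "tags": []},                         # no tags, no edges
    {"uploader": "suspect", "tags": ["alice"]},
    {"uploader": "eve",     "tags": ["alice", "bob"]},           # outside the circle: not gathered
]


def build_tag_graph(suspect, friends, pictures):
    """Return a weighted edge map {(uploader, tagged): number of pictures}."""
    circle = set(friends) | {suspect}
    edges = Counter()
    for pic in pictures:
        if pic["uploader"] not in circle:          # step i: only the circle's pictures
            continue
        for tagged in pic["tags"]:
            if tagged not in circle:               # step ii: ignore outsiders
                continue
            if tagged == pic["uploader"]:          # a self-tag is not a relationship
                continue
            edges[(pic["uploader"], tagged)] += 1  # step iii: uploader -> tagged
    return dict(edges)


def closest_connections(edges, account, top=3):
    """Rank accounts by tag interactions with `account` in either direction."""
    score = Counter()
    for (src, dst), n in edges.items():
        if src == account:
            score[dst] += n
        elif dst == account:
            score[src] += n
    return score.most_common(top)


def to_dot(edges):
    """Render the edge map as Graphviz DOT, one labelled arrow per edge."""
    lines = ["digraph picture_tags {"]
    for (src, dst), n in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [label={n}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    graph = build_tag_graph(SUSPECT, FRIENDS, PICTURES)
    print(to_dot(graph))
    print("closest to suspect:", closest_connections(graph, SUSPECT))
```

Edge weights count pictures rather than single tags, so a pair that appears together repeatedly stands out in the ranking; piping the DOT output through `dot -Tpng` draws the graph.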
As stated by Patzakis (2012), it is possible to extract relevant data for each user. This can be achieved by using metadata fields, which contain important information for establishing the authenticity of the data collected.
The two figures below show useful fields for gathering relevant information on Twitter and Facebook, as examples of social media.
Figure 7 – Twitter metadata (Patzakis 2012).
Figure 8 - Facebook metadata (Patzakis 2012).
iv. Find Relevant Evidence
Organise the findings and identify those that are relevant to the investigation. Investigators should be capable of recognising and filtering which pieces of information are relevant to a given case.
v. Document Everything
In order to keep reliable records and preserve the integrity of the collected information, every finding should have a hash value, timestamps, signed statements, digital signatures, witness statements, etc.
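The records described under “Document Everything” can be produced as a manifest. The block below is an added example, not from the report: for every finding it stores a SHA-256 digest of the file, a UTC timestamp, the examiner’s name and a short statement, then seals the record with an HMAC over its canonical JSON form and shows what verification reports when either the evidence file or the manifest record is changed afterwards. The HMAC stands in for the digital signature the report calls for (a real deployment would use an asymmetric signature and a trusted timestamp); the examiner key, file names and contents are constructed.

```python
"""Evidence manifest with hash, timestamp, statement and seal (added example,
not from the report).  An HMAC over the canonical record stands in for a
digital signature; EXAMINER_KEY and the sample files are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from pathlib import Path

EXAMINER_KEY = b"constructed-examiner-key-not-for-real-use"  # placeholder secret


def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def seal(record, key):
    """HMAC over the canonical (sorted-key, no-whitespace) JSON of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def add_finding(manifest, path, examiner, statement, key):
    path = Path(path)
    record = {
        "file": path.name,
        "sha256": sha256_file(path),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "statement": statement,
    }
    record["seal"] = seal(record, key)   # the seal covers every field above
    manifest.append(record)
    return record


def verify_manifest(manifest, evidence_dir, key):
    """Return (file, problem) pairs; an empty list means everything checks out."""
    problems = []
    for rec in manifest:
        body = {k: v for k, v in rec.items() if k != "seal"}
        if not hmac.compare_digest(seal(body, key), rec["seal"]):
            problems.append((rec["file"], "record altered"))
        path = Path(evidence_dir) / rec["file"]
        if not path.exists():
            problems.append((rec["file"], "missing"))
        elif sha256_file(path) != rec["sha256"]:
            problems.append((rec["file"], "content changed"))
    return problems


def demo(workdir):
    """Build a manifest for two constructed files, then show both failure modes."""
    d = Path(workdir)
    d.mkdir(parents=True, exist_ok=True)
    (d / "sms_export.txt").write_text("constructed sample: SMS export\n")
    (d / "photo_tags.json").write_text('{"constructed": "sample tag list"}\n')
    manifest = []
    for name in ("sms_export.txt", "photo_tags.json"):
        add_finding(manifest, d / name, "J. Examiner (placeholder)",
                    "Collected from corporate handset", EXAMINER_KEY)
    clean = verify_manifest(manifest, d, EXAMINER_KEY)
    # Failure mode 1: the evidence file is edited after collection.
    (d / "sms_export.txt").write_text("constructed sample: SMS export, edited later\n")
    after_file_edit = verify_manifest(manifest, d, EXAMINER_KEY)
    # Failure mode 2: a manifest record is rewritten without re-sealing it.
    manifest[1]["statement"] = "statement rewritten without re-sealing"
    after_record_edit = verify_manifest(manifest, d, EXAMINER_KEY)
    return clean, after_file_edit, after_record_edit


if __name__ == "__main__":
    for label, result in zip(("clean", "file edited", "record edited"), demo("custody_demo")):
        print(f"{label:>14}: {result or 'OK'}")
```

Keeping the file digest and the sealed record as separate checks is deliberate: the first detects changes to the evidence, the second detects changes to the story told about it, and a custody review needs to distinguish the two.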
3.4. Data Analysis Phase
This phase aims to structure and give meaning to the data collected in the previous phase. It is usually the most complex and time-consuming stage, since every relevant piece of evidence extracted is analysed and reconstructed in an organised way, in order to confirm or refute allegations of suspicious activity.
3.5. Findings Presentation Phase
After the data have been analysed, it is important to bear in mind the different types of audience that the analysis report will be presented to. Therefore, a report should communicate relevant findings according to the level of computer literacy of its audience, whether it is addressed to managers, technical personnel, legal personnel, or law enforcement professionals.
Additionally, the presentation(s) can be written, oral or a combination of both. It attempts to provide a brief but detailed reconstruction of the facts analysed during the Data Analysis Phase.
3.6. Incident Closure Phase
As the name suggests, during this phase the investigation must be closed out and action should be taken upon any decisions related to it. Moreover, any new knowledge gained from a case should be preserved for future reference.
4. Guidelines and Procedures
Given that electronic records and data can easily be changed and altered, it is important that Excellor specifies guidelines and procedures that facilitate further forensic actions towards incidents that may lead to prosecution or internal disciplinary measures. It is important that Excellor’s forensic guidelines and procedures are consistent with its policies and other applicable laws.
In order to outline the guidelines and procedures at the utmost level of quality, Excellor should include technical experts and legal advisors during their development. Additionally, the participation of managers is also relevant, since they can determine whether the proposed guidelines and procedures are aligned with the company’s requirements, goals and objectives.
Moreover, taking into consideration that each incident requires different methods for handling it, developing complete guidelines and procedures for every possible situation is not usually practicable.
Therefore, organisations should develop a procedure manual for carrying out all routine activities in the protection, collection, examination and analysis, and reporting of digital evidence found on
smartphones and social media. The document should be developed in a forensically sound manner,
suitable for legal prosecution or disciplinary actions. It is crucial that the guidelines and procedures
support the admissibility of digital evidence into legal measures, including:
- seizing and handling evidence correctly;
- managing the chain of custody;
- storing the digital evidence appropriately;
- establishing and preserving the genuineness of forensic tools and equipment;
- capability of demonstrating the authenticity of any electronic records, case files, and logs.
Excellor should constantly be aware of significant changes in smartphone technology, and social
media functionalities and architectures that might affect the company’s guidelines and procedures.
4.1. Procedural Manual
The company’s procedural manual has the purpose of describing the procedures and policies that Excellor’s employees and managers need to carry out in the event of a digital incident.
The manual has been developed from the concepts and definitions in the process framework proposed in this document. This section outlines a series of activities for each of the phases previously mentioned, in order to avoid, minimise and control the effects caused by an incident.
FOUNDATION FOR EXCELLOR’S PROCEDURAL MANUAL ACTIVITIES

PREPARATION PHASE
- Risk assessment related to Excellor’s vulnerabilities, loss/exposure, threats, weaknesses, etc.
- Build up an Incident Response Plan, including staff assignments, procedures, policies and regulations.
- Develop a document relating the company’s technical capabilities (e.g. response toolkits).
- Train a satisfactory number of staff to conduct investigations in the event of a digital incident.
- Define and document the company’s standards for handling and preserving evidence integrity.

INCIDENT RESPONSE PHASE
- Identify unauthorised or suspicious activities executed by Excellor’s staff members.
- Report identified or suspected unauthorised activity to the CIO or CEO, depending on the circumstances.
- Confirm the incident.
- Develop a suitable plan to control, eliminate, recover, and investigate digital evidence, taking into account the business’s technical, political, and legal factors.
- Prepare the Investigation Plan for data collection and analysis.

DATA COLLECTION PHASE
- Conclude the data gathering which began during the Incident Response Phase.
- Acquire network-based incriminating evidence from applicable sources, such as log servers, firewalls, routers, intrusion detection systems, etc.
- Obtain host-based evidence from relevant sources, such as system date/time information, volatile data, storage drives, etc.
- Acquire removable media evidence from the suspect computer, such as CD-ROMs, USB devices, and so on.
- Collect information present on social media used by the suspect, searching throughout the five common data sources mentioned above.
- Create hash keys to ensure the integrity and authenticity of the digital evidence.
- Ensure that people accountable for packaging, transporting and storing the digital evidence have signed off relevant documentation acknowledging their “Dos and Don’ts”.

DATA ANALYSIS PHASE
- Summarise the large amount of data collected throughout Data Collection and elaborate an analysis report to help investigators better understand the relevant evidence.
- Assess the analysis report and search for information that is relevant to the case.
- Study, analyse, and reconstruct the data to respond to crucial investigative inquiries.

FINDINGS PRESENTATION PHASE
- Assess the audience to which the material will be presented.
- Determine the most effective way to communicate to the respective audience.
- Summarise relevant findings.
- Prepare and present the findings.

INCIDENT CLOSURE PHASE
- Oversee the entire investigation and document a critical review and the lessons learned from it.
- Take decisions based on the results of the findings presentation, and act upon them.
- Evidence disposal (e.g. destroy, return to owner).
- Collect and protect all information linked to the incident.

It is relevant to mention that the activities above can be executed in a sequential and/or iterative manner, though they should always respect the order in the graphic proposed by Nicole Beebe and Jan Clark (2005).
5. Recommendations
After in-depth research into the various methods used to manage forensic activities, it is recommended that Excellor use a combination of the two frameworks proposed earlier. Because they take different approaches, they can be adapted to complement each other.
The framework developed by Grobler et al. (2010) describes how the company should react to an incident depending on whether it is still in progress or already over. It recognises that the company (in this case Excellor) should be aware of, and prepare for, potential incidents. It also breaks down how evidence and incidents relate to Excellor's governance and policies, showing that evidence handling should be considered proactively when the company's policies are written. However, it does not define the procedures a company should follow when actually responding to an incident.
Consequently, the framework proposed by Nicole Beebe and Jan Clark (2005) should be implemented within Excellor's operations, since it provides a more effective approach to responding to a given incident. Its six interrelated phases give the company a series of activities to carry out in the event of a cyber-incident, and the iteration it allows between the phases maximises the results obtained while managing digital evidence.
Capturing digital evidence before the company's operations are compromised is a major priority and should be adopted in Excellor's policies. Acting proactively helps Excellor achieve two main goals (Trcek et al. 2010):
i. Minimise costs when responding to incidents
ii. Maximise the company's capability to collect digital evidence
For that reason, Excellor should continuously manage corporate data and gather potential evidence, such as telephone records, log files, e-mails and network traffic records, before becoming involved in an investigation (Trcek et al. 2010). Such records are only useful as evidence if their clocks are synchronised, they are protected from modification after collection, and they are kept for a defined retention period.
To monitor data traffic regularly, Excellor can use a packet analyser such as Wireshark to observe data flow within its network, which increases the probability of detecting suspicious behaviour from computers on that network and then taking appropriate action. Firesheep, mentioned earlier, is a different kind of tool: it is a Firefox extension that captures session cookies sent in cleartext over HTTP on a shared network and lets its user take over those sessions. It demonstrates session hijacking rather than providing monitoring, and used without explicit authorisation it amounts to hijacking employees' accounts. Its real lesson for Excellor is that the same cookies are exposed to any attacker on the same network segment, so access to social-media sites should be required to use HTTPS (or be blocked), and any use of the capture capability belongs only inside an authorised, documented investigation.
With regard to the company's policies, it is crucial that top management and the other relevant parties include clauses that permit routine monitoring of any device issued by the organisation and of employees' use of social media, with users notified that such monitoring may occur. These policies let management direct operations without constant intervention, because they align day-to-day practice with the company's objectives.
Hence, if all the measures and actions described in this document are applied within Excellor's business, it is more likely that the company will not have to interrupt its operations, because its responses and counter-measures against cyber-attacks and other digital incidents will have been planned in advance.
6. References
Adams, Rob. Articles: Challenges of Smart Phone Forensics. 2010. http://www.forensicfocus.com/challenges-of-smart-phone-forensics (accessed May 1, 2012).
American Academy of Forensic Sciences. "Policy and Procedure Manual." The American Academy of Forensic Sciences, 2011: 1-195.
Beebe, Nicole Lang, and Jan Guynes Clark. "A hierarchical, objectives-based framework." Elsevier, 2005: 21.
Cohen, Frederick B. Fundamentals of Digital Forensic Evidence. Professional Report, California: California Sciences Institute, 2008.
CP Grobler & CP Louwrens. Digital Evidence Management Plan. Johannesburg: University of Johannesburg & Nedbank, 2010.
Grobler, CP, CP Louwrens, and SH Solms. "A framework to guide the implementation of Proactive Forensics in Organizations." International Conference, 2010: 6.
Kent, Karen, Suzanne Chevalier, Tim Grance, and Hung Dang. "Guide to Integrating Forensic Techniques into Incident Response." U.S. Department of Commerce, 2006: 1-121.
Mulazzani, Martin, Markus Huber, and Edgar Weippl. Social Network Forensics: Tapping the Data Pool of Social Networks. Professional Research, Sba-Research.org, 2011.
Nelson, Bill, Amelia Phillips, and Christopher Steuart. Guide to Computer Forensics and Investigations. Boston: Course Technology, Cengage Learning, 2010.
Patzakis, John. Key Twitter and Facebook Metadata Fields Forensic Investigators Need to be Aware of. Professional Report, Forensic Focus, 2012.
Rogers, Marcus K. Cyber Forensics: Evidence Collection, Management and Handling. Indiana, 5 March 2009.
Security Transcends Technology. Cyber Forensics: Evidence Collection, Management and Handling. San Antonio, 5 March 2009.
Trcek, Denis, Habtamu Abie, Asmund Skomedal, and Iztok Starc. "Advanced Framework for Digital Forensic Technologies and Procedures." Journal of Forensic Sciences 55 (November 2010): 1471-1479.
APPENDIX A - Social Interaction Graph using Direct Messages
APPENDIX B - Anonymized Social Interaction Graph using Picture Tags
APPENDIX C - Anonymized Example Timeline for 24-hour period
APPENDIX D - FireSheep Graphic User Interface

More Related Content

What's hot

The Workplace Engagement Economy Where HR, Social, Mobile, and Tech Collide
The Workplace Engagement Economy Where HR, Social, Mobile, and Tech CollideThe Workplace Engagement Economy Where HR, Social, Mobile, and Tech Collide
The Workplace Engagement Economy Where HR, Social, Mobile, and Tech CollideJessica Miller-Merrell
 
The 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global InformationThe 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global Informationjtfoster
 
LAW 531 MART Education Counseling--law531mart.com
LAW 531 MART Education Counseling--law531mart.comLAW 531 MART Education Counseling--law531mart.com
LAW 531 MART Education Counseling--law531mart.comKeatonJennings88
 
A web based applicants’ matching system (wbams)
A web based applicants’ matching system (wbams)A web based applicants’ matching system (wbams)
A web based applicants’ matching system (wbams)Alexander Decker
 

What's hot (6)

The Workplace Engagement Economy Where HR, Social, Mobile, and Tech Collide
The Workplace Engagement Economy Where HR, Social, Mobile, and Tech CollideThe Workplace Engagement Economy Where HR, Social, Mobile, and Tech Collide
The Workplace Engagement Economy Where HR, Social, Mobile, and Tech Collide
 
Oracle 10 g Good one
Oracle 10 g Good oneOracle 10 g Good one
Oracle 10 g Good one
 
The 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global InformationThe 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global Information
 
LAW 531 MART Education Counseling--law531mart.com
LAW 531 MART Education Counseling--law531mart.comLAW 531 MART Education Counseling--law531mart.com
LAW 531 MART Education Counseling--law531mart.com
 
The HR Technology Selection Guide
The HR Technology Selection GuideThe HR Technology Selection Guide
The HR Technology Selection Guide
 
A web based applicants’ matching system (wbams)
A web based applicants’ matching system (wbams)A web based applicants’ matching system (wbams)
A web based applicants’ matching system (wbams)
 

Similar to CF601_Assignment2_Martins_15527769

Master\'s Thesis
Master\'s ThesisMaster\'s Thesis
Master\'s Thesistaco_dols
 
30120245 iqbal pinjari_assign
30120245 iqbal pinjari_assign30120245 iqbal pinjari_assign
30120245 iqbal pinjari_assignikqs
 
Information Security Policies
Information Security PoliciesInformation Security Policies
Information Security PoliciesLaura Martin
 
Software Paper – ACCT 422Auditors use electronic software prog.docx
Software Paper – ACCT 422Auditors use electronic software prog.docxSoftware Paper – ACCT 422Auditors use electronic software prog.docx
Software Paper – ACCT 422Auditors use electronic software prog.docxwhitneyleman54422
 
Wk 7 Case Study Summary Paper_ISSC331_Intindolo
Wk 7 Case Study Summary Paper_ISSC331_IntindoloWk 7 Case Study Summary Paper_ISSC331_Intindolo
Wk 7 Case Study Summary Paper_ISSC331_IntindoloJohn Intindolo
 
Research Paper On Selenium
Research Paper On SeleniumResearch Paper On Selenium
Research Paper On SeleniumAnn Johnson
 
Read and analyze the attached case. You must discuss the case and ho.pdf
Read and analyze the attached case. You must discuss the case and ho.pdfRead and analyze the attached case. You must discuss the case and ho.pdf
Read and analyze the attached case. You must discuss the case and ho.pdfinfo324235
 
Going mobile with enterprise application
Going mobile with enterprise applicationGoing mobile with enterprise application
Going mobile with enterprise applicationMuzayun Mukhtar
 
Enhancing Employee Productivity and Qualtiy of Life with Big Data
Enhancing Employee Productivity and Qualtiy of Life with Big DataEnhancing Employee Productivity and Qualtiy of Life with Big Data
Enhancing Employee Productivity and Qualtiy of Life with Big DataInnovations2Solutions
 
MIS Notes For University Students.MANAGEMENT INFORMATION SYSTEM
MIS  Notes For University Students.MANAGEMENT INFORMATION SYSTEMMIS  Notes For University Students.MANAGEMENT INFORMATION SYSTEM
MIS Notes For University Students.MANAGEMENT INFORMATION SYSTEMShehanperamuna
 
Why we need strategy for information system and information technology?
Why we need strategy for information system and information technology?Why we need strategy for information system and information technology?
Why we need strategy for information system and information technology?Uva Wellassa University Of Sri Lanka
 
The secrets of learning, training and assessments in regulatory compliance
The secrets of learning, training and assessments in regulatory complianceThe secrets of learning, training and assessments in regulatory compliance
The secrets of learning, training and assessments in regulatory complianceThomas Jenewein
 
B009 2010-iaasb-handbook-iaps-1013
B009 2010-iaasb-handbook-iaps-1013B009 2010-iaasb-handbook-iaps-1013
B009 2010-iaasb-handbook-iaps-1013RS NAVARRO
 
IT 552 Module Five Assignment Rubric The purpose of t.docx
IT 552 Module Five Assignment Rubric  The purpose of t.docxIT 552 Module Five Assignment Rubric  The purpose of t.docx
IT 552 Module Five Assignment Rubric The purpose of t.docxchristiandean12115
 
Overcome regulatory data retention challenges
Overcome regulatory data retention challengesOvercome regulatory data retention challenges
Overcome regulatory data retention challengesBryant Bell
 
Design for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic SystemDesign for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic SystemCSCJournals
 

Similar to CF601_Assignment2_Martins_15527769 (20)

Master\'s Thesis
Master\'s ThesisMaster\'s Thesis
Master\'s Thesis
 
Case study 7
Case study 7Case study 7
Case study 7
 
30120245 iqbal pinjari_assign
30120245 iqbal pinjari_assign30120245 iqbal pinjari_assign
30120245 iqbal pinjari_assign
 
Information Security Policies
Information Security PoliciesInformation Security Policies
Information Security Policies
 
Software Paper – ACCT 422Auditors use electronic software prog.docx
Software Paper – ACCT 422Auditors use electronic software prog.docxSoftware Paper – ACCT 422Auditors use electronic software prog.docx
Software Paper – ACCT 422Auditors use electronic software prog.docx
 
Wk 7 Case Study Summary Paper_ISSC331_Intindolo
Wk 7 Case Study Summary Paper_ISSC331_IntindoloWk 7 Case Study Summary Paper_ISSC331_Intindolo
Wk 7 Case Study Summary Paper_ISSC331_Intindolo
 
Research Paper On Selenium
Research Paper On SeleniumResearch Paper On Selenium
Research Paper On Selenium
 
Read and analyze the attached case. You must discuss the case and ho.pdf
Read and analyze the attached case. You must discuss the case and ho.pdfRead and analyze the attached case. You must discuss the case and ho.pdf
Read and analyze the attached case. You must discuss the case and ho.pdf
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
 
Going mobile with enterprise application
Going mobile with enterprise applicationGoing mobile with enterprise application
Going mobile with enterprise application
 
Final ERP Paper 05-01-2016
Final ERP Paper 05-01-2016Final ERP Paper 05-01-2016
Final ERP Paper 05-01-2016
 
Enhancing Employee Productivity and Qualtiy of Life with Big Data
Enhancing Employee Productivity and Qualtiy of Life with Big DataEnhancing Employee Productivity and Qualtiy of Life with Big Data
Enhancing Employee Productivity and Qualtiy of Life with Big Data
 
MIS Notes For University Students.MANAGEMENT INFORMATION SYSTEM
MIS  Notes For University Students.MANAGEMENT INFORMATION SYSTEMMIS  Notes For University Students.MANAGEMENT INFORMATION SYSTEM
MIS Notes For University Students.MANAGEMENT INFORMATION SYSTEM
 
Why we need strategy for information system and information technology?
Why we need strategy for information system and information technology?Why we need strategy for information system and information technology?
Why we need strategy for information system and information technology?
 
The secrets of learning, training and assessments in regulatory compliance
The secrets of learning, training and assessments in regulatory complianceThe secrets of learning, training and assessments in regulatory compliance
The secrets of learning, training and assessments in regulatory compliance
 
B009 2010-iaasb-handbook-iaps-1013
B009 2010-iaasb-handbook-iaps-1013B009 2010-iaasb-handbook-iaps-1013
B009 2010-iaasb-handbook-iaps-1013
 
IT 552 Module Five Assignment Rubric The purpose of t.docx
IT 552 Module Five Assignment Rubric  The purpose of t.docxIT 552 Module Five Assignment Rubric  The purpose of t.docx
IT 552 Module Five Assignment Rubric The purpose of t.docx
 
RiskAssessmentReport
RiskAssessmentReportRiskAssessmentReport
RiskAssessmentReport
 
Overcome regulatory data retention challenges
Overcome regulatory data retention challengesOvercome regulatory data retention challenges
Overcome regulatory data retention challenges
 
Design for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic SystemDesign for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic System
 

CF601_Assignment2_Martins_15527769

  • 1. Curtin University of Technology - CBS | Introduction 1 Computer Forensics Report Process Framework and Procedural Manual for Excellor Pty Ltd. 2012 Pedro Martins - 15527769 Curtin University of Technology - CBS 4/27/2012 ABSTRACT: The following report proposes a comprehensive process framework, guidelines and procedures that Excellor should consider for applying within its operations and business. It highlights main aspects and considerations that the company should be aware of when restructuring its polices and procedures for managing digital evidences categorised as “secure classified information transmissions” and “operational duties” conducted using smart phone and social media tools and applications.
  • 2. Curtin Business School SCHOOL OF INFORMATION SYSTEMS Cover Sheet – BIC601 Assignment 1 Semester 1, 2012 Name Pedro Martins 15527769 given names surname/family name Student ID No Unit Name Computer Forensics 601 (CF601) (in full) Name of Tutor Dr Collin James Armstrong Day & Time of Tutorial Friday,9:00 am Assignment Number and/or Name CF601 Assignment 1 Due Date 4th May, 2012 5PM Date Submitted 4th March 2012 If the given name by which your tutor knows you differs from your name on University records, you should indicate BOTH names above. Your assignment should meet the following requirements. Please confirm this (by ticking boxes) before submitting your assignment.  Assignment is presented on A4 size paper and is neatly collated  Above details are fully completed and legible  Pages have been firmly stapled  A copy and backup of disk(s) has been retained by me  Diskette is included, if appropriate  Declaration below is complete All forms of plagiarism, cheating and unauthorised collusion are regarded seriously by the University and could result in penalties including failure in the course and possible exclusion from the University. If you are in doubt, please contact your lecturer or the Course Coordinator. Declaration Except where I have indicated, the work I am submitting in this assignment is my own work and has not been submitted for assessment in another unit or course Signature of Student OFFICE USE ONLY Date Received Marked By Date Marked Marks/Grades
  • 3. Table of Contents 1. Introduction ....................................................................................................................................1 2. Excellor Forensic Policy Considerations..........................................................................................2 3. Process Framework.........................................................................................................................2 3.1. Preparation Phase...................................................................................................................4 3.2. Incident Response Phase ........................................................................................................5 3.3. Data Collection Phase .............................................................................................................5 i. Establish where all sought evidences can be found ...............................................................5 ii. Create Order of Volatility........................................................................................................5 iii. Collect the Evidence................................................................................................................6 iv. Find Relevant Evidence.........................................................................................................10 v. Document Everything ...........................................................................................................10 3.4. Data Analysis Phase ..............................................................................................................10 3.5. Findings Presentation Phase.................................................................................................10 3.6. Incident Closure Phase..........................................................................................................10 4. 
Guidelines and Procedures ...........................................................................................................10 4.1. Procedural Manual................................................................................................................11 5. Recommendations........................................................................................................................13 6. References ....................................................................................................................................14 APPENDIX B – Anonymized Social Interaction Graph using Picture Tags........................................16 APPENDIX C - Anonymized Example Timeline for 24-hour period..................................................17 APPENDIX C – FireSheep Graphic User Interface .............................................................................18
  • 4. Table of Figures Figure 1 - The three components for managing Digital Evidence………………………………….......................3 Figure 2- ProDF layers………………………………………………………………………………………………………………………..3 Figure 3- Unique Incident Investigation…………………………………………………………………………………………….4 Figure 4 - Social Interaction Graph using Direct Messages…………………………………………………………………7 Figure 5 - Anonymized Social Interconnection Graph using Picture Tags……………………………………………8 Figure 6 - Anonymized Example Timeline for 24-hour period. …………………………………………………………..8 Figure 7 – Twitter metadata.…………………………………………………………………………………..…………………………9 Figure 8 - Facebook metadata. .………………………………………………………………………………………………………...9
  • 5. 1 Introduction | Curtin University of Technology - CBS 1. Introduction In light of the increasing number of cyber-attacks occurred in the year of 2011 (e.g. Anonymous, HB Gary, Sony, and Wikileaks), Excellor Pty Ltd. has contracted the services of a forensic expert to elaborate and propose aspects such as, process framework for managing digital evidences, considerations for developing a procedural manual, considerations for developing the company’s policy, guidelines and procedures towards Forensics’ activities, and more. However, the current growing usage of smartphones (e.g. iPhone) and social networks (such as Facebook, LinkedIn, etc.) have been a major concern in computer Forensics, since it became another communication channel that links the internal environment of a company to the outside world. What is more, the significant increasing of various functionalities added to smartphones result in many challenges to a forensic investigator, since they are constantly changing its Operational Systems (Adams 2010). Current smartphones are capable of storing a large volume of data and, therefore, they became one of the main targets for collecting relevant digital evidence1 while conducting an investigation. Data frequently found on smartphones are:  Application Data  Call History  eBooks  Maps Email  Photos  Text Messaging  Video  Web History  Audio After digital evidences are collected and analysed, they can be used throughout many different departments within an organisation for various reasons. For example, the Human Resources department might need evidence to confirm misbehaviour of a staff member. Similarly, auditors and managers can use data evidence to prove dishonest transactions and to monitor and control if data flow is in accordance to governance regulations, respectively (CP Grobler & CP Louwrens 2010). 
The following report has the purpose of assisting and instructing Excellor’s senior management, such as the Chief Officer and Chief Executive Officer, on taking specifics measures in the occurrence of misuse of company’s data categorised as “classified” on corporate smartphone devices and social media. Furthermore, this document serves as a guide relating important activities that must be considered in case of inappropriate use of company’s data. Hence, the facts researched and discussed in this document will assist relevant parts on managing digital evidences and take effective and efficient actions, helping Excellor to minimise the effects caused by any internal or external digital incident2 that significantly affects the company’s business. 1 For the purpose of this assignment, it is considered digital evidence all corporate data that is categorised as “secure classified information transmissions” and “operational duties” conducted using smartphones, social media tools and applications.
  • 6. 2 Excellor Forensic Policy Considerations | Curtin University of Technology - CBS 2. Excellor Forensic Policy Considerations All major forensic concerns present in the company’s policies should be addressed in clear statements which will help authorised personnel to monitor systems and networks, in order to take immediately measures in response to an incident (Kent, et al. 2006). Any sort of investigation should be kept confidential, especially when dealing with staff members of a business environment, unless case is taken to court. If case details are spread throughout the company or any unrelated part, the investigation loses its credibility and leads Excellor to violate contractual agreements made between the company and the employee (Nelson, Phillips and Steuart 2010). Although technology can be used for many beneficial reasons, it can also be accidentally or intentionally misused for giving unauthorised access to corporate data and information, modifying, destroying or stealing information, including digital evidence of an incident. Hence, in order to ensure that the forensic tools are used appropriately, it is a sound strategy to specify within Excellor’s policy which forensic actions should and should not be performed for different types of incident. In short, Excellor’s Forensic Policies should consider, but not be limited to:  Outline the roles and responsibilities of all stakeholders (internal and external) involved in the organization’s forensic activities and clearly indicate who should be assigned for which type of event.  Give explanation about what forensic procedures should and should not be executed during normal and special conditions. Not only that, it should address the use of anti-forensic tools and techniques.  Entitle authorised people to carry out investigation of corporate issued smartphones for justifiable reasons, under the appropriate conditions. 
 Implementation of forensic concerns when planning and developing information system life cycle, possibly leading to a more efficient and effective management of different types of incidents.  Storage of data collected by forensics tools does not violate the company’s privacy or data custody policies.  Monitoring of networks and informative messages on systems that communicate to users that activity might be monitored. The policies should consider reasonable expectations of user privacy. 3. Process Framework In the occurrence of a cyber-crime within Excellor environment, it is important to follow a process framework that gives investigators an appropriate approach to respond to the incident. Therefore, it was identified two types of existents framework which can be applied into Excellor’s business for managing Digital Forensics (DF) evidence. According to Grobler et al. (2010), a company should be aware and prepare itself from possible cyber-attacks, and take the appropriate measures to either avoid or minimise the damages caused within its business. Therefore, the authors have identified three different components that should work together, and not in isolation. They are: Proactive, Active and Reactive DF. 2 It is considered an incident the misuse of any corporate data, leading to violation of company’s regulations and State laws (e.g. criminal, civil and statute).
  • 7. 3 Process Framework | Curtin University of Technology - CBS  Proactive DF (ProDF) relates to any measures that a company can take to foresee or prevent digital incidents by ensuring that it possesses enough technology, processes and procedures capable of minimising disruption if business in the event of a digital crime.  Active or ‘live’ DF (ActDF) is the capability of an organisation to collect relevant and live comprehensive digital evidence in order to minimise the effect of the incident during an ongoing incident.  Reactive or ‘dead’ (ReDF) is the stage in which a company implements its analytical and investigative techniques in order to preserve, identify, extract, document, analyse, and interpret the digital evidences. The following graphic simply correlates the three components and when they should be applied. Figure 1 - The three components for managing Digital Evidence (Grobler, Louwrens and Solms 2010) Furthermore, there are some critical factors to be considered when adopting proactive measures against potential digital incidents. Excellor’s policies, processes, technologies and people are the foundation for effective business governance, which must be in accordance to the local laws and regulations. The figure below is an illustration of sub-components that must be considered when adopting Proactive DF measures within Excellor and self-explains what each sub-component involves. Figure 2- ProDF layers (Grobler, Louwrens and Solms 2010)
  • 8. 4 Process Framework | Curtin University of Technology - CBS The following framework displays a detailed order of processes and activities that should be undertaken in case of a digital crime. When analysing the next graphic, it is possible to notice that each process output serves as an input to the next one, thus creating a pattern when responding to incidents. This process framework is based on the proposal concept of Nicole Beebe and Jan Clark (2005). In comparison to other existing models, none of them provided sufficient details to enable all members of the digital forensics to take efficient measures in response to digital incidents (Beebe and Clark 2005). Hence, this model is an extension of the one proposed by the authors Grobler, Louwrens and Solms (2010) and presents the most suitable framework to be incorporated within Excellor's information security environment. Figure 3- Unique Incident Investigation (Beebe and Clark 2005) 3.1. Preparation Phase This phase contains proactive measures that Excellor should perform to minimise damages in the occurrence of cyber-attacks. According to Tcek et al. (2010), every company should adapt its systems (whether is computerised or not) to collect and preserve potential digital evidence in a structured way. Additionally, during the Preparation phase some activities (related later in this document) should be executed in order to maximize digital evidence availability in support of investigation and prosecution, associated to computer security incidents. Different cases have distinct characteristics, and, therefore, Preparation Phase might vary according to each individual scenario, though following a common pattern. Nevertheless, there are tools that can be used in order to control users’ access to social media within Excellor’s premises. For example, FireSheep (http://codebutler.com/firesheep) is a free open source software capable of capturing any insecure website known to the program, including social media. 
So as soon as someone visits these types of websites the name and photo are displayed. Appendix D shows snapshots of the software interface. However, before adopting any similar measure, it is crucial to create a new policy that permits Excellor’s authorities to execute this action.
3.2. Incident Response Phase

This phase consists of detecting an incident and initiating a pre-investigation response for a computer or mobile device suspected of involvement in it, such as data theft, uploading or downloading inappropriate or illegal content from the Internet, or a breach of computer security.

3.3. Data Collection Phase

Although information about an incident is already gathered during the Incident Response Phase, the purpose of Data Collection is to collect the digital evidence that will support the response and the investigative plan. When managing evidence it is important to keep in mind that not all information is evidence, and that evidence must be identified proactively. Information is treated as digital evidence when it is:

- Admissible: it was obtained and handled in a way that allows it to be presented in court.
- Authentic: it is demonstrably connected to the investigated incident.
- Complete: it tells the whole story, including exculpatory evidence that could point to alternative suspects.
- Reliable: nothing about how it was collected and handled casts doubt on its authenticity and veracity.
- Believable: it is clear, easy to understand, and believable by a jury.

A series of steps should be undertaken when collecting digital evidence:

i. Establish where all sought evidence can be found. Prior to responding to any incident, a trained team should be assembled and briefed on all available facts, plans and objectives so that it can carry out the plan for collecting and analysing data. Assigning trained investigators to gather data helps to collect the evidence that is crucial for an incident, also known as Comprehensive Digital Evidence (CDE) (CP Grobler & CP Louwrens 2010). In other words, the team will be able to collect relevant and sufficient information to determine the origin of the incident and link the perpetrator to the event.

ii. Create an Order of Volatility. Digital evidence is volatile and can easily be lost or corrupted, so data collection must be done rapidly in order to acquire accurate information about the evidence; a delayed response may result in the loss of information crucial to the case (Nelson, Phillips and Steuart 2010). A plan should therefore be made that decides the most effective way of gathering data and determines what to collect and where to collect it from, starting with the sources that disappear first (memory contents, running processes, network connections) and ending with those that persist across a reboot (disk contents, logs held on servers).
iii. Collect the Evidence. In order to capture volatile evidence, when an incident is discovered the suspect computer or mobile device should stay connected to the network and must not be rebooted until the relevant data has been captured. Unplugging the computer from the network, or letting the mobile device power down, may spoil the investigation because critical volatile data will be destroyed. (Where the host is actively exfiltrating data, containment may have to take priority over live capture; the Incident Response Plan should state who makes that call, and the decision and its reasons must be documented.) Throughout this stage the investigation team must collect as much evidence as it can, and collect it the first time it is seen: volatile data (anything kept only in memory, such as running processes, network connections and clipboard contents) may be lost through delay in the incident response or careless execution of this step.

The following tools are commonly used to provide data for forensic investigations of desktops and laptops. Most are either built-in Windows commands (netstat, tasklist, ipconfig, nbtstat, route) or Sysinternals utilities (pslist, psloglist, ListDLLs, Handle). They run on the computer being examined, not on a smartphone; in a smartphone case, what they can contribute is the phone's footprint on the corporate network (addresses, sessions, connections) as seen from company hosts, which is only available while the phone is connected to that network. Excellor can thus draw on a range of sources to collect the maximum amount of relevant digital evidence, such as:

- Command
- Netstat
- Psloglist
- Netcat
- Pslist
- Netusers
- Net (user, session)
- Pulist
- ListDLLs
- Handle
- Tlist
- Tasklist
- PS
- IPConfig
- NBTStat
- Fport
- Openports
- DOSKEY
- GPList
- Time
- Date
- Route

Many of the tools listed above return overlapping information (IP and MAC addresses, tasks performed by a computer or connected smartphone, ports used between source and destination machines, recently visited websites, processes and their identifiers, the date and time of various operations, and so on), yet each one provides specific detail that the others lack.
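The steps above (collect in order of volatility, capture while the host is still live, and hash every capture so the record can later be shown to be intact) are best scripted so that the response team does not improvise them under pressure. The following Python script is an added example written for this report's discussion; it is not part of the original document or of any of the tools listed. The command lines in COLLECTION_ORDER are assumptions for a Windows host and should be replaced with whatever tools the team has validated, and the manifest layout with its chained entry hashes is this example's own design rather than any standard.

```python
"""Order-of-volatility live collection with a hashed capture manifest.

Added example for this report; not part of the original document or of the
tools it lists. Command lines are assumptions for a Windows host.
"""
import datetime as dt
import hashlib
import json
import subprocess

# Most volatile first: process and memory state, then network state, then
# configuration that survives a reboot. Tool names follow the report's list;
# the exact arguments are assumptions and must be validated on a test host.
COLLECTION_ORDER = [
    ("processes", ["tasklist", "/v"]),
    ("loaded_dlls", ["listdlls"]),
    ("network_connections", ["netstat", "-ano"]),
    ("open_ports", ["fport"]),
    ("logged_on_sessions", ["net", "session"]),
    ("ip_config", ["ipconfig", "/all"]),
    ("routing_table", ["route", "print"]),
]
GENESIS = "0" * 64   # prev_entry_hash of the first manifest entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of every field except entry_hash itself, in a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


def record_capture(manifest, name, argv, output, collected_at=None):
    """Append one capture. The entry carries the hash of the raw output and
    the hash of the previous entry, so that editing, dropping or reordering a
    capture afterwards breaks the chain."""
    entry = {
        "seq": len(manifest) + 1,
        "name": name,
        "command": " ".join(argv),
        "collected_at": collected_at
        or dt.datetime.now(dt.timezone.utc).isoformat(timespec="seconds"),
        "size": len(output),
        "sha256": sha256_hex(output),
        "prev_entry_hash": manifest[-1]["entry_hash"] if manifest else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    manifest.append(entry)
    return entry


def verify_manifest(manifest, outputs):
    """Recompute every output hash and every chain link against the stored
    raw outputs. Returns False on any alteration, omission or reordering."""
    previous = GENESIS
    for seq, entry in enumerate(manifest, start=1):
        if entry["seq"] != seq or entry["prev_entry_hash"] != previous:
            return False
        raw = outputs.get(entry["name"])
        if raw is None or sha256_hex(raw) != entry["sha256"]:
            return False
        if _entry_hash(entry) != entry["entry_hash"]:
            return False
        previous = entry["entry_hash"]
    return True


def run_collection(order=COLLECTION_ORDER, runner=subprocess.run):
    """Execute each command in volatility order. A failure is recorded as a
    capture in its own right rather than silently skipped, so the gap is
    visible in the manifest. `runner` is injectable for dry runs."""
    manifest, outputs = [], {}
    for name, argv in order:
        try:
            proc = runner(argv, capture_output=True, timeout=60)
            output = proc.stdout + proc.stderr
        except (OSError, subprocess.TimeoutExpired) as exc:
            output = f"COLLECTION FAILED: {exc}".encode("utf-8")
        outputs[name] = output
        record_capture(manifest, name, argv, output)
    return manifest, outputs


if __name__ == "__main__":
    manifest, outputs = run_collection()
    print(json.dumps(manifest, indent=2))
    print("manifest verifies:", verify_manifest(manifest, outputs))
```

Run it from removable media that also carries trusted copies of the tools, store the manifest next to the raw outputs, and have a second team member run verify_manifest() before the evidence leaves the scene. Because each entry embeds the hash of the previous one, a capture that is edited, dropped or reordered later no longer verifies, which is the property the "Document Everything" step relies on.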
One of the biggest constraints forensic examiners face with mobile phones is that the device can be used anywhere, not only on the company's premises. Although investigators can collect information leaked from smartphones via text messages, file uploads and downloads, or social networks, detecting and gathering evidence of suspicious activity is extremely hard when the information is passed on in a phone call: the call history is recorded on the device, but the content of the conversation cannot be recovered unless the phone is lawfully intercepted. Social media makes the search for digital evidence harder still, because the information is stored by the social network's operator and is not found on the suspect's hard drive, apart from whatever the browser or app has cached locally.
There are several ways of collecting data from social networks. Acquiring the operator's server hard drives is one, although it is not feasible in most cases. Another is to ask the social media operator to hand the crucial data to the investigator. However, this measure conflicts with the rules of evidence gathering, because the investigator cannot independently prove that the evidence is complete, reliable and authentic (Mulazzani, Huber and Weippl 2011). Hence these two options should be set aside at first, and data gathering should rely mainly on the investigative capabilities of the forensic examiner. According to Mulazzani, Huber and Weippl (2011), even though social media services have distinct features and architectures, there are common data sources that can provide forensic investigators with crucial information about them, as follows:

- The social footprint: the user's social circle and relationships, defining who he or she is connected to and what his or her interests are.
- Communication patterns: the ways in which the service is used to communicate, how often, and with whom. To present this information graphically, the Social Interaction Graph using Direct Messages (Mulazzani, Huber and Weippl 2011) can be applied, as shown in Figure 4 (please refer to Appendix A for the figure at a larger scale).

Figure 4 - Social Interaction Graph using Direct Messages (Mulazzani, Huber and Weippl 2011).

- Pictures and videos: which pictures and videos the user has uploaded to the social network, and which pictures uploaded by other people he or she has been tagged in.
As shown in Figure 5, the Anonymised Social Interaction Graph using Picture Tags (Mulazzani, Huber and Weippl 2011) can be applied in order to identify the suspect's closest connections (please refer to Appendix B for the figure at a larger scale). The graph is built in the following steps:
i. Starting from the suspect's account, gather all the pictures uploaded by all of the suspect's "friends".
ii. Ignore anyone who is tagged in those pictures but is not in the suspect's "friend" list.
iii. If the tagged person is also the suspect's "friend", add an edge between the two nodes, pointing from the profile that uploaded the picture to the profile that was tagged.
Figure 5 - Anonymised Social Interaction Graph using Picture Tags (Mulazzani, Huber and Weippl 2011).

- Times of activity: when a given user joined or connected to the social network and exactly when each activity took place. A timeline that puts the events in chronological order is a reasonable strategy here, as suggested by Mulazzani, Huber and Weippl (2011); Figure 6 is an example (please refer to Appendix C for the figure at a larger scale). When building such a timeline, record the time zone of every timestamp (the operator's, the device's and the examiner's may all differ) and convert to a single reference zone before comparing events.

Figure 6 - Anonymised Example Timeline for a 24-hour period (Mulazzani, Huber and Weippl 2011).

- Apps: a list of the apps the user may be making use of, and the purpose of using them.

As stated by Patzakis (2012), relevant data can be extracted for each user from the metadata fields attached to posts and messages, which contain information important for establishing the authenticity of the data collected. The two figures below list useful metadata fields for Twitter and Facebook, as examples of social media services.
Figure 7 - Twitter metadata (Patzakis 2012).
Figure 8 - Facebook metadata (Patzakis 2012).
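Two of the data sources above, the picture-tag graph and the activity timeline, are easiest to understand once actually built. The Python below is an added example written for this report; it is not the cited authors' code, and the accounts, pictures and timestamps are constructed. It follows the three picture-tag steps (treating the suspect's own uploads as part of the circle, an assumption the steps do not state), ranks the suspect's closest connections from the resulting edges, and buckets activity into a 24-hour timeline in the examiner's time zone, which shows how a different zone moves the same events across the midnight boundary.

```python
"""Picture-tag interaction graph and 24-hour activity timeline.

Added example for this report; the accounts, pictures and timestamps below
are constructed and do not come from any real social network.
"""
import datetime as dt
from collections import Counter

SUSPECT = "suspect"
FRIENDS = {"ana", "ben", "cho", "dev"}          # the suspect's friend list
PICTURES = [                                    # constructed sample pictures
    {"uploader": "ana", "tagged": ["suspect", "ben"]},
    {"uploader": "ana", "tagged": ["ben", "zed"]},      # zed is not a friend
    {"uploader": "ben", "tagged": ["ana"]},
    {"uploader": "cho", "tagged": ["suspect"]},
    {"uploader": "suspect", "tagged": ["ana", "cho"]},
    {"uploader": "zed", "tagged": ["suspect", "ana"]},  # uploader outside circle
]
EVENTS = [                                      # constructed: (UTC time, activity)
    ("2012-04-26T08:15:00+00:00", "login"),
    ("2012-04-26T08:20:00+00:00", "direct message to ana"),
    ("2012-04-26T13:02:00+00:00", "picture upload"),
    ("2012-04-26T23:40:00+00:00", "login"),
    ("2012-04-27T00:10:00+00:00", "direct message to cho"),
]


def picture_tag_graph(suspect, friends, pictures):
    """Steps i-iii from the report. Returns a Counter of directed edges
    (uploader, tagged) -> number of pictures carrying that tag. The suspect's
    own uploads are included in the circle (an assumption of this example)."""
    circle = set(friends) | {suspect}
    edges = Counter()
    for pic in pictures:
        uploader = pic["uploader"]
        if uploader not in circle:
            continue                     # step i: only pictures from the circle
        for person in pic["tagged"]:
            if person not in circle or person == uploader:
                continue                 # step ii: drop non-friends and self-tags
            edges[(uploader, person)] += 1   # step iii: uploader -> tagged
    return edges


def closest_connections(edges, suspect, top=3):
    """Rank friends by the number of tag edges shared with the suspect in
    either direction; the heaviest links are the closest connections."""
    score = Counter()
    for (src, dst), weight in edges.items():
        if src == suspect:
            score[dst] += weight
        elif dst == suspect:
            score[src] += weight
    return score.most_common(top)


def activity_timeline(events, window_start, tz_offset_hours=0):
    """Bucket activity into the 24 hourly slots after window_start (an ISO
    timestamp with offset). All times are converted to the examiner's zone
    first, so the same events land in different buckets for different zones."""
    start = dt.datetime.fromisoformat(window_start)
    local = dt.timezone(dt.timedelta(hours=tz_offset_hours))
    buckets = [0] * 24
    in_window = []
    for stamp, what in sorted(events):
        when = dt.datetime.fromisoformat(stamp).astimezone(local)
        hours = (when - start).total_seconds() / 3600
        if 0 <= hours < 24:
            buckets[int(hours)] += 1
            in_window.append((when.isoformat(), what))
    return buckets, in_window


if __name__ == "__main__":
    graph = picture_tag_graph(SUSPECT, FRIENDS, PICTURES)
    for (src, dst), w in sorted(graph.items()):
        print(f"{src} -> {dst}  x{w}")
    print("closest:", closest_connections(graph, SUSPECT))
    # Same events viewed from UTC and from Perth (UTC+8): the late-night
    # login falls on different calendar days in the two zones.
    for offset in (0, 8):
        zone = dt.timezone(dt.timedelta(hours=offset))
        start = dt.datetime(2012, 4, 26, tzinfo=zone)
        buckets, found = activity_timeline(EVENTS, start.isoformat(), offset)
        print(f"UTC{offset:+d}: {sum(buckets)} events in window,",
              "hours with activity:", [h for h, n in enumerate(buckets) if n])
```

In the constructed data, "zed" tags the suspect in a picture but never appears in the graph, because step ii discards anyone outside the friend list; "ben" is a friend but has no direct edge to the suspect, so the ranking correctly leaves him out of the closest connections even though he is tagged often. The timeline run shows why the time-zone note above matters: the 23:40 UTC login is inside the 26 April window for a UTC examiner and outside it for a UTC+8 one.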
iv. Find Relevant Evidence. Organise the findings and identify those that are relevant to the investigation; investigators should be capable of recognising and filtering which pieces of information matter to a given case.

v. Document Everything. To keep reliable records and preserve the integrity of the collected information, every finding should carry a hash value, timestamps, signed statements, digital signatures, witness statements, and so on.

3.4. Data Analysis Phase

This phase aims to structure and give meaning to the data collected in the previous phase. It is usually the most complex and time-consuming stage, since every relevant piece of evidence extracted is analysed and reconstructed in an organised way in order to confirm or refute allegations of suspicious activity.

3.5. Findings Presentation Phase

After the data has been analysed, it is important to bear in mind the different audiences the analysis report will be presented to. A report should communicate the relevant findings according to the level of computer literacy of its audience, whether managers, technical personnel, legal personnel or law enforcement professionals. The presentation can be written, oral or a combination of both. It provides a concise yet detailed reconstruction of the facts analysed during the Data Analysis Phase.

3.6. Incident Closure Phase

As the name suggests, during this phase the investigation is closed out and action is taken on any decisions related to it. In addition, any new knowledge gained from the case should be preserved for future reference.

4. Guidelines and Procedures

Given that electronic records and data can easily be changed, it is important that Excellor specifies guidelines and procedures that facilitate forensic action on incidents that may lead to prosecution or internal disciplinary measures. Excellor's forensic guidelines and procedures must be consistent with its policies and with applicable law. To produce guidelines and procedures of the highest quality, Excellor should involve technical experts and legal advisors in their development. The participation of managers is also relevant, since they can determine whether the proposed guidelines and procedures are aligned with the company's requirements, goals and objectives. Moreover, since each incident requires different handling, developing complete guidelines and procedures for every possible situation is not usually practicable. Organisations should therefore develop a procedure manual for carrying out all routine activities in
the protection, collection, examination and analysis, and reporting of digital evidence found on smartphones and social media. The document should be developed in a forensically sound manner, suitable for legal prosecution or disciplinary action. It is crucial that the guidelines and procedures support the admissibility of digital evidence in legal proceedings, including:
- seizing and handling evidence correctly;
- managing the chain of custody;
- storing the digital evidence appropriately;
- establishing and preserving the integrity of forensic tools and equipment;
- being able to demonstrate the authenticity of any electronic records, case files and logs.

Excellor should stay aware of significant changes in smartphone technology and in social media functionality and architecture that might affect the company's guidelines and procedures.

4.1. Procedural Manual

The company's procedural manual describes the procedures and policies that Excellor's employees and managers need to follow when a digital incident occurs. The manual has been developed from the concepts and definitions in the process framework proposed in this document. This section outlines a series of activities for each of the phases previously mentioned, in order to avoid or minimise and control the effects of an incident.

FOUNDATION FOR EXCELLOR'S PROCEDURAL MANUAL ACTIVITIES

Preparation Phase
- Risk assessment covering Excellor's vulnerabilities, loss/exposure, threats, weaknesses, etc.
- Build an Incident Response Plan, including staff assignments, procedures, policies and regulations.
- Document the company's technical capabilities (e.g. response toolkits).
- Train a sufficient number of staff to conduct an investigation when a digital incident occurs.
- Define and document the company's standards for handling evidence and preserving its integrity.

Incident Response Phase
- Identify unauthorised or suspicious activity carried out by Excellor's staff members.
- Report identified or suspected unauthorised activity to the CIO or CEO, depending on the circumstances.
- Confirm the incident.
- Develop a suitable plan to control, eliminate, recover and investigate, taking into account the business's technical, political and legal factors.
- Prepare the Investigation Plan for data collection and analysis.

Data Collection Phase
- Conclude the data gathering that began during the Incident Response Phase.
- Acquire network-based evidence from applicable sources, such as log servers, firewalls, routers and intrusion detection systems.
- Obtain host-based evidence from relevant sources, such as system date/time information, volatile data and storage drives.
- Acquire removable media evidence from the suspect computer, such as CD-ROMs and USB devices.
- Collect information present on the social media used by the suspect, searching the five common data sources mentioned above.
- Create hash values to ensure the integrity and authenticity of the digital evidence.
- Ensure that the people accountable for packaging, transporting and storing the digital evidence have signed the relevant documentation acknowledging their "Dos and Don'ts".

Data Analysis Phase
- Summarise the large amount of data collected during Data Collection and produce an analysis report to help investigators understand the relevant evidence.
- Assess the analysis report and search for information relevant to the case.
- Study, analyse and reconstruct the data to answer the crucial investigative questions.

Findings Presentation Phase
- Assess the audience the material will be presented to.
- Determine the most effective way to communicate with that audience.
- Summarise the relevant findings.
- Prepare and present the findings.

Incident Closure Phase
- Oversee the entire investigation and document a critical review and the lessons learned from it.
- Take decisions based on the results of the findings presentation, and act upon them.
- Dispose of the evidence (e.g. destroy it or return it to its owner).
- Collect and protect all information linked to the incident.

The activities above can be executed sequentially and/or iteratively, though they should always respect the order of the phases in the framework proposed by Nicole Beebe and Jan Clark (2005).
5. Recommendations

After in-depth research into the various methods applied to manage forensic activities, it is recommended that Excellor use a combination of the two frameworks proposed earlier: their approaches differ, and they can be adapted to complement each other. The framework developed by Grobler et al. (2010) describes how the company should react towards an incident depending on whether or not the incident is actually occurring. This structure recognises that the company (in this case Excellor) should be aware of, and prepared for, any potential incident. Moreover, it breaks down and shows how evidence and incidents relate to Excellor's governance and policies, making the point that evidence should be considered proactively when outlining the company's policies. However, this framework does not define the procedures a company should follow when responding to an incident. Consequently, the framework proposed by Nicole Beebe and Jan Clark (2005) should also be implemented within Excellor's operations, since it provides a more effective approach to responding to a given incident. Its six interrelated phases give the company a series of activities to carry out in the event of a cyber-incident, and it allows iteration between the phases, maximising the results obtained during the management of digital evidence.

Capturing digital evidence before the company's operations are compromised is a major priority and should be adopted within Excellor's policies. Acting proactively can help Excellor achieve two main goals (Trcek et al. 2010):
i. Minimise the cost of responding to incidents.
ii. Maximise the company's capability to collect digital evidence.

For that reason, Excellor should constantly manage corporate data and gather potential evidence, such as telephone records, log files, e-mails and network traffic records, prior to becoming involved in an investigation (Trcek et al. 2010). For frequent monitoring of data traffic, Excellor can use appropriate software such as Wireshark to observe the data flow within its network, which will increase the probability of capturing suspicious behaviour by computers on that network so that appropriate action can be taken. FireSheep, also discussed in this report, is a different kind of tool: it captures unencrypted session cookies on a shared network and lets the operator hijack the captured sessions, so it should be treated as an offensive tool that demonstrates an exposure, not as a routine monitoring tool; using it against staff sessions without explicit policy and legal authority would itself be unauthorised access. Regarding the company's policies, it is crucial that top management and the relevant parties include clauses that allow frequent monitoring of any device issued by the organisation and of employees' behaviour on social media. The implementation of those new policies will allow management to guide operations without constant intervention, since they help to align the company's activities with its goals. Hence, if all the measures and actions described in this document are applied within Excellor's business, the company is less likely to have to interrupt its operations in the face of cyber-attacks or other digital incidents, because the solutions and counter-measures have been planned in advance.
6. References

Adams, Rob. 2010. "Challenges of Smart Phone Forensics." Forensic Focus. http://www.forensicfocus.com/challenges-of-smart-phone-forensics (accessed May 1, 2012).
American Academy of Forensic Sciences. 2011. "Policy and Procedure Manual." The American Academy of Forensic Sciences: 1-195.
Beebe, Nicole Lang, and Jan Guynes Clark. 2005. "A hierarchical, objectives-based framework." Elsevier: 21.
Cohen, Frederick B. 2008. Fundamentals of Digital Forensic Evidence. Professional report. California: California Sciences Institute.
Grobler, CP, and CP Louwrens. 2010. Digital Evidence Management Plan. Johannesburg: University of Johannesburg & Nedbank.
Grobler, CP, CP Louwrens, and SH von Solms. 2010. "A framework to guide the implementation of Proactive Forensics in Organizations." International conference paper: 6.
Kent, Karen, Suzanne Chevalier, Tim Grance, and Hung Dang. 2006. "Guide to Integrating Forensic Techniques into Incident Response." NIST Special Publication 800-86. U.S. Department of Commerce: 1-121.
Mulazzani, Martin, Markus Huber, and Edgar Weippl. 2011. Social Network Forensics: Tapping the Data Pool of Social Networks. Research report, SBA Research (sba-research.org).
Nelson, Bill, Amelia Phillips, and Christopher Steuart. 2010. Guide to Computer Forensics and Investigations. Boston: Course Technology, Cengage Learning.
Patzakis, John. 2012. Key Twitter and Facebook Metadata Fields Forensic Investigators Need to be Aware of. Professional report, Forensic Focus.
Rogers, Marcus K. 2009. Cyber Forensics: Evidence Collection, Management and Handling. Indiana, 5 March 2009.
Security Transcends Technology. 2009. Cyber Forensics: Evidence Collection, Management and Handling. San Antonio, 5 March 2009.
Trcek, Denis, Habtamu Abie, Asmund Skomedal, and Iztok Starc. 2010. "Advanced Framework for Digital Forensic Technologies and Procedures." Journal of Forensic Sciences 55 (November 2010): 1471-1479.
APPENDIX A - Social Interaction Graph using Direct Messages (full-size figure; see Figure 4)
APPENDIX B - Anonymised Social Interaction Graph using Picture Tags (full-size figure; see Figure 5)
APPENDIX C - Anonymised Example Timeline for a 24-hour period (full-size figure; see Figure 6)
APPENDIX D - FireSheep Graphical User Interface (screenshots)