Design for A Network Centric Enterprise Forensic System
CF601_Assignment2_Martins_15527769
Computer Forensics Report
Process Framework and Procedural Manual for
Excellor Pty Ltd.
2012
Pedro Martins - 15527769
Curtin University of Technology - CBS
4/27/2012
ABSTRACT:
The following report proposes a comprehensive process framework, guidelines and procedures that Excellor should consider applying within its operations and business. It highlights the main aspects and considerations that the company should be aware of when restructuring its policies and procedures for managing digital evidence categorised as “secure classified information transmissions” and “operational duties” conducted using smartphone and social media tools and applications.
Curtin Business School
SCHOOL OF INFORMATION SYSTEMS
Cover Sheet – BIC601 Assignment 1
Semester 1, 2012
Name (given names, surname/family name): Pedro Martins    Student ID No: 15527769
Unit Name (in full): Computer Forensics 601 (CF601)
Name of Tutor: Dr Collin James Armstrong    Day & Time of Tutorial: Friday, 9:00 am
Assignment Number and/or Name: CF601 Assignment 1
Due Date: 4th May, 2012 5PM    Date Submitted: 4th March 2012
If the given name by which your tutor knows you differs from your name on University records, you should indicate BOTH names above.
All forms of plagiarism, cheating and unauthorised collusion are regarded seriously by the University and could result in
penalties including failure in the course and possible exclusion from the University. If you are in doubt, please contact
your lecturer or the Course Coordinator.
Declaration
Except where I have indicated, the work I am submitting in this assignment is my own work and has not been submitted
for assessment in another unit or course
Signature of Student
Table of Contents
1. Introduction
2. Excellor Forensic Policy Considerations
3. Process Framework
3.1. Preparation Phase
3.2. Incident Response Phase
3.3. Data Collection Phase
i. Establish where all sought evidence can be found
ii. Create Order of Volatility
iii. Collect the Evidence
iv. Find Relevant Evidence
v. Document Everything
3.4. Data Analysis Phase
3.5. Findings Presentation Phase
3.6. Incident Closure Phase
4. Guidelines and Procedures
4.1. Procedural Manual
5. Recommendations
6. References
APPENDIX A – Social Interaction Graph using Direct Messages
APPENDIX B – Anonymised Social Interconnection Graph using Picture Tags
APPENDIX C – Anonymised Example Timeline for 24-hour period
APPENDIX D – FireSheep Graphical User Interface
Table of Figures
Figure 1 - The three components for managing Digital Evidence
Figure 2 - ProDF layers
Figure 3 - Unique Incident Investigation
Figure 4 - Social Interaction Graph using Direct Messages
Figure 5 - Anonymised Social Interconnection Graph using Picture Tags
Figure 6 - Anonymised Example Timeline for 24-hour period
Figure 7 - Twitter metadata
Figure 8 - Facebook metadata
1. Introduction
In light of the increasing number of cyber-attacks that occurred in 2011 (e.g. Anonymous, HBGary, Sony and WikiLeaks), Excellor Pty Ltd. has contracted the services of a forensic expert to elaborate and propose a process framework for managing digital evidence, considerations for developing a procedural manual, considerations for developing the company’s policy, guidelines and procedures for forensic activities, and more.
However, the growing use of smartphones (e.g. iPhone) and social networks (such as Facebook, LinkedIn, etc.) has become a major concern in computer forensics, since they form another communication channel linking the internal environment of a company to the outside world. What is more, the significant number of functions being added to smartphones creates many challenges for a forensic investigator, since their operating systems are constantly changing (Adams 2010).
Current smartphones are capable of storing a large volume of data and, therefore, they have become one of the main targets for collecting relevant digital evidence[1] while conducting an investigation. Data frequently found on smartphones include:
- Application data
- Call history
- eBooks
- Maps
- Email
- Photos
- Text messaging
- Video
- Web history
- Audio
After digital evidence is collected and analysed, it can be used by many different departments within an organisation for various reasons. For example, the Human Resources department might need evidence to confirm misconduct by a staff member. Similarly, auditors can use evidence to prove dishonest transactions, and managers can use it to monitor and control whether data flows comply with governance regulations (CP Grobler & CP Louwrens 2010).
The following report has the purpose of assisting and instructing Excellor’s senior management, such as the Chief Information Officer and Chief Executive Officer, on taking specific measures in the event of misuse of company data categorised as “classified” on corporate smartphone devices and social media. Furthermore, this document serves as a guide to the important activities that must be considered in case of inappropriate use of company data.
Hence, the facts researched and discussed in this document will assist the relevant parties in managing digital evidence and taking effective and efficient action, helping Excellor to minimise the effects caused by any internal or external digital incident[2] that significantly affects the company’s business.
[1] For the purpose of this assignment, digital evidence is taken to mean all corporate data that is categorised as “secure classified information transmissions” and “operational duties” conducted using smartphones, social media tools and applications.
2. Excellor Forensic Policy Considerations
All major forensic concerns present in the company’s policies should be addressed in clear statements, which will help authorised personnel to monitor systems and networks in order to take immediate measures in response to an incident (Kent, et al. 2006).
Any investigation should be kept confidential, especially when dealing with staff members in a business environment, unless the case is taken to court. If case details are spread throughout the company or to any unrelated party, the investigation loses its credibility and may lead Excellor to violate contractual agreements made between the company and the employee (Nelson, Phillips and Steuart 2010).
Although technology can be used for many beneficial purposes, it can also be accidentally or intentionally misused to gain unauthorised access to corporate data and information, or to modify, destroy or steal information, including the digital evidence of an incident. Hence, in order to ensure that forensic tools are used appropriately, it is a sound strategy to specify within Excellor’s policy which forensic actions should and should not be performed for each type of incident.
In short, Excellor’s forensic policies should consider, but not be limited to:
- Outlining the roles and responsibilities of all stakeholders (internal and external) involved in the organisation’s forensic activities, and clearly indicating who should be assigned to which type of event.
- Explaining which forensic procedures should and should not be executed under normal and special conditions. The policy should also address the use of anti-forensic tools and techniques.
- Authorising designated people to investigate corporate-issued smartphones for justifiable reasons, under appropriate conditions.
- Building forensic considerations into the planning and development of the information system life cycle, which may lead to more efficient and effective management of different types of incident.
- Ensuring that the storage of data collected by forensic tools does not violate the company’s privacy or data custody policies.
- Monitoring networks and displaying notices on systems that inform users that their activity might be monitored. The policies should consider users’ reasonable expectations of privacy.
3. Process Framework
In the event of a cyber-crime within Excellor’s environment, it is important to follow a process framework that gives investigators an appropriate approach to responding to the incident. Therefore, two existing frameworks were identified which can be applied to Excellor’s business for managing Digital Forensics (DF) evidence.
According to Grobler et al. (2010), a company should be aware of and prepare itself for possible cyber-attacks, and take appropriate measures to either avoid or minimise the damage caused to its business. Therefore, the authors have identified three different components that should work together, and not in isolation. They are: Proactive, Active and Reactive DF.
[2] An incident is taken to mean the misuse of any corporate data, leading to a violation of company regulations and State laws (e.g. criminal, civil and statute).
- Proactive DF (ProDF) relates to any measures that a company can take to foresee or prevent digital incidents by ensuring that it possesses enough technology, processes and procedures to minimise disruption of business in the event of a digital crime.
- Active or ‘live’ DF (ActDF) is the capability of an organisation to collect relevant and comprehensive live digital evidence during an ongoing incident, in order to minimise the effect of the incident.
- Reactive or ‘dead’ DF (ReDF) is the stage in which a company applies its analytical and investigative techniques in order to preserve, identify, extract, document, analyse and interpret the digital evidence.
The following graphic simply correlates the three components and when they should be applied.
Figure 1 - The three components for managing Digital Evidence (Grobler, Louwrens and Solms 2010)
Furthermore, there are some critical factors to be considered when adopting proactive measures against potential digital incidents. Excellor’s policies, processes, technologies and people are the foundation for effective business governance, which must be in accordance with local laws and regulations. The figure below illustrates the sub-components that must be considered when adopting Proactive DF measures within Excellor and explains what each sub-component involves.
Figure 2- ProDF layers (Grobler, Louwrens and Solms 2010)
The following framework displays a detailed order of the processes and activities that should be undertaken in case of a digital crime. When analysing the next graphic, it is possible to notice that the output of each process serves as the input to the next one, thus creating a pattern for responding to incidents.
This process framework is based on the concept proposed by Nicole Beebe and Jan Clark (2005). In comparison to other existing models, none provided sufficient detail to enable all members of the digital forensics community to take efficient measures in response to digital incidents (Beebe and Clark 2005). Hence, this model is used here as an extension of the one proposed by Grobler, Louwrens and Solms (2010) and presents the most suitable framework to be incorporated within Excellor's information security environment.
Figure 3- Unique Incident Investigation (Beebe and Clark 2005)
3.1. Preparation Phase
This phase contains proactive measures that Excellor should perform to minimise damage in the event of cyber-attacks. According to Trcek et al. (2010), every company should adapt its systems (whether computerised or not) to collect and preserve potential digital evidence in a structured way.
Additionally, during the Preparation phase some activities (described later in this document) should be executed in order to maximise the availability of digital evidence in support of the investigation and prosecution of computer security incidents. Different cases have distinct characteristics and, therefore, the Preparation phase might vary according to each individual scenario, though following a common pattern.
Nevertheless, there are tools that can be used to monitor users’ access to social media within Excellor’s premises. For example, Firesheep (http://codebutler.com/firesheep) is a free open source Firefox extension that listens on a shared network for HTTP requests to a list of websites known to it (including social media sites) and captures the session cookies those sites send in the clear. As soon as someone on the same network uses one of these websites over unencrypted HTTP, the user’s name and photo are displayed in Firesheep’s sidebar, and the captured cookie can be used to take over that session. Appendix D shows snapshots of the software interface.
Two caveats apply before adopting a tool of this kind. First, Firesheep is a session-hijacking demonstration tool, not an access-control product: it only observes traffic sent over plain HTTP, so sites accessed over HTTPS (or sessions whose cookies carry the Secure attribute) are invisible to it, and what it captures is a credential that allows impersonation of the employee, not merely a record that a site was visited. Second, it intercepts network traffic, so it is crucial to create a policy that permits Excellor’s authorities to execute this action, consistent with the monitoring notices and privacy considerations in section 2, before any such measure is used.
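To make the mechanism concrete, the following script (an added example, not part of the original report or of Firesheep itself) replays Firesheep’s logic over a constructed packet capture: it parses the Host and Cookie headers of HTTP requests seen on port 80 and reports any that carry a known site’s session cookie, while TLS records on port 443 yield nothing because a passive sniffer cannot read inside them. The site-to-cookie-name table is an assumption for illustration, not an authoritative list of those sites’ cookies.

```python
"""Added example: what Firesheep actually exploits.

Firesheep listens on a shared network for HTTP requests that carry a
known site's session cookie in the clear.  This script replays that
logic over a constructed capture (no real traffic is read): each record
is (client_ip, destination_port, payload).  Session cookies seen on
port 80 are reported as hijackable; the same cookie inside a TLS
session on port 443 is ciphertext to a sniffer and is skipped.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumed "handlers" for illustration: site -> cookie names that identify
# a logged-in session.  Not an authoritative list of any site's cookies.
SESSION_COOKIES = {
    "www.facebook.com": {"c_user", "xs"},
    "twitter.com": {"_twitter_sess", "auth_token"},
}


@dataclass
class Hit:
    client_ip: str
    host: str
    cookies: dict


def parse_request(raw: str) -> tuple[str | None, dict]:
    """Return (Host header, cookie dict) from a raw HTTP request text."""
    host = None
    cookies: dict = {}
    for line in raw.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value
        elif name == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    return host, cookies


def find_cleartext_sessions(capture) -> list[Hit]:
    """capture: iterable of (client_ip, dst_port, payload).

    Only port-80 payloads are parsed; port-443 payloads are TLS ciphertext
    and a passive observer cannot extract a Cookie header from them.
    """
    hits = []
    for client_ip, dst_port, payload in capture:
        if dst_port != 80:
            continue
        host, cookies = parse_request(payload)
        wanted = SESSION_COOKIES.get(host or "", set())
        found = {k: v for k, v in cookies.items() if k in wanted}
        if found:
            hits.append(Hit(client_ip, host, found))
    return hits


# Constructed capture: a cleartext Facebook request carrying session cookies,
# a TLS record (unreadable bytes), and a cleartext request with no session.
SAMPLE_CAPTURE = [
    ("10.0.0.5", 80,
     "GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n"
     "Cookie: datr=abc; c_user=100001; xs=SESSIONSECRET\r\n\r\n"),
    ("10.0.0.7", 443, "\x16\x03\x01\x00\x2a...TLS ciphertext..."),
    ("10.0.0.9", 80,
     "GET / HTTP/1.1\r\nHost: twitter.com\r\nCookie: guest_id=v1\r\n\r\n"),
]

if __name__ == "__main__":
    for h in find_cleartext_sessions(SAMPLE_CAPTURE):
        print(f"{h.client_ip} -> {h.host}: hijackable cookies {sorted(h.cookies)}")
```

Only the first record is reported: the TLS record is opaque and the third request carries no session cookie. The same check, run over a capture of Excellor’s own network, shows which internal sites still send session cookies over plain HTTP and are therefore exposed to exactly this attack.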
3.2. Incident Response Phase
This phase consists of detecting, and initiating a pre-investigation response to, a computer or mobile device that is suspected of being involved in an incident, such as data theft, uploading or downloading inappropriate or illegal content from the Internet, a breach of computer security, and so on.
3.3. Data Collection Phase
Although information and data about a given incident are gathered during the Incident Response phase, Data Collection has the purpose of collecting the digital evidence that will support the response and investigative plan.
When managing evidence, it is important to keep in mind that not all information will be evidence, and that evidence must be identified proactively.
Information is considered digital evidence when it is:
- Admissible: it conforms to the legal rules for evidence, so that it can be used in court.
- Authentic: the evidence is tied to the incident under investigation.
- Complete: it tells the whole story, including exculpatory evidence that may point to alternative suspects.
- Reliable: the authenticity and veracity of the evidence must be beyond doubt.
- Believable: clear, easy to understand, and believable by a jury.
There is a series of steps that should be undertaken when collecting digital evidence:
i. Establish where all sought evidence can be found
Prior to responding to any incident, a trained team should be assembled and briefed on all available facts, plans and objectives, in order to carry out the plan for collecting and analysing data. Assigning trained investigators to gather data helps to collect crucial evidence for an incident, also known as Comprehensive Digital Evidence (CDE) (CP Grobler & CP Louwrens 2010). In other words, the team will be able to collect relevant and sufficient information to determine the origin of the incident and link the perpetrator to the event.
ii. Create Order of Volatility
Taking into consideration that digital evidence is volatile and can therefore be easily lost or corrupted, data collection must be done rapidly in order to acquire accurate information about the evidence. Delayed responses might result in the loss of crucial information for the case (Nelson, Phillips and Steuart 2010). Therefore, a plan should be created to decide the most effective way of gathering data, determining what to collect and where to collect it from, starting with the data that will disappear first (memory contents, running processes and network connections) and ending with the data that survives a reboot (storage media, logs and removable media).
iii. Collect the Evidence
With the purpose of capturing volatile evidence, if an incident is discovered it is crucial that the suspect computer stays powered on and is not rebooted until the relevant data has been captured. Unplugging the computer from the network, or powering down a mobile device, may spoil the investigation, since critical volatile data will be destroyed. Whether a computer should be left connected to the network is a judgement call: leaving it connected preserves live network evidence, while disconnecting it stops ongoing data loss, and the decision should be recorded. A smartphone is the exception: it should be kept powered but isolated from all radio networks (for example, in a Faraday bag or with airplane mode enabled), because while it remains reachable its owner or a mobile device management server can wipe or lock it remotely.
Throughout this stage, the investigation team must collect as much evidence as they possibly can, and get it the first time they see it. In some cases, volatile data (data that is kept in memory, such as running processes, network connections and clipboard contents) might be lost due to a delay in the incident response or unprofessional execution of this process.
The following tools are commonly used to provide important data for forensic investigations, mainly on desktops and/or laptops. They run on the host being examined, not on the smartphone itself; what they can reveal about a smartphone is the network-side view from the company’s hosts and network equipment (the phone’s IP and MAC addresses, the connections it opened, the shares and sessions it used) while the phone was connected to the company’s network. Hence, Excellor can make use of various sources in order to collect the maximum amount of relevant digital evidence for possible incidents, such as:
- Command (the command shell, e.g. cmd.exe, from which the tools below are run; it should be a trusted copy brought by the responder)
- Netstat (active network connections and listening ports)
- Psloglist (Sysinternals; dumps the Windows event logs)
- Netcat (transfers collected output to a forensic workstation over the network)
- Pslist (Sysinternals; running processes)
- Netusers (users who have logged on to the system)
- Net (user, session) (local accounts and open SMB sessions)
- Pulist (processes and the user account each runs as)
- ListDLLs (Sysinternals; DLLs loaded by each process)
- Handle (Sysinternals; files and other handles open in each process)
- Tlist (process list with command lines)
- Tasklist (process list)
- PS (process list on Unix-like systems)
- IPConfig (network interface configuration)
- NBTStat (NetBIOS name table and name cache)
- Fport (maps open ports to the owning process)
- Openports (open ports and the owning process)
- DOSKEY (command history of the current shell session)
- GPList (group policies applied to the host)
- Time (system time, to be recorded against a trusted clock)
- Date (system date, likewise)
- Route (routing table)
Many of the tools listed above report similar information types (such as IP address, MAC address, tasks performed by a computer or connected smartphone, ports used between source and destination machines, websites recently visited, processes and their identification numbers, date and time of various operations, and more). Yet each one provides specific detailed information that the others lack.
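As an added example (not a tool from the report), the script below shows how steps ii, iii and v fit together on a Unix-like host: it runs a fixed list of collectors most-volatile first, writes each raw output to an evidence directory, and records the UTC timestamp, command line, examiner and SHA-256 of every artifact in a manifest that can later be re-verified. The command list stands in for the Windows tools above (ps for pslist/tasklist, netstat, arp, route, ip, who); the runner is injectable so the manifest logic can be exercised on constructed output without touching a live system.

```python
"""Added example: live collection in order of volatility with an integrity manifest.

Each collector in ORDER_OF_VOLATILITY is run most-volatile first.  Its raw
output is written to the evidence directory and a manifest entry records
the UTC time, the exact command, the examiner and the SHA-256 of the
output, so that the record can be re-verified later (step v, "Document
Everything").  `collect` accepts a runner callable so the same logic can
be exercised against constructed output instead of a live host.
"""
from __future__ import annotations
import hashlib
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Most volatile first (the RFC 3227 ordering): process and memory state,
# then network state, then configuration that survives a reboot.  These are
# Unix-style stand-ins for the Windows tools listed in the report.
ORDER_OF_VOLATILITY = [
    ("date_time",  ["date", "-u"]),
    ("processes",  ["ps", "-eo", "pid,ppid,user,etime,cmd"]),
    ("net_conns",  ["netstat", "-anp"]),
    ("arp_cache",  ["arp", "-an"]),
    ("routes",     ["route", "-n"]),
    ("interfaces", ["ip", "addr"]),
    ("logged_in",  ["who"]),
]


def run_live(argv: list[str]) -> bytes:
    """Default runner: execute the command and return its stdout.

    A missing tool or a hang is recorded as an error string rather than
    aborting the whole collection, so later collectors still run.
    """
    try:
        return subprocess.run(argv, capture_output=True, timeout=60).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return f"[collection error: {exc}]".encode()


def collect(evidence_dir: Path, examiner: str, runner=run_live) -> list[dict]:
    """Run every collector in order; write outputs and manifest; return the manifest."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for seq, (name, argv) in enumerate(ORDER_OF_VOLATILITY, start=1):
        collected_at = datetime.now(timezone.utc).isoformat()
        output = runner(argv)
        out_path = evidence_dir / f"{seq:02d}_{name}.txt"
        out_path.write_bytes(output)
        manifest.append({
            "seq": seq,
            "artifact": name,
            "command": " ".join(argv),
            "collected_at_utc": collected_at,
            "examiner": examiner,
            "file": out_path.name,
            "sha256": hashlib.sha256(output).hexdigest(),
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir: Path) -> list[str]:
    """Re-hash every stored artifact; return the names whose hash no longer matches."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    tampered = []
    for entry in manifest:
        digest = hashlib.sha256((evidence_dir / entry["file"]).read_bytes()).hexdigest()
        if digest != entry["sha256"]:
            tampered.append(entry["artifact"])
    return tampered


if __name__ == "__main__":
    target = Path("./evidence_host01")
    entries = collect(target, examiner="P. Martins")
    print(f"{len(entries)} artifacts collected; tampered: {verify(target)}")
```

The manifest is the minimum that the “Document Everything” step asks for; a signed statement from the examiner and a digital signature over manifest.json would sit on top of it, and the evidence directory should be copied off the suspect host (for example with netcat, as in the tool list) rather than left on its disk.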
One of the biggest constraints that forensic examiners face with mobile phones is that they can be used anywhere, not only on the company’s premises. Although it is possible for investigators to collect information leaked from smartphones via text messages, upload/download of files, or social networks, it can be extremely hard to detect and gather evidence of suspicious activity if the information is passed on during a phone call. Therefore, although call history is recorded on the device, the content of a conversation is difficult to track unless the phone is tapped.
As for social media, searching for digital evidence becomes even more complicated, since the information is stored by the social network’s operator and cannot be found on the suspect’s computer’s hard drive.
There are different procedures that can be followed in order to collect data from social networks. Acquiring the operator’s server hard drives is one, although it is not feasible in most cases. Another alternative is to ask the social media operator to send the crucial data to the investigator. However, this measure conflicts with the rules of evidence gathering, because the investigator is unable to prove that the evidence is complete, reliable and authentic (Mulazzani, Huber and Weippl 2011). Hence, those two options should be discarded at first, and data gathering should rely mainly on the investigative capabilities of the forensic examiner.
According to Mulazzani, Huber and Weippl (2011), even though social media sites have distinct features and architectures, there are common data sources that can provide forensic investigators with crucial information on those types of media, as follows:
- The social footprint: the user’s social circle and relationships, defining who he/she is connected to and what his/her interests are.
- Communication patterns: the methods by which the media is used to communicate, how it is used, and who the user is communicating with. In order to present this information graphically, it is possible to apply the Social Interaction Graph using Direct Messages (Mulazzani, Huber and Weippl 2011), as shown in Figure 4 (please refer to Appendix A for the figure in larger scale).
Figure 4 - Social Interaction Graph using Direct Messages (Mulazzani, Huber and Weippl 2011).
- Pictures and videos: the pictures and videos the user has uploaded to the social network, and those uploaded by other people in which he/she was tagged. As shown in Figure 5, the “Anonymised Social Interconnection Graph using Picture Tags” (Mulazzani, Huber and Weippl 2011) can be applied in order to track the suspect’s closest connections (please refer to Appendix B for the figure in larger scale). The graph is created using the following steps:
i. Starting from the suspect’s account, gather all the pictures from the suspect and from all of the suspect’s “friends”.
ii. Ignore those who are tagged in the pictures but are not in the suspect’s “friend” list.
iii. If the tagged person is also the suspect’s “friend”, add an edge between the two nodes, pointing from the profile that uploaded the picture to the profile that was tagged.
Figure 5 - Anonymised Social Interconnection Graph using Picture Tags (Mulazzani, Huber and Weippl 2011).
- Times of activity: the time when a specific user joined or connected to the social media site, and when exactly a particular activity took place. A timeline is a reasonable strategy to adopt, giving a chronological order to the events, as suggested by Mulazzani, Huber and Weippl (2011). Figure 6 is an example of the timeline (please refer to Appendix C for the figure in larger scale).
Figure 6 - Anonymised Example Timeline for 24-hour period (Mulazzani, Huber and Weippl 2011).
- Apps: a list of the apps that the user may be making use of, and the purpose of using them.
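The picture-tag graph and the activity timeline described above, rebuilt as an added example over constructed data (this is not code from Mulazzani, Huber and Weippl or from the report). The input stands in for what an examiner would export from the suspect’s account: the friend list, and every picture uploaded by the suspect or a friend with its uploader, tag list and UTC upload time. The three graph steps are applied as written, with edge weights counting repeated co-tagging so the closest connections stand out, and the same records are bucketed into the 24 hourly slots of one day for the timeline.

```python
"""Added example: picture-tag interconnection graph and 24-hour activity timeline.

Constructed input below; nothing is fetched from a real social network.
"""
from __future__ import annotations
from collections import Counter, defaultdict
from datetime import datetime

SUSPECT = "suspect"
FRIENDS = {"alice", "bob", "carol"}           # constructed friend list of the suspect
PICTURES = [                                  # constructed export: uploader, tags, UTC time
    {"uploader": "suspect", "tags": ["alice", "bob"],   "uploaded": "2012-04-20T22:15:00"},
    {"uploader": "alice",   "tags": ["suspect", "bob"], "uploaded": "2012-04-20T23:40:00"},
    {"uploader": "alice",   "tags": ["suspect"],        "uploaded": "2012-04-21T08:05:00"},
    {"uploader": "bob",     "tags": ["dave"],           "uploaded": "2012-04-21T12:30:00"},  # dave is not a friend
    {"uploader": "carol",   "tags": ["alice"],          "uploaded": "2012-04-21T13:10:00"},
    {"uploader": "mallory", "tags": ["suspect"],        "uploaded": "2012-04-21T14:00:00"},  # uploader outside the circle
]


def tag_graph(suspect: str, friends: set, pictures: list) -> dict:
    """Directed, weighted edges (uploader -> tagged) restricted to the suspect's circle."""
    circle = set(friends) | {suspect}
    edges = Counter()
    for pic in pictures:
        if pic["uploader"] not in circle:             # step i: suspect's and friends' pictures only
            continue
        for tagged in pic["tags"]:
            if tagged not in circle or tagged == pic["uploader"]:
                continue                              # step ii: ignore tags of non-friends
            edges[(pic["uploader"], tagged)] += 1     # step iii: edge from uploader to tagged
    return dict(edges)


def closest_connections(graph: dict, suspect: str) -> list:
    """Rank friends by total tag interactions with the suspect in either direction."""
    score = defaultdict(int)
    for (src, dst), weight in graph.items():
        if src == suspect:
            score[dst] += weight
        elif dst == suspect:
            score[src] += weight
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def hourly_timeline(pictures: list, day: str) -> list:
    """Upload counts per hour for one UTC day (24 slots), as in the timeline figure."""
    slots = [0] * 24
    for pic in pictures:
        stamp = datetime.fromisoformat(pic["uploaded"])
        if stamp.date().isoformat() == day:
            slots[stamp.hour] += 1
    return slots


if __name__ == "__main__":
    graph = tag_graph(SUSPECT, FRIENDS, PICTURES)
    for (src, dst), weight in sorted(graph.items()):
        print(f"{src} -> {dst}  (x{weight})")
    print("closest connections:", closest_connections(graph, SUSPECT))
    print("activity on 2012-04-21 by hour:", hourly_timeline(PICTURES, "2012-04-21"))
```

On the constructed data, alice is the closest connection (three tag interactions with the suspect), dave and mallory never enter the graph because they are outside the suspect’s circle, and the timeline shows a gap until 08:00 UTC that an examiner would compare against the suspect’s time zone and working hours.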
As stated by Patzakis (2012), it is possible to extract relevant data about each user. This can be achieved by using metadata fields, which contain important information for establishing the authenticity of the data collected.
The two figures below list useful metadata fields for gathering relevant information on Twitter and Facebook, as examples of social media.
Figure 7 – Twitter metadata (Patzakis 2012).
Figure 8 - Facebook metadata (Patzakis 2012).
iv. Find Relevant Evidence
Organise the findings and identify those that are relevant to the investigation. Investigators should be capable of recognising and filtering which pieces of information are relevant to a given case.
v. Document Everything
In order to keep reliable records and preserve the integrity of the collected information, every finding should have a hash value, timestamps, signed statements, digital signatures, witness statements, etc.
3.4. Data Analysis Phase
This phase aims to structure and give meaning to the data collected in the previous phase. It is usually the most complex and time-consuming stage, since every piece of relevant evidence extracted is analysed and reconstructed in an organised way, in order to confirm or refute allegations of suspicious activity.
3.5. Findings Presentation Phase
After the data has been analysed, it is important to bear in mind the different types of audience to which the analysis report will be presented. Therefore, a report should communicate relevant findings according to the level of computer literacy of its audience, whether it is addressed to managers, technical personnel, legal personnel, or law enforcement professionals.
Additionally, the presentation(s) can be written, oral or a combination of both. It attempts to provide a concise yet detailed reconstruction of the facts analysed during the Data Analysis phase.
3.6. Incident Closure Phase
As the name suggests, during this phase the investigation must be closed out and actions should
be taken upon any decisions related to it. Not only that, any new knowledge gained with a case
should be preserved for being used as future reference.
4. Guidelines and Procedures
Given that electronic records and data can easily be changed and altered, it is important that Excellor specifies guidelines and procedures that facilitate subsequent forensic action on incidents that may lead to prosecution or internal disciplinary measures. It is important that Excellor’s forensic guidelines and procedures are consistent with its policies and other applicable laws.
In order to outline the guidelines and procedures at the highest level of quality, Excellor should involve technical experts and legal advisors in their development. Additionally, the participation of managers is also relevant, since they can determine whether the proposed guidelines and procedures are aligned with the company’s requirements, goals and objectives.
Moreover, taking into consideration that each incident requires different handling methods, developing complete guidelines and procedures for every possible situation is not usually practicable.
Therefore, organisations should develop a procedure manual for carrying out all routine activities in the protection, collection, examination and analysis, and reporting of digital evidence found on
smartphones and social media. The document should be developed in a forensically sound manner,
suitable for legal prosecution or disciplinary actions. It is crucial that the guidelines and procedures
support the admissibility of digital evidence into legal measures, including:
- seizing and handling evidence correctly;
- managing the chain of custody;
- storing the digital evidence appropriately;
- establishing and preserving the genuineness of forensic tools and equipment;
- the capability to demonstrate the authenticity of any electronic records, case files, and logs.
Excellor should constantly be aware of significant changes in smartphone technology, and social
media functionalities and architectures that might affect the company’s guidelines and procedures.
4.1. Procedural Manual
The company’s procedural manual has the purpose of describing the procedures and policies that Excellor’s employees and managers need to carry out in the event of a digital incident.
The manual has been developed from the concepts and definitions in the process framework proposed in this document. This section outlines a series of activities for each of the phases previously mentioned, in order to avoid, minimise and control the effects caused by the incident.
FOUNDATION FOR EXCELLOR’S PROCEDURAL MANUAL ACTIVITIES
Preparation Phase
- Risk assessment related to Excellor’s vulnerabilities, loss/exposure, threats, weaknesses, etc.
- Build an Incident Response Plan, including staff assignments, procedures, policies and regulations.
- Develop a document describing the company’s technical capabilities (e.g. response toolkits).
- Train a sufficient number of staff to conduct investigations in the event of a digital incident.
- Define and document the company’s standards for handling evidence and preserving its integrity.
Incident Response Phase
- Identify unauthorised or suspicious activities executed by Excellor’s staff members.
- Report identified or suspected unauthorised activity to the CIO or CEO, depending on the circumstances.
- Confirm the incident.
- Develop a suitable plan to control, eliminate, recover and investigate digital evidence, taking into account the business’s technical, political and legal factors.
- Prepare the Investigation Plan for data collection and analysis.
Data Collection Phase
- Conclude the data gathering that began during the Incident Response phase.
- Acquire network-based incriminating evidence from applicable sources, such as log servers, firewalls, routers, intrusion detection systems, etc.
- Obtain host-based evidence from relevant sources, such as system date/time information, volatile data, storage drives, etc.
- Acquire removable media evidence from the suspect computer, such as CD-ROMs, USB devices, and so on.
- Collect information present on social media used by the suspect, searching through the five common data sources mentioned above.
- Create hash values to ensure the integrity and authenticity of the digital evidence.
- Ensure that the people accountable for packaging, transporting and storing the digital evidence have signed the relevant documentation acknowledging their “Dos and Don’ts”.
Data Analysis Phase
- Summarise the large amount of data collected during Data Collection and prepare an analysis report to help investigators better understand the relevant evidence.
- Assess the analysis report and search for information that is relevant to the case.
- Study, analyse and reconstruct the data to answer the crucial investigative questions.
Findings Presentation Phase
- Assess the audience to which the material will be presented.
- Determine the most effective way to communicate with that audience.
- Summarise the relevant findings.
- Prepare and present the findings.
Incident Closure Phase
- Oversee the entire investigation and document a critical review and the lessons learned from it.
- Take decisions based on the results of the findings presentation, and act upon them.
- Dispose of evidence (e.g. destroy, return to owner).
- Collect and protect all information linked to the incident.
It is relevant to mention that the activities above can be executed in a sequential and/or iterative manner, though they should always respect the order in the graphic proposed by Nicole Beebe and Jan Clark (2005).
5. Recommendations
After in-depth research into the various methods applied to manage forensic activities, it is
recommended that Excellor use a combination of both frameworks previously proposed. Because of their
different approaches, they can be adapted to complement each other.
The framework developed by Grobler et al. (2010) describes how the company should react to an
incident, depending on whether or not the incident is in progress. This structure acknowledges that
the company (in this case Excellor) should be aware of, and prepare itself for, the occurrence of any
potential incident. Moreover, it breaks down and displays how evidence and incidents relate to
Excellor’s governance and policies, showing that the former should be considered proactively when
outlining the company’s policies. However, this framework falls short in defining the procedures that
a company should follow when responding to an incident.
Consequently, the framework proposed by Nicole Beebe and Jan Clark (2005) should also be implemented
within Excellor's operations, since it aims to provide a more effective approach to responding to a
given incident. Its six interrelated phases give the company a series of activities to be carried out
in case of a cyber-incident. In addition, it allows iteration between the phases, maximising the
results obtained during the management of digital evidence.
Capturing digital evidence before the company’s operations are compromised is considered a major
priority and should be adopted and included within Excellor’s policies. Acting proactively can help
Excellor to achieve two main goals (Trcek, et al. 2010):
i. Minimise costs when responding to incidents
ii. Maximise the company’s capability of collecting digital evidence
For that reason, Excellor should constantly manage corporate data and gather potential evidence, such
as telephone records, log files, e-mails, and network traffic records, prior to involvement in an
investigation (Trcek, et al. 2010).
To monitor data traffic frequently, Excellor can make use of appropriate software - such as Wireshark
and/or Firesheep - to observe the data flow within its network. This will maximise the probability of
capturing suspicious behaviour from computers on that same network and, thereafter, allow the
appropriate actions to be taken.
In regard to the company’s policies, it is crucial that top management and the relevant parties
include clauses that allow frequent monitoring of any device issued by the organisation and of
employees’ behaviour on social media. Accordingly, the implementation of these new policies will allow
management to guide operations without constant intervention, since they help significantly to align
the company’s goals with its objectives.
Hence, it is believed that if all the appropriate measures and actions described in this document are
applied within Excellor’s business, the company is more likely to avoid interrupting its operations,
because solutions and counter-actions against cyber-attacks or any other digital incident will have
been planned in advance.
6. References
Adams, Rob. Articles: Challenges of Smart Phone Forensics. 2010. http://www.forensicfocus.com/challenges-of-smart-phone-forensics (accessed May 1, 2012).
American Academy of Forensic Sciences. “Policy and Procedure Manual.” The American Academy of Forensic Sciences, 2011: 1-195.
Beebe, Nicole Lang, and Jan Guynes Clark. “A hierarchical, objectives-based framework.” Elsevier, 2005: 21.
Cohen, Frederick B. Fundamentals of Digital Forensic Evidence. Professional Report, California: California Sciences Institute, 2008.
Grobler, CP, and CP Louwrens. Digital Evidence Management Plan. Johannesburg: University of Johannesburg & Nedbank, 2010.
Grobler, CP, CP Louwrens, and SH Solms. “A framework to guide the implementation of Proactive Forensics in Organizations.” International Conference, 2010: 6.
Kent, Karen, Suzanne Chevalier, Tim Grance, and Hung Dang. “Guide to Integrating Forensic Techniques into Incident Response.” U.S. Department of Commerce, 2006: 1-121.
Mulazzani, Martin, Markus Huber, and Edgar Weippl. Social Network Forensics: Tapping the Data Pool of Social Networks. Professional Research, Sba-Research.org, 2011.
Nelson, Bill, Amelia Phillips, and Christopher Steuart. Guide to Computer Forensics and Investigations. Boston: Course Technology, Cengage Learning, 2010.
Patzakis, John. Key Twitter and Facebook Metadata Fields Forensic Investigators Need to be Aware of. Professional Report, Forensic Focus, 2012.
Rogers, Marcus K. Cyber Forensics: Evidence Collection, Management and Handling. Indiana, 5 March 2009.
Security Transcends Technology. Cyber Forensics: Evidence Collection, Management and Handling. San Antonio, 5 March 2009.
Trcek, Denis, Habtamu Abie, Asmund Skomedal, and Iztoc Stark. “Advanced Framework for Digital Forensic Technologies and Procedures.” Journal of Forensic Sciences 55 (November 2010): 1471-1479.
APPENDIX A - Social Interaction Graph using Direct Message
APPENDIX B – Anonymized Social Interaction Graph using Picture Tags
APPENDIX C - Anonymized Example Timeline for 24-hour period
APPENDIX D – FireSheep Graphic User Interface