PRACTICAL CONNECTION ASSIGNMENT
Professor Scott Van Nice
Original source of fact pattern: https://resources.infosecinstitute.com/computer-forensics-investigation-case-study/
Refresher
1. A Computer Forensic investigator generally investigates the data which could be taken from computer hard disks or any other storage devices with adherence to standard policies and procedures to determine if those devices have been compromised by unauthorized access or not.
2. Computer Forensics investigators work as a team to investigate the incident and conduct the forensic analysis by using various methodologies (e.g. Static and Dynamic) and tools (e.g. FTK or Encase) to ensure the computer network system is secure in an organization.
3. A successful Computer Forensic investigator must be familiar with various laws and regulations related to computer crimes in their country (e.g. Computer Misuse Act 1990, the UK) and various computer operating systems (e.g. Windows, Linux) and network operating systems (e.g. Win NT).
4. Public investigations and Private or Corporate investigations are the two distinctive categories that fall under Computer Forensics investigations. Public investigations will be conducted by government agencies, and private investigations will be conducted by private computer forensic team.
Fact Pattern
1. A new start-up SME (small-medium enterprise) based in Luton has recently begun to notice anomalies in its accounting and product records.
2. This SME has also noticed that their competitors seem to be developing products that are very similar to what they are doing which suggests potential intellectual property theft.
3. SME has undertaken an initial check of system log files, and there are several suspicious entries and IP addresses with a large amount of data being sent outside the company firewall.
4. SME has also recently received several customer complaints saying that there is often a strange message displayed during order processing, and they are often re-directed to a payment page that does not look legitimate.
5. The company makes use of a general purpose eBusiness package (OSCommerce) and has a small team of six IT support professionals, but they do not feel that they have the expertise to carry out a full scale malware/forensic investigation.
6. As there is increased competition in the hi-tech domain, the company is anxious to ensure that their systems are not being compromised either internally or externally and they have employed a digital forensic investigator to determine whether any malicious activity has taken place, and to ensure that there is no malware within their systems.
7. The company uses Windows 10 for its servers. Patches are applied by the IT support team on a monthly basis, but the team has noticed that a number of machines do not seem to have been patched.
8. The company provides mobile devices (Apple iOS) to its employees and the iPhones are considered corporate assets.
9. The company also as several em.
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
CF Investigation SME Data Breach
1. PRACTICAL CONNECTION ASSIGNMENT
Professor Scott Van Nice
Original source of fact pattern:
https://resources.infosecinstitute.com/computer-forensics-
investigation-case-study/
Refresher
1. A Computer Forensic investigator generally investigates the
data which could be taken from computer hard disks or any
other storage devices with adherence to standard policies and
procedures to determine if those devices have been
compromised by unauthorized access or not.
2. Computer Forensics investigators work as a team to
investigate the incident and conduct the forensic analysis by
using various methodologies (e.g. Static and Dynamic) and tools
(e.g. FTK or Encase) to ensure the computer network system is
secure in an organization.
3. A successful Computer Forensic investigator must be familiar
with various laws and regulations related to computer crimes in
their country (e.g. Computer Misuse Act 1990, the UK) and
various computer operating systems (e.g. Windows, Linux) and
network operating systems (e.g. Win NT).
4. Public investigations and Private or Corporate investigations
are the two distinctive categories that fall under Computer
Forensics investigations. Public investigations will be
conducted by government agencies, and private investigations
will be conducted by private computer forensic team.
Fact Pattern
1. A new start-up SME (small-medium enterprise) based in
Luton has recently begun to notice anomalies in its accounting
and product records.
2. This SME has also noticed that their competitors seem to be
developing products that are very similar to what they are doing
which suggests potential intellectual property theft.
2. 3. SME has undertaken an initial check of system log files, and
there are several suspicious entries and IP addresses with a
large amount of data being sent outside the company firewall.
4. SME has also recently received several customer complaints
saying that there is often a strange message displayed during
order processing, and they are often re-directed to a payment
page that does not look legitimate.
5. The company makes use of a general purpose eBusiness
package (OSCommerce) and has a small team of six IT support
professionals, but they do not feel that they have the expertise
to carry out a full scale malware/forensic investigation.
6. As there is increased competition in the hi-tech domain, the
company is anxious to ensure that their systems are not being
compromised either internally or externally and they have
employed a digital forensic investigator to determine whether
any malicious activity has taken place, and to ensure that there
is no malware within their systems.
7. The company uses Windows 10 for its servers. Patches are
applied by the IT support team on a monthly basis, but the team
has noticed that a number of machines do not seem to have been
patched.
8. The company provides mobile devices (Apple iOS) to its
employees and the iPhones are considered corporate assets.
9. The company also as several employees who use non-
corporate mobile devices for work but they are not considered
corporate assets.
10. The company uses Microsoft Exchange with an enterprise
email server environment where every employee has their own
corporate email account.
11. The company’s network is composed of routers, firewalls,
hubs, and active directory domain servers.
12. Many of the employees also carry tech-wearables e.g.
FitBit, smart watches, etc that can be plugged into a computer
via a USB port for charging and/or for data transfer.
13. The company has several employees in the United States
and several in the European Union region (EU) e.g. two of them
3. are in Germany.
14. Your task, as an attorney and a trained forensic investigator,
is to supervise a digital forensics investigation to see whether
you can prepare a case against the perpetrators.
15. This task may require investigating all employees including
emails, the network, mobile devices, computers, etc.
16. In addition to overseeing an investigation you are asked to
advise the company of its legal rights e.g. what the company
may or may not do especially if you are planning to collect
devices or emails.
Deliverables
Your deliverable in this assignment is a 2-page report (no more
than 3 pages please) discussing how you would approach the
following Digital Forensic Investigation. As part of this report
you should also:
1. Outline and discuss the methodology that you will use.
2. Provide a reasoned argument as to why the particular
methodology (or methodologies) chosen is relevant.
3. Identify key facts and identify key considerations to consider
from a technical / forensic standpoint that the company should
consider.
4. Identify key facts and identify key considerations to consider
from a legal standpoint that the company should consider.
5. Discuss in detail (step by step) the process that you will use
to collect evidence and discuss the relevant guidelines that need
to be followed when collecting digital evidence.
6. Be sure to back your reasoning with case law as applicable.
Scott’s Hints
1. Spend some time thinking about how you want to frame this.
2. Look at your textbooks – and the chapters covered. Perhaps
that would give you a good roadmap.
3. There are many obvious and non-obvious devices here. Spend
some time listing there as well as perhaps think of others that
may be included (but was not explicitly) called out.
4. Refresh your memory on the order of volatility, this may help
4. you prioritize.
5. Are there some potential resources that I did not include in
this fact pattern, but you think should be considered (one good
example might be capture of email accounts from the back-end
e.g. Exchange server).
Why did I assign you this?
Many real-world cybersecurity incidents have a lot of moving
parts and you may be asked to quickly formulate a plan while
ensuring it has a legal foundation. This is a good exercise as to
how you can learn to put everything together. In addition, I
think this might make a great interview segment for you where
you can demonstrate to a potential employer of how much you
have learned!
This is also an open-ended assignment so many of you may
approach this differently. This is fine so long you are mindful
of the important forensic principles that we have learned
together.