Final Project Milestone One: Draft of Report
To complete this assignment, review the prompt and grading rubric in the
Milestone One Guidelines and Rubric
document. When you have finished your work, submit the assignment here for grading and instructor feedback.
ISE 640 Final Project Forensic Notes
Use the information in this document to help you complete your final project.
Drew Patrick, a director-level employee, is stealing intellectual property from a manufacturing company. The company is heavily involved in high-end development of widgets. Drew has access to corporate secrets and files. He is planning on leaving the company, taking the intellectual property with him, and going to work for a competitor. There is suspicion of him doing this, so human resources (HR) notified the information technology (IT) department to monitor Drew’s past history. An internal investigation is launched due to Drew’s abnormal behavior. The IT department confirms that they have found large files and emails. Forensics identified unauthorized access, transmission, and storage of intellectual property by Drew. Evidence found will be used to support legal civil and criminal proceedings.
Scenario ACME Construction Company designs, manufactures, and sells large construction vehicles that can cost upwards of a million dollars. They spent hundreds of thousands of hours redesigning their premier excavator. Every piece that goes into the excavator is individually designed to maximize the longevity of the equipment. Known for attention to detail, high-quality work, and industry innovation, this painstaking work is what sets ACME Construction company apart and is attributed for the excellent reputation they enjoy. This, in turn, allows them to charge a premium on their exceptionally well-built products.
Drew Patrick is a senior manager directly involved with the overall development of ACME’s excavators. His role provides him with access to design documentation, schematics, support documents, and any other technical references maintained in the company’s research and development (R&D) database. The R&D database is maintained by ACME’s information technology (IT) department, which is supported by a security operations center (SOC). The SOC uses Snort as a core component of their security information and event management (SIEM) system to keep tabs on network traffic, authentication requests, file access, and log file analysis.
The SIEM alerted SOC personnel of potential peer-to-peer (P2P) traffic originating from the internet protocol (IP) address associated with Drew’s computer. However, analysis of Active Directory logs indicated that Drew was not logged into his account at the time the files were transferred via the P2P application. ACME enforces two-factor authentication and does not allow for computer sharing. The SOC personnel began an incident report based on the identification of P2P traffic, which violates company policy. ...
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Final Project Milestone One Draft of ReportTo complete this
1. Final Project Milestone One: Draft of Report
To complete this assignment, review the prompt and grading
rubric in the
Milestone One Guidelines and Rubric
document. When you have finished your work, submit the
assignment here for grading and instructor feedback.
ISE 640 Final Project Forensic Notes
Use the information in this document to help you complete your
final project.
Drew Patrick, a director-level employee, is stealing intellectual
property from a manufacturing company. The company is
heavily involved in high-end development of widgets. Drew has
access to corporate secrets and files. He is planning on leaving
the company, taking the intellectual property with him, and
going to work for a competitor. There is suspicion of him doing
this, so human resources (HR) notified the information
technology (IT) department to monitor Drew’s past history. An
internal investigation is launched due to Drew’s abnormal
behavior. The IT department confirms that they have found
large files and emails. Forensics identified unauthorized access,
transmission, and storage of intellectual property by Drew.
Evidence found will be used to support legal civil and criminal
proceedings.
Scenario ACME Construction Company designs, manufactures,
and sells large construction vehicles that can cost upwards of a
2. million dollars. They spent hundreds of thousands of hours
redesigning their premier excavator. Every piece that goes into
the excavator is individually designed to maximize the
longevity of the equipment. Known for attention to detail, high-
quality work, and industry innovation, this painstaking work is
what sets ACME Construction company apart and is attributed
for the excellent reputation they enjoy. This, in turn, allows
them to charge a premium on their exceptionally well-built
products.
Drew Patrick is a senior manager directly involved with the
overall development of ACME’s excavators. His role provides
him with access to design documentation, schematics, support
documents, and any other technical references maintained in the
company’s research and development (R&D) database. The
R&D database is maintained by ACME’s information
technology (IT) department, which is supported by a security
operations center (SOC). The SOC uses Snort as a core
component of their security information and event management
(SIEM) system to keep tabs on network traffic, authentication
requests, file access, and log file analysis.
The SIEM alerted SOC personnel of potential peer-to-peer
(P2P) traffic originating from the internet protocol (IP) address
associated with Drew’s computer. However, analysis of Active
Directory logs indicated that Drew was not logged into his
account at the time the files were transferred via the P2P
application. ACME enforces two-factor authentication and does
not allow for computer sharing. The SOC personnel began an
incident report based on the identification of P2P traffic, which
violates company policy. As per company policy, the SOC
personnel gave human resources (HR) and the legal team the
incident report. The legal team asked for further investigation.
Upon further inspection of the P2P activity, several file
transfers were discovered. The files transferred match the names
of files in the R&D database containing intellectual property
3. developed by Drew’s development team. Additionally, the files
were transferred to IP addresses that are not owned or
controlled by ACME Corporation.
Analysis of the server access logs indicated that Drew had been
logging into the R&D database for several weeks prior to the
external file transfers taking place. Network logs from the
Intrusion Prevention Systems (IPSs) indicated that the files of
interest had been transferred to Drew’s desktop computer prior
to the external transfer. ACME has a strict policy against
maintaining intellectual property anywhere other than the
designated servers. File access logs on the R&D servers
confirmed that the account belonging to Drew had copied the
files in question.
At this point, fearing a loss of intellectual property, in addition
to numerous policy violations, ACME called in the digital
forensic team to take over the investigation. The forensics team
proceeded to capture the log files from relevant computer
systems and created a forensically sound copy of the hard disk
drive on Drew’s computer. The log files investigated included
the corporate mail, domain name server (DNS), and dynamic
host configuration protocol (DHCP) servers, as well as physical
access logs. Additionally, packet capture logs from the firewalls
and intrusion detection system (IDS) were gathered and
analyzed. This detailed investigation revealed that file transfers
of intellectual property were indeed done from Drew’s
computer, however, Drew’s account was not logged in at the
time of the transfer. The only account active on the suspect
computer was an anonymous account that had been created on
9/17/2016 at 9:57 p.m.
The following notes were provided by the Forensic Team:
Forensic Team Investigation Notes Notes from the investigative
team about the forensic findings of the hard drive image
4. obtained from Drew Patrick’s hard drive:
Western Digital Hard Drive 500 GB with serial number
duplicated using forensic toolkit (FTK) software to preserve the
original hard drive image. A hash was created for the original
and the copied im
The operating system of the image was Windows-based. The
operating system used a new technology file system (NTFS) file
Windows Forensic Toolchest. The sort and index functions were
used to isolate the files needed for further analysis. These files
include types SQL, Excel, email, chat, and HTML. Slack space
was also analyzed.
Files and Findings EMAIL (Microsoft Outlook): Numerous
emails were found that contained references to proprietary
information. Some emails were to non-ACME Corporation email
accounts, and they promised information pertaining to
equipment design. Follow-up emails were found that asked for
assurance of a promised managerial position.
CHAT (AOL Instant Messenger): Several chat conversations
were recovered containing information about possession of
proprietary documents.
SQL (Microsoft Database): SQL database files revealed
proprietary information and connection logs to a remote SQL
server. Two additional SQL database files were encrypted and
were not successfully unencrypted.
EXCEL (Microsoft Excel): Numerous Excel files were located
on the hard drive. These files contained parts list and parts
specifications concerning proprietary construction equipment.
These files had csv and xls extensions.
5. HTML: Recovered internet web browser cache revealed that the
dark web was searched for proprietary information brokers. An
email address was created to correspond in the dark web for
buyer transactions called
[email protected]
Internet cache also revealed that YouTube was searched for the
subjects “selling intellectual property” and “selling on the dark
web.” Recovered internet browser history revealed pictures and
illustrations on encrypting SQL database files. Internet browser
history also revealed searches concerning how to exploit the
vulnerabilities of an SQL database.
SLACK SPACE (hidden data and temporary files): Hidden
information in the slack space was revealed to contain
temporary internet files on searches for “advertising stolen
data” and “hacking sql servers.” These files, once revealed,
were in plain text and read using Notepad.
ISE 640 Milestone One Guidelines and Rubric
Overview:
The milestone assignments in this course directly support you in
the completion of your final project, a forensic investigative
report. Consider the feedback you have received in class
discussions, along with notes you have made in your non-graded
investigative journal, to complete this milestone assignment.
This is Milestone One, a draft of Final Project One: Report. The
final product will be submitted in Module Nine.
6. Please note that your non-graded investigative journal will be
submitted with this milestone to ensure completion. Make sure
that you are adding to your investigative journal as you
complete each module.
Prompt:
For the summative assessment, you will be taking on the role of
a cybersecurity practitioner. You will need to act as a domain
expert communicating to a non-expert stakeholder. For this
milestone, you will be providing a summary of the scenario
from the forensic notes document. You will also be explaining
the relevant procedures needed to maintain evidentiary
integrity: legal concerns, processes and procedures, and chain
of custody. Lastly, you will be explaining details of the
investigation, such as resources needed, methods, and findings.
Ensure you review the full scenario in the main project
document as well as the forensic notes document before drafting
your report.
Specifically, the following critical elements must be addressed:
I. Executive Summary: Set the stage for your report, providing a
brief overview of the situation and the stakeholders who are
involved.
II. Legal Concerns: Describe the problem(s) and objectives you
are working with the company’s attorneys to solve.
7. III. Relevant Procedures: In this section, you will outline the
steps that (hypothetically) you will have to take prior to or as
you investigate in order to maintain evidentiary integrity. Use
your experiences from other situations you are engaging in
within the lab environment to inform your responses.
A. Processes and Procedures: Describe processes or procedures
necessary for handling a criminal situation by an internal
employee.
B. Chain of Custody: Explain how to maintain the chain of
custody as you investigate the various aspects of the incident.
Support your response with specific examples.
IV. Details of Investigation: Based on your experiences in the
labs, there will be specific resources, methods, and tools
necessary to support the investigation in the scenario.
A. Resources Needs: Explain what resources (team
knowledge, skills, and abilities) are necessary for gathering the
evidence for this forensic investigation. Provide examples based
on your experiences from the labs.
B. Methods: Describe the specific forensic method or
approach you used to effectively leverage your available
resources.
C. Findings: Describe the specific findings and the forensic
tactics and technologies you employed to reach them.
8. V. Investigative Journal Notes: Submit your investigative
journal that outlines most of the basics from each of the
modules upon which you based your notes.
Rubric
Guidelines for Submission: Your assignment should adhere to
the following formatting requirements: Write 4 to 5 double-
spaced pages using 12-point Times New Roman font and one-
inch margins. You should use current APA style guidelines for
your citations and reference list. Be sure to attach both
Milestone One and investigative journal files.