Forensics Investigation Report
Accuracy International (AI)
Prepared for
Head of Forensic Department
By
<Your Name goes here>
Table of Contents
1. INTRODUCTION
1.1 Nature of incident
1.1.1 Location
2. VICTIMS
2.1 Victim details
3. LOCATION OF EVIDENCE
3.1 Evidence description
3.1.1 System, Network, Server Descriptions
3.2 Seizure details
3.3 Handling Details (Chain of Custody)
3.4 Location of Evidence
4. DEFINITIONS
4.1 Definitions
4.2 Tools
5. PRESERVATION OF EVIDENCE
5.1 Validation of Original Evidence
5.1.1 Procedures
5.1.2 Result
5.1.3 Validation
5.2 Imaging
5.2.1 Procedures
5.2.2 Result
5.2.3 Validation
6. INITIAL EVALUATION OF THE EVIDENCE
6.1 Existing Data Details
6.1.1
6.1.2
7. ANALYSIS STEPS
7.1 Procedures
7.1.1
7.1.2
8. RESULTS
8.1 Pertinent Document Summaries
8.1.1 Document 1 Summary –
8.1.2 Document 2 Summary –
8.2 Pertinent Images Summary
8.2.1 Image 1 Summary –
8.2.2 Image 2 Summary –
9. CONCLUSIONS
9.1 Summary
1. INTRODUCTION
1.1 Nature of incident
Accuracy International (AI) is a specialist British firearms manufacturer based in Portsmouth, Hampshire, England, best known for producing the Accuracy International Arctic Warfare series of precision sniper rifles. Earlier this year, AI's computer network was hit by data-stealing malware, which cost thousands of pounds to recover from. As part of an ongoing covert investigation, the head of Security at AI (DG) has hired you to conduct a forensic investigation on an image of a USB device. The USB device is a non-company-issued device allegedly belonging to an employee, Christian Macleod, who has been a consultant and technical manager at AI for more than six years.
The USB device in question was allegedly removed from Christian's workstation at AI while he was out of the office for lunch; the device was imaged and then plugged back into Christian's workstation. You have been provided with a copy of that image (the original copy is currently held in a secure locker at the security department).
1.1.1 Location
Research and Development department
2. VICTIMS
2.1 Victim details
Accuracy International (AI) is the victim in this case.
3. LOCATION OF EVIDENCE
3.1 Evidence description
3.1.1 System, Network, Server Descriptions
3.1.1.1 System 1
3.2 Seizure details
An identical copy of the suspect’s USB stick was made for forensic analysis on 16th Feb 2015.
The USB stick was then returned to the suspect’s work computer while he was at lunch.
3.3 Handling Details (Chain of Custody)
16/02/2015 12:30 – Seizure of the USB stick by investigator David Chadwick.
16/02/2015 12:45 – An ISO image was created, which is a digitally identical copy of the original USB stick; verified by investigator Diane Gan.
3.4 Location of Evidence
The original ISO has been placed in the secure locker, No 1625.
A copy of the ISO has been passed to the Forensic Department for analysis.
4. DEFINITIONS
4.1 Definitions
Acquisition of Digital Evidence: Begins when information and/or physical items are collected or stored for examination purposes. The term "evidence" implies that the collection of evidence is recognized by the courts. The process of collecting is also assumed to be a legal process and appropriate for rules of evidence in that locality. A data object or physical item only becomes evidence when so deemed by a law enforcement official or designee.
Data Objects: Objects or information of potential probative value that are associated with physical items. Data objects may occur in different formats without altering the original information.
Digital Evidence: Information of probative value stored or transmitted in digital form.
Physical Items: Items on which data objects or information may be stored and/or through which data objects are transferred.
Original Digital Evidence: Physical items and the data objects associated with such items at the time of acquisition or seizure.
Duplicate Digital Evidence: An accurate digital reproduction of all data objects contained on an original physical item.
Copy: An accurate reproduction of information contained on an original physical item, independent of the original physical item.
4.2 Tools
5. PRESERVATION OF EVIDENCE
5.1 Validation of Original Evidence
5.1.1 Procedures
5.1.2 Result
5.1.3 Validation
5.2 Imaging
5.2.1 Procedures
5.2.2 Result
5.2.3 Validation
< Description of any validation here >
6. INITIAL EVALUATION OF THE EVIDENCE
6.1