Question

As part of the duties of a digital forensics examiner, creating an investigation plan is a standard practice. Write a 3 to 4 (not including title or reference page) page paper that describes how you would organize an investigation for a potential fraud case. In addition, list methods you plan to use to validate the data collected from drives and files such as Word and Excel, with hashes. Specify the hash algorithm you plan to use, such as MD5 or SHA1. Make sure you follow the grading rubric and write your paper in APA format.

Answer 1

Answer:

A digital forensic investigation is a special case of a digital investigation. Where the procedure and techniques are used will allow the results to be entered into cost of low foreg on investigation may be started to answer a question about whether or not centraband digital images exist on a computer.

Here we are considering the case of Global Finance Company with wide range of financial products and wide range of customers throughout the world. A suspect of compromise has been detected from the manager's computer. Now the team has been deployed to the branch office and conduct the Digital Forensic Investigation.

Concern of the Company

1. Regular updates for application infrastructure and network infrastructure.

2. One branch managers from porisbane branch felt compromises in his computer.

3. Both the servers and work station from all the offices are based on Microsoft Windows.

4. The firewalls and network segmentation are fully implemented.

5. Through intrasion detection and logging exist in the brances these are hardly used.

Digital Forensic Investigation Approach

The audit term of the Global Finacnce Company can follow four step. The digital forensic investigation model stands to be most effective model for investigation of the compromise happened int he reginal branch of the Global Finance Company.

1. Collection

a. All information from the manager's workstation, servers and other workstations must be collected.

b. Obtain all the important informtation.

c. Identify storage context noth internal and external devices.

d. Forensic tools that are applicable and to be used for the investigation are to be listed and made available for usage.

e. Target computer forensic imaging to be done and hashed to check the integrity of data.

f. Line network traffic has to captured.

Digital Evidance Collection done in two stages:

Volatile memory is the temporary memory and primary volatile memory is RAM

By cinning command: Cryptcat6543 -k key

Computer data can now required with the command Cryptcat -1 -p6543 -k key>>

Non volatile Memory Acquisition: Permanent memory or volatile memory stands significant source for the digital forensic investigation.

Parmanent data is collected through both online and offline methods:

Offline data is collected from the hard drive applications tool such as Guymayers etc.

Online data like firewall logs, antivirus logs and domain controller log with help of wires work and ethernal collected.

2. Examination

Once the data collected detailed examination is done by comparing the original and logical copies collected. Such examination gives us clues of how manege for window registry examination. Command used echo text_mess > file1.text : file2.txt

The above file retrieved through the command more < file1.txt : file2.txt

The network forensic is enabled using the tools and techniques so that the following potential information can be accessed.

System Information, Service listing, Process listing, Registry information, Binary dumped of memory

3. Analysis with Assumption

Many tools and methodologies are used by the audit team to analyse the collection and examined evidence. Analysis is done according to the following:

a. Leyword searches in all the files

b. Recovering the deleted files

c. Registry information extraction from the workstation

The tools used in this phase are FTK and ILOOKIX. These tools are helpful to recover the document, chat, logs, emails.

4. Report

The final report is generated by the audit team

Purpose of report Digital Forensic investigation conducted on the compromise of manager's computer

Author of the report Aufit Team

Incident Summery The source of compromise are x, y, x

Evidence All the effected files, registry, log files

Analysis All the analyzed data analyzed

Conclusion All digital evidence are extracted and found from the source

Document support volatile and non volatile data, tools, log info, registry info and so on.