Answer:
A digital forensic investigation is a special case of a digital investigation. Where the procedure and techniques are used will allow the results to be entered into cost of low foreg on investigation may be started to answer a question about whether or not centraband digital images exist on a computer.
Here we are considering the case of Global Finance Company with wide range of financial products and wide range of customers throughout the world. A suspect of compromise has been detected from the manager's computer. Now the team has been deployed to the branch office and conduct the Digital Forensic Investigation.
Concern of the Company
1. Regular updates for application infrastructure and network infrastructure.
2. One branch managers from porisbane branch felt compromises in his computer.
3. Both the servers and work station from all the offices are based on Microsoft Windows.
4. The firewalls and network segmentation are fully implemented.
5. Through intrasion detection and logging exist in the brances these are hardly used.
Digital Forensic Investigation Approach
The audit term of the Global Finacnce Company can follow four step. The digital forensic investigation model stands to be most effective model for investigation of the compromise happened int he reginal branch of the Global Finance Company.
1. Collection
a. All information from the manager's workstation, servers and other workstations must be collected.
b. Obtain all the important informtation.
c. Identify storage context noth internal and external devices.
d. Forensic tools that are applicable and to be used for the investigation are to be listed and made available for usage.
e. Target computer forensic imaging to be done and hashed to check the integrity of data.
f. Line network traffic has to captured.
Digital Evidance Collection done in two stages:
Volatile memory is the temporary memory and primary volatile memory is RAM
By cinning command: Cryptcat6543 -k key
Computer data can now required with the command Cryptcat -1 -p6543 -k key>>
Non volatile Memory Acquisition: Permanent memory or volatile memory stands significant source for the digital forensic investigation.
Parmanent data is collected through both online and offline methods:
Offline data is collected from the hard drive applications tool such as Guymayers etc.
Online data like firewall logs, antivirus logs and domain controller log with help of wires work and ethernal collected.
2. Examination
Once the data collected detailed examination is done by comparing the original and logical copies collected. Such examination gives us clues of how manege for window registry examination. Command used echo text_mess > file1.text : file2.txt
The above file retrieved through the command more < file1.txt : file2.txt
The network forensic is enabled using the tools and techniques so that the following potential information can be accessed.
System Information, Service listing, Process listing, Registry information, Binary dumped of memory
3. Analysis with Assumption
Many tools and methodologies are used by the audit team to analyse the collection and examined evidence. Analysis is done according to the following:
a. Leyword searches in all the files
b. Recovering the deleted files
c. Registry information extraction from the workstation
The tools used in this phase are FTK and ILOOKIX. These tools are helpful to recover the document, chat, logs, emails.
4. Report
The final report is generated by the audit team
Purpose of report Digital Forensic investigation conducted on the compromise of manager's computer
Author of the report Aufit Team
Incident Summery The source of compromise are x, y, x
Evidence All the effected files, registry, log files
Analysis All the analyzed data analyzed
Conclusion All digital evidence are extracted and found from the source
Document support volatile and non volatile data, tools, log info, registry info and so on.
