COIT20267 Computer Forensics
UniCareer faced a problem with its computer network security, which is a high-concern topic for an educational company. Network security is applied to prevent phishing and fraudulent emails from reaching users and to ensure the privacy of the information shared over the network. This report also reviews the issues raised while planning the forensic investigation. The digital forensic report is presented for the given case scenario of an education company that uses MAC and RFID technology to perform its operations. It sets out the approach required for developing the report, the steps required to fulfil the task, and the activities required for the forensic plan of the computer system.
Justification for the digital forensic methodology and approach
The purpose of digital forensics is to reveal the truth about an incident and the evidence behind it. The methodologies and techniques used in this report yield the analysis, interpretation and reporting of that evidence. The report also describes the approach of applied investigation in digital forensics. The advantage of digital forensics is that it investigates every technical factor, including computing and communication devices. The observations cover the variations and similarities between the ways digital forensics is carried out. Forensics provides advantages in many tasks, such as:
1. Troubleshooting: Forensic tools can be used to work on such issues; the findings include location access, network configuration and the resolution of functional problems.
2. Log monitoring: Log entries are analyzed and then correlated across cases, which helps in assembling the evidence of an incident.
3. Data backup: Data is often deleted, modified or shared for criminal purposes, but several forensic tools provide a case-by-case approach to recovering it.
4. Data acquisition: All data should be properly acquired from employees who are leaving the company.
5. Compliance with due diligence and regulations: New and developing regulations require the protection of sensitive data, and forensics helps organizations comply with such requirements (Casey, 2011).
Required resources to conduct Digital Forensic Investigation
Digital forensics requires a well-organized practice built on resources and tools that can process and analyze data, understand the scenario and provide digital evidence. The resources included in this investigation cover verification of the activities applied, confirmation that an attack happened, restoration of critical information, prediction of upcoming threats and availability of data for criminal proceedings.
(1) Acquisition resources:
The software resources include acquisition tools, digital evidence bags and analysis tools. In the acquisition process, the investigator must collect all the information and keep it safe with the help of trusted methodologies and tools; these sources of evidence are termed acquisition resources. One such tool is SafeBack, which creates a mirror image of the information file, or completes the task by making a bit-stream backup file. This largely helps in providing proper gathering and preservation techniques and increases the speed of the investigation process.
(2) Digital evidence bags:
The digital evidence bag (DEB) is regarded as a vital tool in digital forensics for obtaining evidence of any security threat. It offers both selective and intelligent imaging methods to record evidence of the theft that occurred. It consists of components such as the tag, index and bag files, which together are termed an Evidence Unit (EU). Combined with a customizable index definition, this demonstrates the flexibility of the framework, and the selective and intelligent imaging methodologies are what provide that flexibility. The selective imager operates in the modes defined earlier and can populate a DEB in manual, semi-automatic or fully automatic mode. In intelligent imaging, the category of each file is decided and the file is then processed for automatic imaging, which gives a consistent approach that acquires proof in a unique manner.
Figure 1: Digital evidence framework
(3) Analysis tools:
These tools come into play after the investigator has collected all the evidence related to the scenario. The analysis process includes several steps that speed up the preparation of the digital forensic report. The first step is examining the digital evidence on the basis of the clues listed in the file and the documentation of the incident. The software packages provided are used to examine the bit-stream image and list the installed programs. Much software, such as TrueCrypt or 'hide and seek', helps in hiding, protecting, encrypting and deleting files so that no other person can access them; such programs can conceal evidence, so additional tools that address them are also necessary for digital forensics.
The best digital forensic report is produced when the investigators have the proper skills and a good training course. The following factors are the important criteria for an investigator.
Skills of the investigator: Professional investigation is very hard, and its rules are set against a large number of difficult circumstances. It involves various sectors of investigation, such as financial, compliance and information systems. It requires subjective thinking rather than ticking off objective checklists. The important skill set of investigators is that they should have both an IT background and a law enforcement background.
Training of the staff: The investigation profession requires good training, which makes the investigator aware of their responsibility towards the investigation and the collection of information about the incident. Training helps in understanding challenging technology and the environment built on information technology. The nature of incidents always varies with time and place, and training helps in carrying out different investigations on different incidents.
Licensing of the policies: Certification is required for the evidence so that it validates the truth of the collected information. Skills in accounting and a master's qualification are highly recommended in this area. The licensing of policies requires computer forensic and digital forensic certifications for the amendment of the forensic report (Forensic Control, n.d.).
Some online technical resources:
1. Computer Crime Research Centre - http://www.crime-research.org/
2. Computer Forensics Links - http://staff.washington.edu/dittrich/
3. Computer Forensics Links and Whitepapers - http://www.forensics.nl/links/
4. Computer Forensics Tool Testing Project - http://www.cftt.nist.gov/
5. Digital Mountain Technical and Legal Resources - http://www.digitalmountain.com/technical_resources
6. The Electronic Evidence Information Centre - http://www.e-evidence.info/
7. Forensic Focus - Billboard and Link - http://www.forensicfocus.com/
Approach for evidence identification and acquisition in Digital forensic
The digital forensic report uses the approach of the 'Liforac' model. It consists of four dimensions: laws and regulations, timeline, knowledge, and scope.
Laws and regulations: This dimension determines what the investigator needs and identifies the laws and regulations concerned, setting the legal bounds of the discipline. It guides the systems of any company towards a better understanding of the technical aspects with respect to the legal subject.
Part 1: Common cybercrime laws - The existence of such penalty laws can control traditional crimes. Many stakeholders have written laws covering threat circumstances and the legal punishment of acts related to cyber threats and devices in information system technology.
Part 2: Specific cyber laws - These laws are termed net litigation and control mainly cyber crimes. The stakeholders behind these laws focus on current issues of cyberspace, computers, media and communication. During a dispute over legal interpretation, these laws provide elaborated information for the incident. They also direct the preparation of fast recovery in the systems and educate about the preservation of evidence.
Part 3: Decision and punishment platform - The crucial part of punishment for cybercrime includes court cases and precedents. These establish principles and rules for other cases so that fast decisions can be taken on the same issues.
Timeline: This dimension concentrates on the process view of the model, which determines the sequence of processes an investigator wants to execute. The visualization of the report is given by the sequence of events that shows the relationship between the different stages of the incident.
The timeline representation consists of the following parts:
Part 1: Implied processes - These processes may not seem important for the completion of the report, but without them completion is compromised; data integrity is an example.
Part 2: Explicit processes - These processes play an important part in the completion of the digital forensics. They contribute heavily towards awareness, authorization, planning, searching and identification of evidence.
Part 3: Before the investigation - This part covers the completion of information gathering and the possible activities before the report starts. This time frame includes awareness, authorization and planning. It helps in selecting the mode of investigation and analysis and in pre-acquisition planning.
Part 4: During the investigation - This part ensures the complete collection of information regarding the clues, which leads to the successful completion of the report. It provides the chain of sequence implemented and has three processes: identification and search for evidence, notification of any wrong proof, and examination of the evidence.
Part 5: After the investigation - This is the part where the actual acquisition ends with all possible follow-up activities. It ensures the safe storage and accounting of all the evidence. It includes consideration of the hypothesis and control of future incidents regarding the existing technology in the organization.
Knowledge: This involves knowledge of changing technologies, tools and techniques and keeping up to date with all new and emerging developments. Investigators should be fully prepared for this aspect.
Part 1: Stream of computer science - The investigator must have knowledge of the foundations of computer science and the architecture of the components in a computer. This information helps in certain forensic tasks.
Part 2: Advancement in technology - Regularly updating one's knowledge of new trends and events in advanced technology keeps the investigator active during digital forensics.
Part 3: Information systems - This knowledge is responsible for the decision-making in organizing, storing and presenting information. A proper system helps in developing an understanding of the principles.
Part 4: Social sciences - Under different circumstances, people react in different ways. An investigator should know how to face the people who are involved in the incident.
Scope: This focuses on the practical problems of digital forensics. When issues are identified in the incident, they limit the scope of the digital report.
Part 1: Machine accessibility - Gaining access to the systems and encountering their problems greatly helps in determining the evidence associated with the infected devices. The investigator also gets access to the usernames and passwords of the affected accounts.
Part 2: Operating system dependency - Regular practice is required for interaction with the operating system. Different operating systems have different access requirements, and an investigator should be well acquainted with all the access problems related to the operating system.
Part 3: Data modification - Any user can modify data on the systems, and this can affect the evidence of the system during acquisition. There must be control methods, such as proper training and updating of data, for such problems.
Part 4: Authenticity demonstration - Proper authentication of the evidence produces a better digital forensic report, and it should be done before legal acceptance. The controlling techniques are circumstantial evidence and evidence developed from digital signatures and hashing techniques.
Part 5: Court acceptance - Not all evidence found in the forensic investigation is correct and accepted under criminal law. Advanced technology, awareness of current theft, and education about security measures and policies are the major key factors in the controlling techniques (Grobler and Solms, 2007).
Discussion of some topics regarding the case study
Many scenarios are discussed during forensic investigations; those relevant here are stated below:
1. Distributed Denial of Service attacks
Unusual use of a server from another company accessing the internet border router, or through any other device, can affect the bandwidth of the institution. Issues of internet bandwidth use have also arisen in recent years from public Domain Name System (DNS) servers in many organizations.
Questions arising from the discussion:
a. How could the activities in the forensic investigation help in resolving DDoS attacks?
b. In how many ways can this forensic report help with future DDoS attacks?
(Mittal, Shrivastava and Manoria, 2011)
2. Phishing attempts: A large number of spam emails were received that claimed to be an advertisement promoting a move to the competitor institution. The competitor also solicited staff members to join its company through these emails alone. Thus the competitor accessed private information because of the advanced technology it has, and UniCareer's older system failed.
Questions arising from the scenario:
a. This risk is time-consuming in nature; how should the investigator prioritize their actions for the forensic plan?
b. How could mitigation steps be taken so that this does not happen again?
(Chaudhry, Chaudhry and Rittenhouse, 2016)
3. Identity mistake: There may be fraud cases during the admission of students, and the competitor can develop a fake system to use the credentials of the fees department. This would create a fraud attempt in issuing the students' credit cards.
Questions arising from the discussion:
a. How can the tools of the forensic investigation help the organization in predicting this risk?
b. Is the privacy of the students going to be exploited?
Steps taken during the analysis
There are various steps which help the investigator in tracking and ensuring the proper collection of evidence and in safely providing it for the proceedings.
(1) Verification: The first step of the incident response is to verify whether the incident actually took place. This helps in knowing the characteristics of the incident and gives the correct approach to the identification, preservation and collection of evidence.
(2) System description: This starts the collection of evidence by making notes, analyzing the systems, the location of each system and its role in the organization. The status of the operating system and the general configuration of the devices must be recorded.
(3) Evidence acquisition: Possible sources of data are determined, and the integrity of the evidence should be verified. This is done to establish the relationships between the different entities of the incident. The collected data should be presented to the owners so that they can verify the strategies for executing controls and determining the impact.
(4) Timeline analysis: This is the analysis in the forensic lab which checks information such as modification time, access time, change time and many other factors. This information is collected with a variety of tools and extracted from the metadata layer of the file system. Many open-source and commercial tools are available for this analysis, such as the SIFT workstation.
(5) Media and artifact analysis: At this stage, many of the questions can be answered according to the status of the evidence obtained. A super timeline should be built so that multiple sources are encapsulated into a single entity. Knowledge of the different artifacts reduces the amount of data to analyze.
(6) String or byte search: This step uses tools and techniques to search for byte signatures, known as magic cookies. Regular expressions are used for searching strings.
(7) Data recovery: Recovering data from the file system is one of the steps in finding evidence, with the help of tools such as the Sleuth Kit.
(8) Reporting results: This includes all the results of the analysis, the actions performed, recommended improvements, applied policies, procedures, tools and the other steps of the forensic report (Rocha, 2014).
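To make steps (4) and (6) concrete, the following Python script is an added example written for this page; it is not code from the report, nor from the SIFT workstation or the Sleuth Kit. It builds a sorted timeline of modification, access and change times from file-system metadata, identifies each file's content type from its leading byte signature rather than its extension, and runs a regular-expression string search for email addresses over raw bytes (the kind of string an examiner would look for in the phishing scenario). The sample evidence directory, the signature table and the email pattern are all constructed for the example.

```python
"""Added example: file-system timeline, byte-signature content identification
and regex string search over a constructed evidence directory."""
import os
import re
import tempfile
from datetime import datetime, timezone

# Byte signatures ("magic cookies") assumed for this example; real signature
# tables, such as those shipped with libmagic or the Sleuth Kit, are far larger.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF-": "application/pdf",
    b"PK\x03\x04": "application/zip",
    b"MZ": "application/x-dosexec",
}

# What each extension claims to be, used to spot renamed files.
EXPECTED = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
            ".pdf": "application/pdf", ".zip": "application/zip",
            ".exe": "application/x-dosexec"}

# Constructed pattern for the phishing scenario: email addresses in raw bytes.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def identify_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for signature, mime in MAGIC.items():
        if data.startswith(signature):
            return mime
    return "application/octet-stream"


def search_strings(data: bytes, pattern=EMAIL_RE) -> list:
    """Return sorted, de-duplicated regex matches found anywhere in the bytes."""
    return sorted({m.decode("ascii", "replace") for m in pattern.findall(data)})


def build_timeline(root: str) -> list:
    """Collect m/a/c times for every file under root as (timestamp, event, path)
    tuples sorted by time, in the spirit of a body-file timeline."""
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for label, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                when = datetime.fromtimestamp(ts, timezone.utc).isoformat()
                events.append((when, label, rel))
    return sorted(events)


def triage(root: str) -> dict:
    """Per-file report: detected type, whether it contradicts the extension,
    and any email addresses found in the raw content."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            detected = identify_type(data)
            ext = os.path.splitext(name)[1].lower()
            mismatch = ext in EXPECTED and EXPECTED[ext] != detected
            report[os.path.relpath(path, root).replace(os.sep, "/")] = {
                "detected": detected,
                "extension_mismatch": mismatch,
                "emails": search_strings(data),
            }
    return report


def make_sample_evidence() -> str:
    """Constructed sample files standing in for the contents of an acquired image."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "mail"))
    with open(os.path.join(root, "mail", "offer.txt"), "wb") as fh:
        fh.write(b"Join us! Reply to recruiter@example-competitor.test today.\n")
    # A ZIP archive renamed to look like a photograph, with a staff list inside
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\x00" * 26 + b"staff list: staff@example-uni.test")
    with open(os.path.join(root, "notes.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed placeholder document\n")
    return root


if __name__ == "__main__":
    evidence = make_sample_evidence()
    for when, event, path in build_timeline(evidence):
        print(when, event, path)
    for path, info in sorted(triage(evidence).items()):
        print(path, info)
```

Running the block prints the timeline and the per-file report. The renamed archive is flagged because its extension claims a JPEG while its bytes begin with the ZIP signature, which is the reason the recommendations later insist on judging content type rather than extension; the email search finds the address inside that archive even though it sits after a run of null bytes, because the pattern is applied to the raw bytes rather than to a decoded text view.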
Policies are clear statements for addressing forensic considerations. They should be updated frequently. Different stages of the report have different policy criteria.
1. The policy should clearly define the roles and responsibilities of the persons involved in the investigation.
2. For forensic tools, the policy should provide appropriate guidance on accomplishing the forensic work with their help.
3. Data retention policies should be established to support historical reviews of system and network activity.
4. Policies for scheduling regular backups of system data, frequent audits of workstations, servers and devices, and records of authentication attempts.
5. Policies for maintaining the database files in the common operating system and software deployment.
These policies provide network security for the users of the UniCareer university and also support business growth against its competitor.
The case has been analyzed and investigated properly, and I recommend the following points for UniCareer so that data can be accessed efficiently by its users.
1. Good capability for performing computer and network forensics.
2. Teams should handle incidents with robust capabilities.
3. Policies should clearly address forensic considerations regarding roles and responsibilities, guidelines and procedures.
4. The legal proceedings on the admissibility of evidence should be supported by the guidelines and procedures.
5. The process should be consistent and active in collecting useful evidence.
6. Alternative sources should be considered during the identification of evidence.
7. The approach should consist of methodical steps with careful documentation of the findings.
8. There should be proper review of the procedures followed and the activities done during the forensic investigation.
9. There should be proper evaluation of whether files are copies or originals.
10. File integrity should be preserved and verified according to the standard set by the policies.
11. Evaluation should not focus on the file extension; it has to focus on the content type of the file.
12. The investigator should use a proper toolkit for data examination and analysis.
13. The actions taken should be appropriate so that data can be preserved from the operating system.
14. Different operating systems have different shutdown processes; the investigator should choose the proper shutdown process for the identified OS.
15. There should be appropriate storage available for network-activity-related tasks and results.
16. The investigator should focus on the characteristics and impact of the incident, and the fidelity and value of the data source should be considered (Kent et al., 2006).
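Recommendation 10 and the authenticity demonstration under the Scope dimension both rest on hashing. The following Python script is an added example, not part of the report or of any tool it names: it computes the SHA-256 digest of an acquired image in chunks, records the digest and the examiner in a custody manifest, and authenticates that manifest with an HMAC so that a later edit to the recorded digest is itself detectable. The HMAC and its key stand in for the digital signature an examiner would apply in practice; the image contents, the key and the file names are all constructed for the example.

```python
"""Added example: evidence integrity via SHA-256 digests and an HMAC-authenticated
custody manifest. The HMAC is a stand-in for a digital signature; the key, image
and file names are constructed assumptions."""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large images are never read whole into memory


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(image_path: str, manifest_path: str, custody_key: bytes, examiner: str) -> dict:
    """Record the image digest and examiner at acquisition time, then
    authenticate the record with an HMAC under the custody key."""
    record = {
        "image": os.path.basename(image_path),
        "sha256": sha256_file(image_path),
        "examiner": examiner,
    }
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(custody_key, body, hashlib.sha256).hexdigest()
    with open(manifest_path, "w") as fh:
        json.dump({"record": record, "hmac": tag}, fh)
    return record


def verify(image_path: str, manifest_path: str, custody_key: bytes) -> dict:
    """Check the manifest's HMAC first, then the image digest against it.
    A record that fails authentication is never trusted for the image check."""
    with open(manifest_path) as fh:
        doc = json.load(fh)
    body = json.dumps(doc["record"], sort_keys=True).encode()
    expected = hmac.new(custody_key, body, hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected, doc["hmac"])
    image_ok = manifest_ok and hmac.compare_digest(doc["record"]["sha256"], sha256_file(image_path))
    return {"manifest_authentic": manifest_ok, "image_unmodified": image_ok}


def demo() -> dict:
    """Constructed run: acquire and verify, tamper with the image, then
    forge the manifest without the key; each stage is verified again."""
    work = tempfile.mkdtemp(prefix="custody_")
    image = os.path.join(work, "disk.dd")
    manifest = os.path.join(work, "disk.dd.manifest.json")
    key = b"constructed-custody-key"  # assumption: held only by the examiner
    with open(image, "wb") as fh:
        fh.write(b"\x00" * 4096 + b"UNICAREER-SAMPLE" + b"\xff" * 4096)
    write_manifest(image, manifest, key, "examiner-1")
    before = verify(image, manifest, key)

    # Flip a single byte of the image: the recorded digest no longer matches.
    with open(image, "r+b") as fh:
        fh.seek(4096)
        fh.write(b"X")
    after_tamper = verify(image, manifest, key)

    # Rewrite the manifest's digest to match the altered image, without the key:
    # the digests now agree, but the HMAC over the record no longer verifies.
    with open(manifest) as fh:
        doc = json.load(fh)
    doc["record"]["sha256"] = sha256_file(image)
    with open(manifest, "w") as fh:
        json.dump(doc, fh)
    forged = verify(image, manifest, key)

    return {"before": before, "after_tamper": after_tamper, "forged_manifest": forged}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

The manifest check runs before the digest comparison on purpose: if the record could be edited freely, a tampered image would pass simply by updating the stored hash alongside it. Both comparisons use hmac.compare_digest so that the check does not leak how many leading characters of a digest matched.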
Digital forensics provides the capability to ensure protection against breaches. The company could face any of these breaches, which would affect its growth and current users. This report concludes with the justification for the use of digital forensics and the approach involved in it. The steps of the forensic phase include the analysis of the incident. The appropriate security policies are stated and relevant recommendations are also provided in the report.
References
1. ADF Media, 2015, Digital Forensics Analysis Report, ADF Media, viewed 30 September 2017, http://www.adfmedia.org/files/CoalfireCMPvideosReport.pdf
2. Casey, E., 2011, Digital Investigations, Elsevier, viewed 30 September 2017, https://booksite.elsevier.com/samplechapters/9780123742681/Chapter_6.pdf
3. Chaudhry, J., Chaudhry, S. and Rittenhouse, R., 2016, Phishing Attacks and Defenses, International Journal of Security and Its Applications, 10(1), pp. 247-256.
4. Forensic Control, n.d., An Introduction to Computer Forensics, Forensic Control, viewed 30 September 2017, https://forensiccontrol.com/resources/beginners-guide-computer-forensics/#resources
5. Grobler, M. and Solms, S., 2007, A Best Practice Approach to Live Forensic Acquisition, CiteSeerX, viewed 30 September 2017, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.525.8125&rep=rep1&type=pdf
6. InfoSec Institute, 2017, 22 Popular Computer Forensics Tools, InfoSec Resources, viewed 30 September 2017, http://resources.infosecinstitute.com/computer-forensics-tools/#gref
7. Kent, K., Dang, H., Grance, T. and Chevalier, S., 2006, Guide to Integrating Forensic Techniques into Incident Response, NIST, viewed 30 September 2017, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf
8. Mittal, A., Shrivastava, A. and Manoria, M., 2011, A Review of DDoS Attack and its Countermeasures in TCP Based Networks, AIRCC, viewed 30 September 2017, http://airccse.org/journal/ijcses/papers/1111ijcses13.pdf
9. Morozini de Lira, A., Parisi, C., Peleias, I. R. and Peters, M. R. S., 2012, Uses of ERP Systems and Their Influence on Controllership Functions in Brazilian Companies, JISTEM - Journal of Information Systems and Technology Management, 9(2), pp. 323-352.
10. Rocha, L., 2014, Computer Forensics and Investigation Methodology - 8 Steps, Count Upon Security, viewed 30 September 2017, https://countuponsecurity.com/2014/08/06/computer-forensics-and-investigation-methodology-8-steps/
11. Sladić, G., Milosavljević, B. and Konjović, Z., 2012, Modeling Context for Access Control Systems, 10th Jubilee International Symposium on Intelligent Systems and Informatics, IEEE.
12. Sullivan, C., 2012, Digital Identity and Mistake, International Journal of Law and Information Technology, 20(3), pp. 223-241.
13. Turner, P., 2006, Selective and Intelligent Imaging Using Digital Evidence Bags, Digital Forensic Research Conference (DFRWS), viewed 30 September 2017, https://www.dfrws.org/sites/default/files/session-files/paper-selective_and_intelligent_imaging_using_digital_evidence_bags.pdf