Discuss any digital evidence relating to network


Assignment Task:

MyHeritage Company is an online medical services platform founded in 2015, which provides various services to patients, such as DNA tests. On 10th November 2018, the company found that the majority of its users' records had been breached, with its online servers compromised during a DDoS attack. As a result, the company assigned the case to a forensic investigator, who has carried out initial investigations into evidence collection and identification of the perpetrators.

The investigator seized the manipulated workstations. The initial investigations showed that some of the workstations had been compromised through malvertising, and that some records were lost a few months before the cyber attack was launched. The forensic examiner found logic bombs on some workstations, and the cyber attacks could have been linked to those programs. Some of the web browsers had malicious extensions installed, in violation of the company's policy. Many of the workstations had no proper antivirus protection and no firewall configured.

The company used Google Drive as its means of sharing online records with staff. Windows 10 was the main OS on the workstations; however, some staff were using macOS on their laptops. Staff could work remotely from any public network, but were recommended to use private VPNs. Staff were also using iCloud to store some of the company's data. VMware was used on some of the workstations for specific applications installed on Ubuntu, but this was not supported by the company's IT services.

The examination showed that some of the email accounts were hacked by spear-phishing, login credentials were stolen, and some amounts were transferred to accounts that are not traceable. The Fedwire system was used in the attack, which allowed the cybercriminal(s) to transfer the funds to intermediary banks. The email attachments showing the transactions and communications were successfully extracted by the investigator.

The investigation showed that NetWitness was installed on some of the workstations, but the users of the application could not be identified. USB Oblivion was also found on a few workstations. VeraCrypt had been installed on the workstations to hide some files in encrypted volumes. Many documents, including Word files, Excel files and image files, were recovered.

Mobile phones of suspects were seized and investigated. The operating systems on the mobile phones were Android and iOS. The investigated applications were Hotspot Shield, EncryptMe, Photoshop Express, WhatsApp, and some other photo editing and remote desktop tools. The graphic files stored on the mobile phones were PNG and GIF files. Cloud storage applications, e.g. iCloud, were also installed on the mobile phones for sharing image files and other sensitive data.

The investigator imaged all of the hard disks. Most of the data files were collected and analysed with FTK Imager, and the examiner verified the integrity of the images (by comparing computed hashes against those recorded at acquisition) throughout the examination.
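The integrity check mentioned above is, in practice, a hash comparison: the acquisition tool records a digest of the image when it is made, and any later copy is re-hashed and compared against that record before analysis. The script below is an added example (not part of the assignment text or of FTK Imager) showing that check end to end: it hashes an image in fixed-size blocks so a multi-gigabyte file is never loaded into memory, compares the result against the recorded digests, and then flips a single byte to show that the comparison fails. The image content, the embedded file name `invoice_transfer_2018.docx`, and the choice of MD5 plus SHA-256 are all constructed for the example; the algorithm set is a parameter, so an examiner can pass whatever the acquisition log actually recorded.

```python
"""Hash verification of a forensic disk image (added example, not FTK Imager code)."""
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read the image in 1 MiB blocks; never load it whole


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Read the stream once and return {algorithm: hexdigest} for every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash an image file on disk, streaming it block by block."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Hash an in-memory byte string with the same streaming logic."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify_image(path, recorded):
    """Compare the image on disk with the digests recorded at acquisition.

    recorded: {algorithm: hexdigest} as written in the acquisition log.
    Returns (all_match, report); the report keeps each algorithm's recorded
    and computed value so a mismatch can be quoted in the examiner's notes.
    """
    computed = hash_file(path, tuple(recorded))
    report = {}
    for name, expected in recorded.items():
        report[name] = {
            "recorded": expected.lower(),
            "computed": computed[name],
            "match": computed[name] == expected.lower(),
        }
    return all(entry["match"] for entry in report.values()), report


def demo():
    """Constructed walk-through: record hashes, verify, tamper one byte, re-verify."""
    # Constructed stand-in for a disk image (not real evidence): 64 KiB of
    # zeroed sectors with a hypothetical file name embedded at offset 4096.
    image = bytearray(b"\x00" * 65536)
    image[4096:4096 + 26] = b"invoice_transfer_2018.docx"
    tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".dd")
    try:
        tmp.write(image)
        tmp.close()
        # Digests recorded at acquisition time (the values a tool like FTK
        # Imager writes to its verification log).
        recorded = hash_file(tmp.name)
        intact_ok, _ = verify_image(tmp.name, recorded)

        # Simulate tampering after acquisition: change one byte ('i' -> 'I').
        with open(tmp.name, "r+b") as f:
            f.seek(4096)
            f.write(b"I")
        tampered_ok, report = verify_image(tmp.name, recorded)
        mismatched = sorted(name for name, e in report.items() if not e["match"])
    finally:
        os.unlink(tmp.name)
    return {
        "intact_ok": intact_ok,        # True: copy matches the acquisition record
        "tampered_ok": tampered_ok,    # False: a single changed byte is detected
        "mismatched": mismatched,      # every algorithm flags the change
        "recorded": recorded,
    }


if __name__ == "__main__":
    result = demo()
    print("intact image verified:", result["intact_ok"])
    print("tampered image verified:", result["tampered_ok"],
          "mismatched:", result["mismatched"])
```

Two points to note when writing this up: recording more than one digest (here MD5 and SHA-256) matters because MD5 collisions are practical, so an MD5 match alone is weak evidence that nothing was altered; and the verification result, with both recorded and computed values, belongs in the chain-of-custody notes for each copy of the image, not just the original acquisition.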

Given the scenario and the evidence seized by the investigators, it is your role as an investigator to prove or disprove the allegations of criminal activity, and also of evidence tampering. Answer the following questions in relation to the scenario given. In your answers, you may wish to consider the following points:

1. It is critically important that you explain why a specific piece of digital forensic evidence from the scenario falls into a particular category, such as network, email, operating system, etc.

2. Sometimes a particular piece of digital forensic evidence from the scenario can fall into multiple categories. If you wish to use forensic evidence to answer a question, you must adapt your answer to discuss how that evidence relates to the particular digital forensic investigation.

Answer the following:

Question 1: Identify and discuss any digital evidence relating to network as outlined in the scenario. Make a recommendation on how to search for the evidence and any appropriate tools that can be used, including the pros and cons of the tools.

Question 2: Discuss the steps (standard procedures) that need to be taken to collect the evidence relating to the allegation and any challenges or issues that you might face.
