Explain computer forensic investigation procedures evaluate


Assignment: Forensic Investigation

Purpose

The purpose of this project is to provide an opportunity for students to apply forensic investigation competencies gained throughout this course.

Required Source Information and Tools

The following tools and resources will be needed to complete this project:

- Course textbook
- Internet access
- Computer with Paraben P2 Commander installed
- Mac OS JSmith.img (a Mac OS X image file used in Project Part 3)

Note: Check with your instructor if you do not have access to Paraben P2 Commander. You may be able to download a trial version or use other software, such as Forensic Toolkit (FTK) or EnCase Forensic, to complete this project.

Learning Objectives and Outcomes

You will:

• Explain the rationale for computer forensic activities.
• Explain computer forensic investigation procedures.
• Evaluate sources of evidence.
• Analyze laws related to computer forensics.
• Apply tools used in forensic investigations.
• Analyze digital evidence.
• Report findings.
• Assess business considerations related to computer forensic investigations.

Deliverables

Part 3: Analyzing Evidence from Mac OS X

Scenario

Two weeks ago, D&B Investigations was hired to conduct an incident response for a major oil company in North Dakota. The company's senior management had reason to suspect that one or more company employees were looking to commit corporate espionage. The incident response team went on-site, began monitoring the network, and isolated several suspects. They captured forensic images from the machines the suspects used. Now, your team leader has asked you to examine a forensic image captured from a suspect's computer, which runs the Mac OS X operating system. The suspect's name is John Smith, and he is one of the company's research engineers.

Tasks

• Review the information on the Mac OS X file structure provided in the chapter titled "Macintosh Forensics" in the course textbook.

• Using Paraben P2 Commander, create a case file and add the image the incident response team captured (filename: Mac OS JSmith.img).

• Sort and review the various directories within the Mac OS X image. Look for evidence or indicators that John Smith was or was not committing corporate espionage. This may include direct evidence that John Smith took corporate property, as well as indirect evidence or indicators about who the suspect is and what his activities were during work hours. You can use the software features to help you keep track of the evidence you identify, for instance, by bookmarking sections of interest and exporting files.

• Write a report in which you:

  - Document your investigation methods.

  - Document your findings. Explain what you found that may be relevant to the case, and provide your rationale for each item you have identified as an indicator or evidence that John Smith was or was not committing corporate espionage.

  - Analyze the potential implications of these findings for the company and for a legal case.

Submission Requirements

- Format: Microsoft Word (or compatible)
- Font: 12-Point, Double-Space
- Citation Style: Follow your school's preferred style guide
- Length: 2 pages

Self-Assessment Checklist

- I have applied appropriate evidence collection and handling methods.
- I have correctly identified and analyzed evidence that is relevant to the investigation.
- I have analyzed business considerations associated with the scenario.
- I have analyzed legal considerations associated with the scenario.
- I have created a professional, well-developed report with proper documentation, grammar, spelling, and punctuation.
