Assessment-Case study

Objectives

This assessment item relates to the course learning outcome 1 to 9 as stated on page 1 of the course profile.

Enabling objectives
1. Apply the digital forensics methodologies.
2. Write an analysis of a case study.
3. Prepare an outline of a professional digital forensic plan.

Instructions
The Case - A Digital Forensic Investigation Plan

Summary:
Delta Financial Services (DFS) is a multinational company that provides financial services for employees, individuals and companies. DFS employs around 250 employees and the company serves more than 3 million customers in Australia and New Zealand.

DFS has invested heavily in information technology for supporting its business operations and achieving competitive advantages over its competitors. Major investments were made by the company in the early 2000s but management has lost focus in updating the networks and application infrastructure that supports the business operation in recent years. The network environment between all of DFS offices is flat and relatively unrestricted. Users from one office can access systems and servers from another office. Workstations and servers are typically Macintosh-based. Firewalls and network segmentation are implemented poorly throughout the environment. Intrusion detection and logging exist on systems but they are not effectively used.

John Stuart at the Perth office comes in to work early one day and when he connects to his server, he finds that someone is already connected with several windows open. As he stares at it, the window disconnects. He connects again, but is logged out. He calls the IT manager, who follows a plan for such incidents. This includes disabling John's account and examining server security logs. He finds the IP address of the computer that is connected to John's computer and finds it belongs to a computer used to run a data projector at the New Zealand office. He rings the New Zealand office to identify the user of the computer and the logs of who has swiped into the secure building. There were four people in the building at the time, but one has since swiped out and called in sick - Tom Wills. A swift meeting with management concludes that Tom has at least violated company policy by accessing a colleague's account, but are unsure if he has violated any other policy or engaged in criminal activity, such as embezzlement. They wish to investigate and find out the extent of Tom's activities, if others are involved, who is affected and whether criminal charges need to be laid.

A team of auditors is formed by the Information Security Office to investigate the incident at the New Zealand office. Apart from reviewing paper based company documents, the auditing team is tasked to undertake digital forensic analysis of the computer systems at the Perth office. This involves gathering digital evidence from relevant desktop PC's and e-mail accounts.

Requirements:
As part of the auditing team in capacity of a Digital Forensics expert, your task is to prepare digital forensics investigative plan to enable a systematic collection of evidence and subsequent forensic analysis of the electronic and digital data. Assuming all systems are Macintosh-based, this plan should detail the following:
- propose the appropriate digital forensic methodology for the investigation and provide justification for proposing this digital forensic methodology
- describe the resources required to conduct a digital forensic investigation, including skill sets and required tools of the team members.
- outline an approach for data/evidence identification and acquisition that would occur in order to prepare the auditors for review of the digital evidence.
- outline an approach and steps to be taken during the analysis phase making the assumption the computer system is a Macintosh-based computer.
- outline an approach to recover the files that have been deleted from the computer.
- develop relevant security policies for the company.
- provide recommendations to the company for dealing with the problem.

Tips for preparing your digital forensics investigative plan
In writing the digital forensics investigative plan, students need to address the following points. Do note that points listed below are not exhaustive and need to be considered as helpful tips.
- Justify a need for digital forensics methodology and consider scope of the case including nature of alleged misconduct leading to consideration of how electronic and digital evidence may support the investigation. The plan should consider how digital forensics differs from other techniques (such as network forensics, data recovery) and detail the overall steps for the systematic digital forensics approach.
- Consider the required resources and include details regarding preparation plan for evidence gathering (such as evidence forms, types, storage media and containers), forensics workstation and peripherals needed, software/tools for analysis depending on the type of evidence to be gathered including rationale for selected tools, and consideration of team member skills in digital analysis (such as OS knowledge, skills for interviewing, consultation, working as per the needs of the auditing team and understanding of law and corporate policies).
- Detail the approach for data acquisition including the different types of evidence that can be gathered and their source depending upon the nature of the case and scope of investigation, develop a plan for data acquisition including rationale for selected plan and contingency planning, detail type of data acquisition tools needed including rationale and an outline for the data validation & verification procedures.
- Provide an outline of the forensic analysis procedures/steps depending upon the nature of evidence to be collected, and detail the validation approach. This can include techniques to counter data hiding, recovering deleted files, procedures for network and e-mail analysis.
- Provide an outline of the approach to recover the files that have been deleted from the computer.
- Develop suitable security policies for the company.
- Provide appropriate recommendations to the company for dealing with the problem.
- Prepare a professional report with an Executive Summary, a Word generated table of contents, an Introduction, a body of report with proper headings and sub-headings, and a Conclusion.