Computer Forensics and Investigations - Assignment Example

? Computer Forensics and Investigations COMPUTER FORENSICS AND INVESTIGATIONS Introduction This paper is a discussion of aspects of forensic readiness planning and business continuity planning with regard to a web development company, Walton Web. In the paper, FRP and BCP are differentiated, while the importance of having both of them in an organization is emphasized. Concerning the goals set out in the development of an FRP and a BCP, a risk analysis based on the IT description of the company was carried out while giving evidence of the possibility of a lawsuit emanating from this risk. After identifying the risks, the paper goes on to name an example of legislation, which can be used against the company, in this case the Cookie law. Finally, the employee contract at the company needs to be studied with the aim of making a prospective employee be aware of these risks and know how to manage them without claiming ignorance. Question # 1 Forensic Readiness Planning Business Continuity Planning, and Their Testing Both forensic readiness planning and business continuity planning help a company in dealing with the effects of interruptions to their operations. Business continuity planning identifies the exposure of an organization to external and internal threats while synthesizing soft and hard assets to give the organization effective protection and recovery from these threats (Nelson, 2012, p. 23). It does this while maintaining the organization’s value system integrity and competitive advantage. A BCP acts as a roadmap on how to continue operations under adverse conditions. Forensic readiness planning, on the other hand, involves enabling an organization to have digital evidence available before the occurrence of an incident. Since digital evidence could be requested at any time in support of a formal process, an organization needs to have access to all evidence that supports its position in case such an occurrence takes place. While BCP encompasses an extensive range of threats to the organization’s operations, FRP is mainly concerned with the threat brought about by formal requests for digital evidence. An organization requires both an FRP and a BCP because they offer slightly different forms of protection to the company, both of which are vital and interdependent. Business continuity planning involves the development of a practical plan detailing how the organization will prepare for, while continuing to operate, a crisis or incident. The plan aids the organization to identify preventable risks, prepare for risks beyond its control, and respond to the occurrence of a risk. Forensic readiness planning deals specifically with the availability of the organization’s digital data if needed as evidence. It allows for the gathering of admissible evidence in a legal manner that does not interfere with business operations. FRP specifically prepares the organization for legal battles that may involve its digital data by gathering evidence on potential disputes and crimes that may impact it (Nelson, 2012, p. 25). Having both an FRP and a BCP increases the sense of security among the organization’s clients, personnel, suppliers, partners, investors, and vendors. When an organization plans for the occurrence of risks, these stakeholders can carry on with their duties with a sense of security. Planning allows the organization to consider the effects of interruptions to its operations while making priorities for the recovery process. It also helps the personnel learn what to do when interruption occurs, in order to minimize data loss and disruption. An organization’s FRP and BCP need to be tested often in order to enforce them and make adjustments. Most companies that practice these plans conduct bi-annual tests on them during which a mock ‘drill’ is performed for a specific risk. Over time, personnel may change, and the new staff requires to be initiated. Old staff also needs to be re-informed on the plans once in a while, with the most excellent method to do this being to visualize the situation. Changes in technology may prompt some adjustments during a mock exercise, and adjustments made during earlier testing being ratified as working and thus enforced (Nelson, 2012, p. 39). Question # 2 Risk Analysis Based on the scenario related to Walton’s Web Development Company and its IT description, with respect to its forensic readiness and business continuity objectives, there are several risks that face the company. The following is a risk analysis of the company with respect to BCP and FRP: One risk facing Walton is loss of governance. Because of Walton’s use of cloud infrastructure, the customer ultimately cedes control to the CP, or cloud provider, on various issues that could affect the company’s security and readiness for occurrence of risks. Since the company does not offer any commitment to give its clients this service, there is a gap left in security defenses. Another risk is lock-in, caused by the fact that there is very little on offer concerning procedures, tools, and standard data formats or interfaces of service that guarantee data, service portability, and application. This has the capability to make migration of data and services to another provider more difficult for the client. It also makes migration of services and data to an in-house Information Technology environment become difficult. Thus, dependency on particular cloud providers for the provision of service is introduced, especially if portability of data is not enabled. This is because portability of data is one of a web development company’s most fundamental aspects. Isolation failure is another risk to BCP and FRP. Shared resources and multi-tenancy are characters that define web development and cloud computing. The risk category covers mechanism failure in separating memory, storage, reputation among various clients, and even routing. It should, however, be considered that resource isolation mechanism attacks are less numerous with increased difficulty for any attacker to put in motion compared to traditional operation system attacks. By investing in complying with the risks, investment made to achieve certification may be risked via migration to a new system. If the service provider cannot give evidence of personal compliance with requirements deemed necessary or does not allow the client to perform an audit, then regulatory and standard requirements may be put at risk. In specific cases, use of public sound infrastructure gives the implication that various compliances are impossible to achieve. Management Interface Compromise is another risk involved in the implementation of FRP and BCP measures. Through the service provider’s customer management interface, it is possible to access data through the Internet while mediating access to larger resource sets, and thus, increase the risk, especially when combined with web browser vulnerabilities and remote access. Data Protection: web development poses various risks concerning data protection for service users and providers. It could be difficult for the service user, in his/ her role as controller of data, to check data handling practices of the service provider effectively and, thus, ensure that it is being handled lawfully. This problem is made worse in cases where there is multiple data transfer activity, such as between two service providers. It would be prudent for the company to provide data handling practice information while also offering certification summaries on the process of data processing and data security activities and controls of data that are in place. Incomplete or insecure data deletion: When a client makes a request aimed at deleting a cloud resource, this may result in wiping of data, just as happens with most operating systems. Timely or adequate deletion of data may be undesirable for the customer because extra data copies are stored but are unavailable, or because the disc to be destroyed also contains data collected from other clients. In this case, as there is multiple tenancy and hardware resources re-use, there is a higher risk to the customer as compared to dedicated hardware. The malicious insider is another risk to the service provider. While it is less likely to be a problem, compared to the risks already discussed, the damage it could cause is often greater than first imagined. The architecture of the service provider’s cloud service necessitates specific roles, which are a very high risk such as managed security service providers and CP system administrators. Question # 3 Legislation Affecting Walton Walton Web Development Company needs to be aware of the Cookie law that came into effect on 26th May 2011 in the UK. If a site is to use cookies, the EC directive regulations provide that specific information must be afforded to the visitors on the site and that his or her consent is necessary for the cookie placement (Nelson, 2012, p. 61). This regulation implemented 2009 E-Privacy Directive. The relevant rules are found in amended regulation six. Subject to the fourth paragraph, no one shall gain or store information, or get access to stored information in the user’s external equipment. The only way this information can be accessed is after the user has been provided with comprehensive and clear information regarding the purpose of access or storage of his or her information and gives their consent. Where there is the use of electronic communication networks by the same person for information access or storage in the user’s terminal equipment more than once, the user must be given the relevant information and give consent (Nelson, 2012, p. 92). Consent can be signified by a user who sets or amends their Internet browser’s controls, which they use or via the use of another program or application to signify their consent. Paragraph one of the regulations does not apply to technical access or access to information, aimed at carrying out communication transmission over a network of electronic communications or when this sort of storage is necessary for the provision of a service concerning information society, which the user has requested. The UK regulations mean that Walton website operators must never store information or access information in a user’s computer unless the subscriber has given them comprehensive and clear information regarding the purpose of access and storage, on top of waiting for the user’s consent (Nelson, 2012, p. 95). The requirement for consent was instituted to replace the earlier position that provided, for visitors, to have the option of refusing the cookies option. The only cookies that are not in need of consent are those necessary for the fulfillment of the user’s request. For example, this will cover the utilization of cookies to remember a client’s shopping cart as he or she moves through the website’s various pages. Other cookies such as those that seek to number the visitors to the Walton website and those that serve as advertising aids need consent before use. The term ‘consent’, while not defined in the 1998 Data Protection Act, is defined in the 1995 Data Protection Directive as all freely given information and specific indications of the user’s wishes (Nelson, 2012, p. 95). The Data Protection Act in the United Kingdom implemented this directive. The consent requirement has been subject to heated debate and discussion since publication of the E-Privacy Directive. The Article 29 Working Party, the UK Administration, and the IC office have all given opinions that are in conflict on how the requirement of consent will be put into practice. The government has opinions that differ on whether consent needs to be attained before placing the cookies. The Working Party claims that consent needs to be obtained prior to the placement of the cookies and/or any information stored in the subscriber’s terminal equipment is taken, normally referred to as prior consent. Informed consent is only obtainable if the user has been provided with prior information regarding the cookies sending and purpose. However, even with the suggestion of various methods of obtaining consent, the guidance stops short of giving definitive guidance on achievement of compliance, leaving it to organizations to review their cookie use and consider how necessary content may be obtained. Both the UK government and the ICO have not ruled out the use of browser settings to achieve future compliance. Most browser settings do not possess enough sophistication to allow the assumption of cookie use consent from the user. In addition, not every user employs a browser to visit the Walton site. A mobile device application may be used and thus, organizations such as Walton, which utilize cookies, have to gain consent in some other way. Question # 4 Clarifications and Revision of Employment Contract As a potential employee of the Walton Web Office, he/she should strive for clarification on several issues and revisions before signing the employment contract. Regarding clause EC3, the employee should seek to know whether the information that they store in the company’s database is retrievable in case they stop working for the company for one reason or another. It would also be prudent to ensure that one seeks clarification regarding what constitutes personal use of the office hardware equipment and whether the use of corporate laptops by non-office staff is considered wrong. Clarification on rule EC5 should also be sought in case of utilization of mobile browsers during the course of task completion. Since these devices are considered as personal devices, it would be prudent to seek clarification on whether information collected using these data also needs to be treated in the same way as it would be treated if collected using official equipment. If the data stored in personal devices were required during an investigation, what would be the criteria of retrieving these data? Knowing this will prevent a feeling of violation if the data are ever required. The potential employee also needs to seek clarification of EC6, which details that he or she needs to follow the policies of the company while also complying with any additional policies that the client may impose. However, it does not provide the course of action to be taken if the two stakeholders are in conflict. If the policies of the company would be in conflict with the client’s stated requirements, an employee would be in a tight spot, and it is fair that he or she acts to determine what they would need to do in such a scenario. The rule does not state whether the use of Walton Web Security on client sites should require the client to give consent before the installation of the Walton Web Security. References Nelson, B., 2012. Computer forensics and investigations. Boston: Thomson/Course Technology. Read More